$30 off During Our Annual Pro Sale. View Details »

Keep your dependencies in check

Marit van Dijk
October 13, 2022
Programming
0
150

Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

October 13, 2022
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Reading code
mlvandijk
0
20
Keep your dependencies in check
mlvandijk
0
12
Reading Code
mlvandijk
0
110
Keep your dependencies in check
mlvandijk
0
9
Keep your dependencies in check
mlvandijk
0
19
Reading Code
mlvandijk
0
120
Reading code
mlvandijk
0
46
Keep your dependencies in check
mlvandijk
0
21
Reading code
mlvandijk
0
95

Other Decks in Programming

See All in Programming
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
58k
Better Code Design in PHP
afilina
PRO
1
350
進化したWeb技術でPWAをネイティブアプリに近づける / frontend-conf-2023
yuhei_fujita
6
2.5k
DIGGLEの分析基盤アーキテクチャ
zakky21
0
110
実践PubSubマイクロサービス / Implementation Pub Sub microservice
nrslib
3
950
集団意思決定の落とし穴と誰も望まない技術的負債
h0r15h0
0
2.2k
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
570
Modern Java for the Masses! Is Java Still Relevant?
deepu105
1
430
.NET 8世代のBlazorについて
tomokusaba
0
130
Expo Router は Expo 導入の決め手となるか フロントエンドカンファレンス沖縄2023 @Kaito-Dogi
doggy
3
1.6k
ChatGPTをソフトウェア開発に活用する
fbei_ot
0
120
Hono v3 and v4
yusukebe
4
2.6k

Featured

See All Featured
Practical Orchestrator
shlominoach
179
9.4k
What's new in Ruby 2.0
geeforr
336
30k
Why Our Code Smells
bkeepers
PRO
329
56k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
Facilitating Awesome Meetings
lara
37
5.2k
How to Ace a Technical Interview
jacobian
272
22k
[RailsConf 2023] Rails as a piece of cake
palkan
16
3.1k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
51k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
4.1k
Product Roadmaps are Hard
iamctodd
43
9.1k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
9.8k
Testing 201, or: Great Expectations
jmmastey
26
6.1k

Transcript

  1. Keep your dependencies in check
    DevOxx - October 13th, 2022
    https://maritvandijk.com/ @MaritvanDijk77

    View Slide

  2. @MaritvanDijk77

    View Slide

  3. @MaritvanDijk77

    View Slide

  4. @MaritvanDijk77

    View Slide

  5. @MaritvanDijk77

    View Slide

  6. Dec. 2021
    @MaritvanDijk77

    View Slide

  7. @MaritvanDijk77

    View Slide

  8. @MaritvanDijk77

    View Slide

  9. @MaritvanDijk77

    View Slide

  10. March 2022
    @MaritvanDijk77

    View Slide

  11. @MaritvanDijk77

    View Slide

  12. @MaritvanDijk77

    View Slide

  13. @MaritvanDijk77

    View Slide

  14. @MaritvanDijk77

    View Slide

  15. @MaritvanDijk77
    Do we


    need


    this
    dependency?

    View Slide

  16. Selecting dependencies
    @MaritvanDijk77

    View Slide

  17. Selecting dependencies
    @MaritvanDijk77

    View Slide

  18. @MaritvanDijk77
    https://xkcd.com/2347/

    View Slide

  19. @MaritvanDijk77

    View Slide

  20. Selecting dependencies
    @MaritvanDijk77

    View Slide

  21. Selecting dependencies
    @MaritvanDijk77

    View Slide

  22. Selecting dependencies @MaritvanDijk77

    View Slide

  23. Selecting dependencies
    @MaritvanDijk77

    View Slide

  24. Dependency information
    @MaritvanDijk77
    https://search.maven.org/

    View Slide

  25. Dependency information
    @MaritvanDijk77
    https://search.maven.org/

    View Slide

  26. Dependency information
    @MaritvanDijk77
    https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/[email protected]

    View Slide

  27. Dependency information
    @MaritvanDijk77
    https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/[email protected]

    View Slide

  28. Dependency information
    @MaritvanDijk77
    https://mvnrepository.com/

    View Slide

  29. Dependency information
    @MaritvanDijk77
    https://mvnrepository.com/

    View Slide

  30. Dependency information
    @MaritvanDijk77
    https://github.com/

    View Slide

  31. Dependency information
    @MaritvanDijk77
    https://github.com/

    View Slide

  32. Dependency information
    @MaritvanDijk77
    https://package-search.jetbrains.com/

    View Slide

  33. Dependency information
    @MaritvanDijk77
    https://package-search.jetbrains.com/

    View Slide

  34. Dependency information
    @MaritvanDijk77
    https://package-search.jetbrains.com/

    View Slide

  35. No dependencies
    @MaritvanDijk77
    Maintain dependencies

    View Slide

  36. Maven
    • Overview of dependencies: `mvn dependency:tree`
    @MaritvanDijk77

    View Slide

  37. Maven
    • Check for updates: `mvn versions:display-dependency-updates`
    @MaritvanDijk77

    View Slide

  38. Maven
    • Analyse dependencies: `mvn dependency:analyze`
    @MaritvanDijk77

    View Slide

  39. Gradle
    • Overview of dependencies: `./gradlew dependencies`
    @MaritvanDijk77

    View Slide

  40. Gradle
    • Add plugin, e.g. gradle-versions-plugin


    • Run `./gradlew dependencyUpdates`
    @MaritvanDijk77

    View Slide

  41. IntelliJ IDEA: Community Edition
    • Alt + Enter
    @MaritvanDijk77

    View Slide

  42. IntelliJ IDEA: Community Edition
    • Alt + Enter
    @MaritvanDijk77

    View Slide

  43. IntelliJ IDEA: Ultimate Edition
    @MaritvanDijk77

    View Slide

  44. IntelliJ IDEA
    • Dependencies tab
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  45. Downsides
    - Check out each individual project


    - Apply & verify updates
    @MaritvanDijk77

    View Slide

  46. Software Composition Analysis (SCA)
    • Scan all repos


    • Overview
    @MaritvanDijk77

    View Slide

  47. SCA: Pros & Cons
    + No need to check out repos individually


    - I have to check the dashboard
    @MaritvanDijk77

    View Slide

  48. @MaritvanDijk77
    Bots
    • Dependabot


    • Renovate


    • Snyk Open Source

    View Slide

  49. Dependabot
    • GitHub native


    • Includes:


    • Dependabot alerts


    • Dependabot security updates


    • Dependabot version updates
    @MaritvanDijk77

    View Slide

  50. Dependabot enable
    @MaritvanDijk77

    View Slide

  51. Dependabot alerts
    @MaritvanDijk77

    View Slide

  52. Dependabot security updates
    @MaritvanDijk77

    View Slide

  53. Dependabot version updates
    • Add dependabot.yml (impacts security updates)


    • Package manager & directory manifest file


    • Frequency (daily, weekly, or monthly)


    • Schedule (date, time, timezone)


    • Max. number of PR's (default 5)


    • Some details to manage PR's
    @MaritvanDijk77
    https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

    View Slide

  54. Renovate
    • By Mend


    • Available via GitHub App
    @MaritvanDijk77

    View Slide

  55. Renovate enable
    @MaritvanDijk77
    https://github.com/apps/renovate

    View Slide

  56. Renovate enable
    @MaritvanDijk77

    View Slide

  57. Renovate enable
    @MaritvanDijk77

    View Slide

  58. Renovate configuration
    • All repos or selected repos


    • Config file is created for you


    • Limit concurrent branches / PRs, hourly limit


    • More options


    • More fine-grained
    @MaritvanDijk77
    https://docs.renovatebot.com/configuration-options/

    View Slide

  59. Renovate PR
    @MaritvanDijk77
    https://docs.renovatebot.com/merge-confidence/

    View Slide

  60. Renovate Dashboard
    @MaritvanDijk77

    View Slide

  61. Snyk
    • Products:


    • Snyk Open Source


    • Snyk Code


    • Snyk Container


    • Snyk Infrastructure as Code


    • Snyk Cloud
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  62. Snyk enable
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  63. Snyk enable
    @MaritvanDijk77

    View Slide

  64. Snyk enable
    @MaritvanDijk77

    View Slide

  65. Snyk enable
    @MaritvanDijk77

    View Slide

  66. Snyk PR
    @MaritvanDijk77

    View Slide

  67. Snyk PR
    @MaritvanDijk77

    View Slide

  68. Snyk PR Check
    @MaritvanDijk77

    View Slide

  69. Snyk dashboard
    @MaritvanDijk77

    View Slide

  70. Snyk dashboard
    @MaritvanDijk77

    View Slide

  71. Snyk Open Source Configuration
    • Frequency (daily, weekly, never)


    • Enable/disable: New and/or known vulnerabilities


    • Enable/disable PRs for single project
    @MaritvanDijk77
    https://docs.snyk.io/products/snyk-open-source/open-source-basics

    View Slide

  72. Bots: Pros & Cons
    + Relatively easy to install


    + Automatic PRs


    - Manage PRs (merge & deploy)


    - No code changes (if needed)
    @MaritvanDijk77

    View Slide

  73. Error-prone
    • Static analysis tool for Java that catches common programming
    mistakes at compile-time.


    • Maven, Gradle, etc.


    • Bug patterns: https://errorprone.info/bugpatterns


    • Report or fix


    • Custom checks


    • Refaster: refactor code using before-and-after templates
    @MaritvanDijk77
    https://errorprone.info/

    View Slide

  74. Error-prone
    @MaritvanDijk77
    https://www.youtube.com/watch?v=NPuLeoIzIR0

    View Slide

  75. OpenRewrite
    • Source code refactoring for framework migrations, vulnerability
    patches, and API migrations with an early focus on the Java language


    • Maven & Gradle


    • Existing recipes (e.g. Java 8 -> 11, JUnit 4 -> 5)


    • Can author recipes
    @MaritvanDijk77
    https://docs.openrewrite.org/

    View Slide

  76. OpenRewrite
    @MaritvanDijk77
    https://www.youtube.com/watch?v=7fslFKkCkxg

    View Slide

  77. Conclusion
    •(Re)evaluate dependencies carefully


    •Automate checks & updates


    •Stay safe!
    @MaritvanDijk77

    View Slide

  78. Slides
    https://maritvandijk.com/presentations/keep-your-dependencies-in-check/


    @MaritvanDijk77

    View Slide