Keep your dependencies in check (FOSDEM)

Transcript

1. Keep your dependencies in check FOSDEM - February 5th, 2023

   https://maritvandijk.com/ @MaritvanDijk77

2. @MaritvanDijk77

3. @MaritvanDijk77

4. @MaritvanDijk77

5. @MaritvanDijk77

6. Dec. 2021 @MaritvanDijk77

7. @MaritvanDijk77

8. @MaritvanDijk77

9. @MaritvanDijk77

10. March 2022 @MaritvanDijk77

11. @MaritvanDijk77

12. @MaritvanDijk77

13. No dependencies @MaritvanDijk77 Maintain dependencies

14. Maven • Overview of dependencies: `mvn dependency:tree` @MaritvanDijk77

15. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

16. Maven • Analyze dependencies: `mvn dependency:analyze` @MaritvanDijk77

17. Gradle • Overview of dependencies: `./gradlew dependencies` @MaritvanDijk77

18. Gradle • Add plugin, e.g. gradle-versions-plugin • Run `./gradlew dependencyUpdates`

    @MaritvanDijk77 https://github.com/ben-manes/gradle-versions-plugin

19. IntelliJ IDEA: View Dependencies @MaritvanDijk77

20. IntelliJ IDEA: View Dependencies @MaritvanDijk77

21. IntelliJ IDEA • Package Search: Add dependency @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

22. IntelliJ IDEA • Package Search: Add dependency @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

23. IntelliJ IDEA • Intention actions (⌥ ⏎ or Alt+Enter) @MaritvanDijk77

    https://www.jetbrains.com/help/idea/package-search.html

24. IntelliJ IDEA • Intention actions (⌥ ⏎ or Alt+Enter) @MaritvanDijk77

    https://www.jetbrains.com/help/idea/package-search.html

25. IntelliJ IDEA • Package search: Dependencies tool window @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

26. IntelliJ IDEA • Package search: Dependencies tool window @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

27. IntelliJ IDEA Ultimate @MaritvanDijk77 • Package Checker

28. IntelliJ IDEA Ultimate @MaritvanDijk77 • Package Checker

29. Downsides - Check out each individual project - Apply &

    verify updates @MaritvanDijk77

30. Software Composition Analysis (SCA) • Scan all repos (and containers)

    • Overview @MaritvanDijk77

31. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard - Apply & verify updates @MaritvanDijk77

32. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

33. Dependabot • GitHub native • Features: • Alerts • Security

    updates • Version updates @MaritvanDijk77

34. Dependabot enable @MaritvanDijk77

35. Dependabot alerts @MaritvanDijk77

36. Dependabot security updates @MaritvanDijk77

37. Dependabot version updates • Add dependabot.yml (impacts security updates) •

    Package manager & directory manifest file • Frequency (daily, weekly, or monthly) • Schedule (date, time, timezone) • Max. number of PR's (default 5) • Some details to manage PR's @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

38. Renovate • Available via GitHub App • Features: • Security

    updates • Version updates • Project dashboard • Job dashboard @MaritvanDijk77

39. Renovate enable @MaritvanDijk77 https://github.com/apps/renovate

40. Renovate enable - 2 @MaritvanDijk77

41. Renovate enable - 3 @MaritvanDijk77

42. Renovate configuration • All repos or selected repos • Config

    file is created for you • Max. number of PR's / concurrent branches • More options • More fine-grained @MaritvanDijk77 https://docs.renovatebot.com/configuration-options/

43. Renovate PR @MaritvanDijk77 https://docs.renovatebot.com/merge-confidence/

44. Renovate Dashboard: Project @MaritvanDijk77

45. Renovate Dashboard: Jobs @MaritvanDijk77

46. Snyk Open Source • Available via Snyk • Features: •

    Security updates • Version updates • Test for new vulnerabilities (on PRs) • Test for vulnerabilities in source code • Dashboards @MaritvanDijk77 https://snyk.io/

47. Snyk enable @MaritvanDijk77 https://snyk.io/

48. Snyk enable - 2 @MaritvanDijk77

49. Snyk enable - 3 @MaritvanDijk77

50. Snyk enable - 4 @MaritvanDijk77

51. Snyk PR @MaritvanDijk77

52. Snyk PR @MaritvanDijk77

53. Snyk PR Check @MaritvanDijk77

54. Snyk dashboard @MaritvanDijk77

55. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PR's for single project @MaritvanDijk77 https://docs.snyk.io/products/snyk-open-source/open-source-basics

56. Bots: Pros & Cons + Relatively easy to install +

    Automatic PR's - Can create "noise" - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77

57. Migration tools @MaritvanDijk77

58. IntelliJ IDEA • Migrate Packages and Classes @MaritvanDijk77 https://www.jetbrains.com/help/idea/migrate.html

59. IntelliJ IDEA • Create New Migration @MaritvanDijk77

60. IntelliJ IDEA • Create New Migration @MaritvanDijk77

61. Error Prone • Static analysis tool for Java that catches

    common programming mistakes at compile-time. • Maven, Gradle, etc. • IntelliJ IDEA / Eclipse plugin, Command line • Bug patterns • Report or fix • Custom checks • Includes Refaster: refactor code using before-and-after templates @MaritvanDijk77 https://errorprone.info/

62. OpenRewrite • Source code refactoring for framework migrations, vulnerability patches,

    and API migrations • Early focus on Java • Maven & Gradle • Existing recipes • Can author recipes @MaritvanDijk77 https://docs.openrewrite.org/

63. Conclusion •(Re)evaluate dependencies carefully •Automate checks & updates •Stay safe!

    @MaritvanDijk77

64. Slides https://maritvandijk.com/presentations/keep-your-dependencies-in-check/ @MaritvanDijk77