Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep your dependencies in check (FOSDEM)

Marit van Dijk
February 05, 2023
Programming
0
17

Keep your dependencies in check (FOSDEM)

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

February 05, 2023
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Keep your dependencies in check
mlvandijk
0
9
Code_Reading_Workshop_JUG-CH.pdf
mlvandijk
0
6
Keep_your_dependencies_in_check_BrabantJUG.pdf
mlvandijk
0
3
Use Testing to Develop Better Software Faster
mlvandijk
0
79
Keep your dependencies in check
mlvandijk
1
230
Keep your dependencies in check
mlvandijk
0
110
Keep your dependencies in check
mlvandijk
0
98
Use Testing to Develop Better Software Faster
mlvandijk
0
100
Collaborating on Open Source Software
mlvandijk
0
40

Other Decks in Programming

See All in Programming
ココナラにおけるジョーシス / Netskope適用に向けたアプローチ実録
coconala_engineer
0
160
クラウドネイティブ時代のコンテナ環境におけるJavaアプリケーションのメトリクス・ログ・トレースモニタリング
shintanimoto
4
1.3k
Употреба и скриптиране на Vim във ФМИ 2023
andrewradev
0
180
prototype大全 / YAPC::Kyoto 2023
utgwkk
0
570
K/NとNSKeyedArchiverと私
ryunen344
0
160
ゴーファーくんと学ぶGo言語の世界/golang-world-with-gopher
iwasiman
2
520
年間版1秒動画2023 大量配信の裏側 - MIXI TECH CONFERENCE 2023 DAY1
haman29
2
710
Androidアプリで安定して動作させ継続的に開発するために設計の原則を利用して開発した話
takahirom
0
630
UICollectionView Compositional Layout
usamik26
0
180
FlutterとMaterial3
dosukoi_android
0
290
PHPerがGoに入門してみた/PHPer introduction to Go.
fendo181
0
2.7k
Import Maps: The Next Evolution Step for Micro Frontends?
manfredsteyer
PRO
0
270

Featured

See All Featured
Fireside Chat
paigeccino
16
2k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Pencils Down: Stop Designing & Start Developing
hursman
114
10k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
31
8.8k
Fantastic passwords and where to find them - at NoRuKo
philnash
32
1.9k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
22
1.7k
Design by the Numbers
sachag
271
18k
Git: the NoSQL Database
bkeepers
PRO
419
60k
Designing Experiences People Love
moore
130
22k
Making the Leap to Tech Lead
cromwellryan
117
7.7k
What the flash - Photography Introduction
edds
64
10k
Three Pipe Problems
jasonvnalue
89
9k

Transcript

  1. Keep your dependencies in check
    FOSDEM - February 5th, 2023
    https://maritvandijk.com/ @MaritvanDijk77

    View Slide

  2. @MaritvanDijk77

    View Slide

  3. @MaritvanDijk77

    View Slide

  4. @MaritvanDijk77

    View Slide

  5. @MaritvanDijk77

    View Slide

  6. Dec. 2021
    @MaritvanDijk77

    View Slide

  7. @MaritvanDijk77

    View Slide

  8. @MaritvanDijk77

    View Slide

  9. @MaritvanDijk77

    View Slide

  10. March 2022
    @MaritvanDijk77

    View Slide

  11. @MaritvanDijk77

    View Slide

  12. @MaritvanDijk77

    View Slide

  13. No dependencies
    @MaritvanDijk77
    Maintain dependencies

    View Slide

  14. Maven
    • Overview of dependencies: `mvn dependency:tree`
    @MaritvanDijk77

    View Slide

  15. Maven
    • Check for updates: `mvn versions:display-dependency-updates`
    @MaritvanDijk77

    View Slide

  16. Maven
    • Analyze dependencies: `mvn dependency:analyze`
    @MaritvanDijk77

    View Slide

  17. Gradle
    • Overview of dependencies: `./gradlew dependencies`
    @MaritvanDijk77

    View Slide

  18. Gradle
    • Add plugin, e.g. gradle-versions-plugin


    • Run `./gradlew dependencyUpdates`
    @MaritvanDijk77
    https://github.com/ben-manes/gradle-versions-plugin

    View Slide

  19. IntelliJ IDEA: View Dependencies
    @MaritvanDijk77

    View Slide

  20. IntelliJ IDEA: View Dependencies
    @MaritvanDijk77

    View Slide

  21. IntelliJ IDEA
    • Package Search: Add dependency
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  22. IntelliJ IDEA
    • Package Search: Add dependency
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  23. IntelliJ IDEA
    • Intention actions (⌥ ⏎ or Alt+Enter)
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  24. IntelliJ IDEA
    • Intention actions (⌥ ⏎ or Alt+Enter)
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  25. IntelliJ IDEA
    • Package search: Dependencies tool window
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  26. IntelliJ IDEA
    • Package search: Dependencies tool window
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  27. IntelliJ IDEA Ultimate
    @MaritvanDijk77
    • Package Checker

    View Slide

  28. IntelliJ IDEA Ultimate
    @MaritvanDijk77
    • Package Checker

    View Slide

  29. Downsides
    - Check out each individual project


    - Apply & verify updates
    @MaritvanDijk77

    View Slide

  30. Software Composition Analysis (SCA)
    • Scan all repos (and containers)


    • Overview
    @MaritvanDijk77

    View Slide

  31. SCA: Pros & Cons
    + No need to check out repos individually


    - I have to check the dashboard


    - Apply & verify updates
    @MaritvanDijk77

    View Slide

  32. @MaritvanDijk77
    Bots
    • Dependabot


    • Renovate


    • Snyk Open Source

    View Slide

  33. Dependabot
    • GitHub native


    • Features:


    • Alerts


    • Security updates


    • Version updates
    @MaritvanDijk77

    View Slide

  34. Dependabot enable
    @MaritvanDijk77

    View Slide

  35. Dependabot alerts
    @MaritvanDijk77

    View Slide

  36. Dependabot security updates
    @MaritvanDijk77

    View Slide

  37. Dependabot version updates
    • Add dependabot.yml (impacts security updates)


    • Package manager & directory manifest file


    • Frequency (daily, weekly, or monthly)


    • Schedule (date, time, timezone)


    • Max. number of PR's (default 5)


    • Some details to manage PR's
    @MaritvanDijk77
    https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

    View Slide

  38. Renovate
    • Available via GitHub App


    • Features:


    • Security updates


    • Version updates


    • Project dashboard


    • Job dashboard
    @MaritvanDijk77

    View Slide

  39. Renovate enable
    @MaritvanDijk77
    https://github.com/apps/renovate

    View Slide

  40. Renovate enable - 2
    @MaritvanDijk77

    View Slide

  41. Renovate enable - 3
    @MaritvanDijk77

    View Slide

  42. Renovate configuration
    • All repos or selected repos


    • Config file is created for you


    • Max. number of PR's / concurrent branches


    • More options


    • More fine-grained
    @MaritvanDijk77
    https://docs.renovatebot.com/configuration-options/

    View Slide

  43. Renovate PR
    @MaritvanDijk77
    https://docs.renovatebot.com/merge-confidence/

    View Slide

  44. Renovate Dashboard: Project
    @MaritvanDijk77

    View Slide

  45. Renovate Dashboard: Jobs
    @MaritvanDijk77

    View Slide

  46. Snyk Open Source
    • Available via Snyk


    • Features:


    • Security updates


    • Version updates


    • Test for new vulnerabilities (on PRs)


    • Test for vulnerabilities in source code


    • Dashboards
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  47. Snyk enable
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  48. Snyk enable - 2
    @MaritvanDijk77

    View Slide

  49. Snyk enable - 3
    @MaritvanDijk77

    View Slide

  50. Snyk enable - 4
    @MaritvanDijk77

    View Slide

  51. Snyk PR
    @MaritvanDijk77

    View Slide

  52. Snyk PR
    @MaritvanDijk77

    View Slide

  53. Snyk PR Check
    @MaritvanDijk77

    View Slide

  54. Snyk dashboard
    @MaritvanDijk77

    View Slide

  55. Snyk Open Source Configuration
    • Frequency (daily, weekly, never)


    • Enable/disable: New and/or known vulnerabilities


    • Enable/disable PR's for single project
    @MaritvanDijk77
    https://docs.snyk.io/products/snyk-open-source/open-source-basics

    View Slide

  56. Bots: Pros & Cons
    + Relatively easy to install


    + Automatic PR's


    - Can create "noise"


    - Manage PRs (merge & deploy)


    - No code changes (if needed)
    @MaritvanDijk77

    View Slide

  57. Migration tools
    @MaritvanDijk77

    View Slide

  58. IntelliJ IDEA
    • Migrate Packages and Classes
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/migrate.html

    View Slide

  59. IntelliJ IDEA
    • Create New Migration
    @MaritvanDijk77

    View Slide

  60. IntelliJ IDEA
    • Create New Migration
    @MaritvanDijk77

    View Slide

  61. Error Prone
    • Static analysis tool for Java that catches common programming
    mistakes at compile-time.


    • Maven, Gradle, etc.


    • IntelliJ IDEA / Eclipse plugin, Command line


    • Bug patterns


    • Report or fix


    • Custom checks


    • Includes Refaster: refactor code using before-and-after templates
    @MaritvanDijk77
    https://errorprone.info/

    View Slide

  62. OpenRewrite
    • Source code refactoring for framework migrations, vulnerability
    patches, and API migrations


    • Early focus on Java


    • Maven & Gradle


    • Existing recipes


    • Can author recipes
    @MaritvanDijk77
    https://docs.openrewrite.org/

    View Slide

  63. Conclusion
    •(Re)evaluate dependencies carefully


    •Automate checks & updates


    •Stay safe!
    @MaritvanDijk77

    View Slide

  64. Slides
    https://maritvandijk.com/presentations/keep-your-dependencies-in-check/


    @MaritvanDijk77

    View Slide