Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep your dependencies in check - JoziJUG

Keep your dependencies in check - JoziJUG

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

September 26, 2022
Tweet

More Decks by Marit van Dijk

Other Decks in Technology

Transcript

  1. Keep your dependencies in check Jozi-JUG - September 26st, 2022

    https://maritvandijk.com/ @MaritvanDijk77
  2. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard @MaritvanDijk77
  3. Dependabot • GitHub native • Includes: • Dependabot alerts •

    Dependabot security updates • Dependabot version updates @MaritvanDijk77
  4. Dependabot version updates • Add dependabot.yml (impacts security updates) •

    Package manager & directory manifest file • Frequency (daily, weekly, or monthly) • Schedule (date, time, timezone) • Max. number of PR's (default 5) • Some details to manage PR's @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
  5. Renovate configuration • All repos or selected repos • Config

    file is created for you • Limit concurrent branches / PRs, hourly limit • More options • More fine-grained @MaritvanDijk77 https://docs.renovatebot.com/configuration-options/
  6. Snyk • Products: • Snyk Open Source • Snyk Code

    • Snyk Container • Snyk Infrastructure as Code • Snyk Cloud @MaritvanDijk77 https://snyk.io/
  7. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PRs for single project @MaritvanDijk77 https://docs.snyk.io/products/snyk-open-source/open-source-basics
  8. Bots: Pros & Cons + Relatively easy to install +

    Automatic PRs - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77
  9. Bots: Pros & Cons + Relatively easy to install +

    Automatic PRs - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77
  10. Error-prone • Static analysis tool for Java that catches common

    programming mistakes at compile-time. • Maven, Gradle, etc. • Bug patterns: https://errorprone.info/bugpatterns • Report or fix • Custom checks • Refaster: refactor code using before-and-after templates @MaritvanDijk77 https://errorprone.info/
  11. OpenRewrite • Source code refactoring for framework migrations, vulnerability patches,

    and API migrations with an early focus on the Java language • Maven & Gradle • Existing recipes (e.g. Java 8 -> 11, JUnit 4 -> 5) • Can author recipes @MaritvanDijk77 https://docs.openrewrite.org/