$30 off During Our Annual Pro Sale. View Details »

Keep your dependencies in check - JoziJUG

Marit van Dijk
September 26, 2022
Technology
0
51

Keep your dependencies in check - JoziJUG

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

September 26, 2022
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Reading code
mlvandijk
0
21
Keep your dependencies in check
mlvandijk
0
14
Reading Code
mlvandijk
0
110
Keep your dependencies in check
mlvandijk
0
9
Keep your dependencies in check
mlvandijk
0
22
Reading Code
mlvandijk
0
130
Reading code
mlvandijk
0
49
Keep your dependencies in check
mlvandijk
0
23
Reading code
mlvandijk
0
97

Other Decks in Technology

See All in Technology
エンタープライズSaaSへの挑戦〜顧客の事業を成長させるプロダクトマネジメントとは?〜 / pmconf2023
route06
2
920
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
0
2.2k
Exploring Postgres VACUUM with the VACUUM Simulator
keiko713
5
710
Building smarter apps with machine learning, from magic to reality
picardparis
4
3.7k
APIシナリオテストツールとしてのrunn / 4 API testing tools
k1low
1
430
生成AIでシステム開発はどう変わるか
etaroid
17
7.5k
Honoが良さそう🔥
is_ryo
0
180
SRE推進における失敗と成功 〜く"し"け"な"い"〜 - NIFTY Tech Day 2023
niftycorp
0
120
re:Invent2023で登場した運用開発用の可視化ツールたちを実際に見てみよう
yoshimi0227
0
150
RealSense T265とD415とUFACTORY Lite 6で模倣学習の実験
hygradme
0
350
Amazon Bedrock を利用したAIチャットボット開発
yukimatsuyoshi
1
490
pmconf 2023 プロダクトと事業を無限にスケールするための最強のロードマップの作り方 / The Greatest Roadmap for Unlimited Scaling your Business and Products
yamamuteki
15
8.9k

Featured

See All Featured
Writing Fast Ruby
sferik
615
59k
A Tale of Four Properties
chriscoyier
150
22k
A Philosophy of Restraint
colly
194
15k
For a Future-Friendly Web
brad_frost
168
8.4k
10 Git Anti Patterns You Should be Aware of
lemiorhan
645
57k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
6
7.3k
In The Pink: A Labor of Love
frogandcode
135
21k
Scaling GitHub
holman
455
140k
Agile that works and the tools we love
rasmusluckow
323
20k
Designing for Performance
lara
601
66k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
113
17k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.7k

Transcript

  1. Keep your dependencies in check
    Jozi-JUG - September 26st, 2022
    https://maritvandijk.com/ @MaritvanDijk77

    View Slide

  2. @MaritvanDijk77

    View Slide

  3. @MaritvanDijk77

    View Slide

  4. @MaritvanDijk77

    View Slide

  5. @MaritvanDijk77

    View Slide

  6. Dec. 2021
    @MaritvanDijk77

    View Slide

  7. @MaritvanDijk77

    View Slide

  8. @MaritvanDijk77

    View Slide

  9. @MaritvanDijk77

    View Slide

  10. March 2022
    @MaritvanDijk77

    View Slide

  11. @MaritvanDijk77

    View Slide

  12. @MaritvanDijk77

    View Slide

  13. @MaritvanDijk77

    View Slide

  14. @MaritvanDijk77

    View Slide

  15. @MaritvanDijk77
    Do we


    need


    this
    dependency?

    View Slide

  16. Selecting dependencies
    @MaritvanDijk77

    View Slide

  17. Selecting dependencies
    @MaritvanDijk77

    View Slide

  18. @MaritvanDijk77
    https://xkcd.com/2347/

    View Slide

  19. Selecting dependencies
    @MaritvanDijk77

    View Slide

  20. Selecting dependencies
    @MaritvanDijk77

    View Slide

  21. Selecting dependencies
    @MaritvanDijk77

    View Slide

  22. Dependency information
    @MaritvanDijk77
    https://mvnrepository.com/

    View Slide

  23. Dependency information
    @MaritvanDijk77
    https://mvnrepository.com/
    Link to https://cve.mitre.org/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518

    View Slide

  24. Dependency information
    @MaritvanDijk77
    https://github.com/

    View Slide

  25. Dependency information
    @MaritvanDijk77
    https://package-search.jetbrains.com/

    View Slide

  26. Dependency information
    @MaritvanDijk77
    https://package-search.jetbrains.com/

    View Slide

  27. No dependencies
    @MaritvanDijk77
    Maintain dependencies

    View Slide

  28. Maven
    • Overview of dependencies: `mvn dependency:tree`
    @MaritvanDijk77

    View Slide

  29. Maven
    • Check for updates: `mvn versions:display-dependency-updates`
    @MaritvanDijk77

    View Slide

  30. Maven
    • Analyse dependencies: `mvn dependency:analyze`
    @MaritvanDijk77

    View Slide

  31. Gradle
    • Overview of dependencies: `./gradlew dependencies`
    @MaritvanDijk77

    View Slide

  32. Gradle
    • Add plugin, e.g. gradle-versions-plugin


    • Run `./gradlew dependencyUpdates`
    @MaritvanDijk77

    View Slide

  33. IntelliJ IDEA: Community Edition
    • Alt + Enter
    @MaritvanDijk77

    View Slide

  34. IntelliJ IDEA: Community Edition
    • Alt + Enter
    @MaritvanDijk77

    View Slide

  35. IntelliJ IDEA: Ultimate Edition
    @MaritvanDijk77

    View Slide

  36. Downsides
    - Check out each individual project


    - Apply & verify updates
    @MaritvanDijk77

    View Slide

  37. Software Composition Analysis (SCA)
    • Scan all repos


    • Overview
    @MaritvanDijk77

    View Slide

  38. SCA: Pros & Cons
    + No need to check out repos individually


    - I have to check the dashboard
    @MaritvanDijk77

    View Slide

  39. @MaritvanDijk77
    Bots
    • Dependabot


    • Renovate


    • Snyk Open Source

    View Slide

  40. Dependabot
    • GitHub native


    • Includes:


    • Dependabot alerts


    • Dependabot security updates


    • Dependabot version updates
    @MaritvanDijk77

    View Slide

  41. Dependabot enable
    @MaritvanDijk77

    View Slide

  42. Dependabot alerts
    @MaritvanDijk77

    View Slide

  43. Dependabot security updates
    @MaritvanDijk77

    View Slide

  44. Dependabot version updates
    • Add dependabot.yml (impacts security updates)


    • Package manager & directory manifest file


    • Frequency (daily, weekly, or monthly)


    • Schedule (date, time, timezone)


    • Max. number of PR's (default 5)


    • Some details to manage PR's
    @MaritvanDijk77
    https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

    View Slide

  45. Renovate
    • By Mend


    • Available via GitHub App
    @MaritvanDijk77

    View Slide

  46. Renovate enable
    @MaritvanDijk77
    https://github.com/apps/renovate

    View Slide

  47. Renovate enable
    @MaritvanDijk77

    View Slide

  48. Renovate enable
    @MaritvanDijk77

    View Slide

  49. Renovate configuration
    • All repos or selected repos


    • Config file is created for you


    • Limit concurrent branches / PRs, hourly limit


    • More options


    • More fine-grained
    @MaritvanDijk77
    https://docs.renovatebot.com/configuration-options/

    View Slide

  50. Renovate PR
    @MaritvanDijk77
    https://docs.renovatebot.com/merge-confidence/

    View Slide

  51. Renovate Dashboard
    @MaritvanDijk77

    View Slide

  52. Snyk
    • Products:


    • Snyk Open Source


    • Snyk Code


    • Snyk Container


    • Snyk Infrastructure as Code


    • Snyk Cloud
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  53. Snyk enable
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  54. Snyk enable
    @MaritvanDijk77

    View Slide

  55. Snyk enable
    @MaritvanDijk77

    View Slide

  56. Snyk enable
    @MaritvanDijk77

    View Slide

  57. Snyk PR
    @MaritvanDijk77

    View Slide

  58. Snyk PR
    @MaritvanDijk77

    View Slide

  59. Snyk PR Check
    @MaritvanDijk77

    View Slide

  60. Snyk dashboard
    @MaritvanDijk77

    View Slide

  61. Snyk dashboard
    @MaritvanDijk77

    View Slide

  62. Snyk Open Source Configuration
    • Frequency (daily, weekly, never)


    • Enable/disable: New and/or known vulnerabilities


    • Enable/disable PRs for single project
    @MaritvanDijk77
    https://docs.snyk.io/products/snyk-open-source/open-source-basics

    View Slide

  63. Bots: Pros & Cons
    + Relatively easy to install


    + Automatic PRs


    - Manage PRs (merge & deploy)


    - No code changes (if needed)
    @MaritvanDijk77

    View Slide

  64. Bots: Pros & Cons
    + Relatively easy to install


    + Automatic PRs


    - Manage PRs (merge & deploy)


    - No code changes (if needed)
    @MaritvanDijk77

    View Slide

  65. Error-prone
    • Static analysis tool for Java that catches common programming
    mistakes at compile-time.


    • Maven, Gradle, etc.


    • Bug patterns: https://errorprone.info/bugpatterns


    • Report or fix


    • Custom checks


    • Refaster: refactor code using before-and-after templates
    @MaritvanDijk77
    https://errorprone.info/

    View Slide

  66. Error-prone
    @MaritvanDijk77
    https://www.youtube.com/watch?v=NPuLeoIzIR0

    View Slide

  67. OpenRewrite
    • Source code refactoring for framework migrations, vulnerability
    patches, and API migrations with an early focus on the Java language


    • Maven & Gradle


    • Existing recipes (e.g. Java 8 -> 11, JUnit 4 -> 5)


    • Can author recipes
    @MaritvanDijk77
    https://docs.openrewrite.org/

    View Slide

  68. Conclusion
    • (Re)evaluate dependencies carefully


    • Automate checks & updates


    • Stay safe!
    @MaritvanDijk77

    View Slide

  69. Slides
    https://maritvandijk.com/presentations/keep-your-dependencies-in-check/


    @MaritvanDijk77

    View Slide