Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep your dependencies in check - JoziJUG

Avatar for Marit van Dijk Marit van Dijk
September 26, 2022
Technology
0
59

Keep your dependencies in check - JoziJUG

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.
Avatar for Marit van Dijk

Marit van Dijk

September 26, 2022
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Reading Code (GeeCON Kraków)
Avatar for Marit van Dijk mlvandijk
0
5
TDD: Test-Driven Development vs Tab-Driven Development (JCON)
Avatar for Marit van Dijk mlvandijk
0
16
public static void main (JCON)
Avatar for Marit van Dijk mlvandijk
0
2
Learning modern Java the playful way (Devoxx UK)
Avatar for Marit van Dijk mlvandijk
0
6
Reading Code (Devoxx UK)
Avatar for Marit van Dijk mlvandijk
0
5
TDD: Test-Driven Development vs Tab-Driven Development
Avatar for Marit van Dijk mlvandijk
0
130
Reading Code (Duke turns 30)
Avatar for Marit van Dijk mlvandijk
1
40
TDD: Test-Driven Development vs TAB-Driven Development (Devnexus)
Avatar for Marit van Dijk mlvandijk
0
46
Reading Code (NDC London)
Avatar for Marit van Dijk mlvandijk
0
33

Other Decks in Technology

See All in Technology
大規模サーバーレスプロジェクトのリアルな零れ話
Avatar for mai miya maimyyym
3
220
CARTA HOLDINGS エンジニア向け 採用ピッチ資料 / CARTA-GUIDE-for-Engineers
Avatar for CARTA Engineering carta_engineering
0
27k
Google Cloud Next 2025 Recap マーケティング施策の運用及び開発を支援するAIの活用 / Use of AI to support operation and development of marketing campaign
Avatar for Atsushi Yoshikawa atsushiyoshikawa
0
200
テストコードにはテストの意図を込めよう(2025年版) #retechtalk / Put the intent of the test 2025
Avatar for nihonbuson nihonbuson
PRO
6
1.3k
Kaigi Effect 2025 #rubykaigi2025_after
Avatar for sue445 sue445
0
130
Serverlessだからこそコードと設計にはこだわろう
Avatar for Ken'ichirou Kimura kenichirokimura
2
1k
AI-in-the-Enterprise|OpenAIが公開した「AI導入7つの教訓」——ChatGPTで変わる企業の未来とは?
Avatar for CUSTOMER CLOUD CORP. customercloud
PRO
0
160
Datadog のトライアルを成功に導く技術 / Techniques for a successful Datadog trial
Avatar for 株式会社ヌーラボ nulabinc
PRO
0
150
事業と組織から目を逸らずに技術でリードする
Avatar for ogugu ogugu9
7
870
AIによるコードレビューで開発体験を向上させよう!
Avatar for Atsushi Nakatsugawa moongift
PRO
0
430
Next.jsと状態管理のプラクティス
Avatar for uhyo uhyo
6
2.1k
激動の一年を通じて見えてきた「技術でリードする」ということ
Avatar for ktr ktr_0731
5
4.4k

Featured

See All Featured
Docker and Python
Avatar for Tania Allard trallard
44
3.4k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
35
2.7k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
233
140k
Done Done
Avatar for chrislema chrislema
184
16k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
172
14k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
22
3.4k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
298
20k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
41
2.3k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
31
8.6k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
14
1.5k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
523
40k

Transcript

  1. Keep your dependencies in check Jozi-JUG - September 26st, 2022

    https://maritvandijk.com/ @MaritvanDijk77

  2. @MaritvanDijk77

  3. @MaritvanDijk77

  4. @MaritvanDijk77

  5. @MaritvanDijk77

  6. Dec. 2021 @MaritvanDijk77

  7. @MaritvanDijk77

  8. @MaritvanDijk77

  9. @MaritvanDijk77

  10. March 2022 @MaritvanDijk77

  11. @MaritvanDijk77

  12. @MaritvanDijk77

  13. @MaritvanDijk77

  14. @MaritvanDijk77

  15. @MaritvanDijk77 Do we need this dependency?

  16. Selecting dependencies @MaritvanDijk77

  17. Selecting dependencies @MaritvanDijk77

  18. @MaritvanDijk77 https://xkcd.com/2347/

  19. Selecting dependencies @MaritvanDijk77

  20. Selecting dependencies @MaritvanDijk77

  21. Selecting dependencies @MaritvanDijk77

  22. Dependency information @MaritvanDijk77 https://mvnrepository.com/

  23. Dependency information @MaritvanDijk77 https://mvnrepository.com/ Link to https://cve.mitre.org/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518

  24. Dependency information @MaritvanDijk77 https://github.com/

  25. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  26. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  27. No dependencies @MaritvanDijk77 Maintain dependencies

  28. Maven • Overview of dependencies: `mvn dependency:tree` @MaritvanDijk77

  29. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

  30. Maven • Analyse dependencies: `mvn dependency:analyze` @MaritvanDijk77

  31. Gradle • Overview of dependencies: `./gradlew dependencies` @MaritvanDijk77

  32. Gradle • Add plugin, e.g. gradle-versions-plugin • Run `./gradlew dependencyUpdates`

    @MaritvanDijk77

  33. IntelliJ IDEA: Community Edition • Alt + Enter @MaritvanDijk77

  34. IntelliJ IDEA: Community Edition • Alt + Enter @MaritvanDijk77

  35. IntelliJ IDEA: Ultimate Edition @MaritvanDijk77

  36. Downsides - Check out each individual project - Apply &

    verify updates @MaritvanDijk77

  37. Software Composition Analysis (SCA) • Scan all repos • Overview

    @MaritvanDijk77

  38. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard @MaritvanDijk77

  39. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

  40. Dependabot • GitHub native • Includes: • Dependabot alerts •

    Dependabot security updates • Dependabot version updates @MaritvanDijk77

  41. Dependabot enable @MaritvanDijk77

  42. Dependabot alerts @MaritvanDijk77

  43. Dependabot security updates @MaritvanDijk77

  44. Dependabot version updates • Add dependabot.yml (impacts security updates) •

    Package manager & directory manifest file • Frequency (daily, weekly, or monthly) • Schedule (date, time, timezone) • Max. number of PR's (default 5) • Some details to manage PR's @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

  45. Renovate • By Mend • Available via GitHub App @MaritvanDijk77

  46. Renovate enable @MaritvanDijk77 https://github.com/apps/renovate

  47. Renovate enable @MaritvanDijk77

  48. Renovate enable @MaritvanDijk77

  49. Renovate configuration • All repos or selected repos • Config

    file is created for you • Limit concurrent branches / PRs, hourly limit • More options • More fine-grained @MaritvanDijk77 https://docs.renovatebot.com/configuration-options/

  50. Renovate PR @MaritvanDijk77 https://docs.renovatebot.com/merge-confidence/

  51. Renovate Dashboard @MaritvanDijk77

  52. Snyk • Products: • Snyk Open Source • Snyk Code

    • Snyk Container • Snyk Infrastructure as Code • Snyk Cloud @MaritvanDijk77 https://snyk.io/

  53. Snyk enable @MaritvanDijk77 https://snyk.io/

  54. Snyk enable @MaritvanDijk77

  55. Snyk enable @MaritvanDijk77

  56. Snyk enable @MaritvanDijk77

  57. Snyk PR @MaritvanDijk77

  58. Snyk PR @MaritvanDijk77

  59. Snyk PR Check @MaritvanDijk77

  60. Snyk dashboard @MaritvanDijk77

  61. Snyk dashboard @MaritvanDijk77

  62. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PRs for single project @MaritvanDijk77 https://docs.snyk.io/products/snyk-open-source/open-source-basics

  63. Bots: Pros & Cons + Relatively easy to install +

    Automatic PRs - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77

  64. Bots: Pros & Cons + Relatively easy to install +

    Automatic PRs - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77

  65. Error-prone • Static analysis tool for Java that catches common

    programming mistakes at compile-time. • Maven, Gradle, etc. • Bug patterns: https://errorprone.info/bugpatterns • Report or fix • Custom checks • Refaster: refactor code using before-and-after templates @MaritvanDijk77 https://errorprone.info/

  66. Error-prone @MaritvanDijk77 https://www.youtube.com/watch?v=NPuLeoIzIR0

  67. OpenRewrite • Source code refactoring for framework migrations, vulnerability patches,

    and API migrations with an early focus on the Java language • Maven & Gradle • Existing recipes (e.g. Java 8 -> 11, JUnit 4 -> 5) • Can author recipes @MaritvanDijk77 https://docs.openrewrite.org/

  68. Conclusion • (Re)evaluate dependencies carefully • Automate checks & updates

    • Stay safe! @MaritvanDijk77

  69. Slides https://maritvandijk.com/presentations/keep-your-dependencies-in-check/ @MaritvanDijk77