Slide 1

Keep your dependencies in check
GOTO Copenhagen - Oct 2, 2023
https://maritvandijk.com/
@MaritvanDijk77

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Dec. 2021

Slide 7

Slide 8

Slide 9

Slide 10

March 2022

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Do we need this dependency?

Slide 16

Selecting dependencies

Slide 17

Selecting dependencies

Slide 18

https://xkcd.com/2347/

Slide 19

Selecting dependencies

Slide 20

Selecting dependencies

Slide 21

Selecting dependencies

Slide 22

Selecting dependencies

Slide 23

https://www.sonatype.com/resources/log4j-vulnerability-resource-center

Slide 24

Find information

Slide 25

Dependency information
https://search.maven.org/

Slide 26

Dependency information
https://central.sonatype.com/

Slide 27

Dependency information
https://central.sonatype.com/

Slide 28

Dependency information
https://search.maven.org/artifact/com.fasterxml.jackson.core/jackson-databind/2.15.2/jar

Slide 29

Dependency information
https://central.sonatype.com/artifact/com.fasterxml.jackson.core/jackson-databind

Slide 30

Dependency information

Slide 31

Dependency information

Slide 32

Dependency information
https://package-search.jetbrains.com/

Slide 33

Dependency information
https://package-search.jetbrains.com/

Slide 34

Dependency information
https://package-search.jetbrains.com/

Slide 35

Dependency information
https://github.com/

Slide 36

Dependency information
https://github.com/

Slide 37

Dependency information
https://github.com/

Slide 38

https://maritvandijk.com/presentations/collaborating-on-open-source-software/

Slide 39

No dependencies
Maintain dependencies

Slide 40

Maven
• Overview of dependencies: `mvn dependency:tree`

Slide 41

Maven
• Check for updates: `mvn versions:display-dependency-updates`

Slide 42

Maven
• Check for updates: `mvn versions:display-dependency-updates`

Slide 43

Maven
• Analyze dependencies: `mvn dependency:analyze`

Slide 44

Gradle
• Overview of dependencies: `./gradlew dependencies`

Slide 45

Gradle
• Check for updates:
  • Add plugin, e.g. gradle-versions-plugin
  • Run `./gradlew dependencyUpdates`
https://github.com/ben-manes/gradle-versions-plugin

Slide 46

Gradle
• Analyze dependencies
  • Add plugin (e.g. nebula)
https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

Slide 47

Gradle
• Analyze dependencies
  • Add plugin (e.g. nebula)
  • Run `./gradlew fixGradleLint`
https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule
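Worked example, added here and not part of the talk: a POSIX shell script that turns the overview from `mvn dependency:tree` (slide 40) into something a policy can be checked against. It flattens the tree into one `group:artifact:version:scope` line per dependency and then reports every dependency whose version is below a minimum-version policy. The sample tree output and the policy are constructed for the example; only the `mvn dependency:tree` command comes from the slides, and `flatten_tree`, `version_lt`, `check_policy`, `SAMPLE_TREE` and `POLICY` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the talk): flatten `mvn dependency:tree` output and
# check every dependency against a minimum-version policy.

# Constructed sample of `mvn dependency:tree` output (versions are examples).
SAMPLE_TREE='[INFO] --- dependency:3.6.0:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.14.1:test
[INFO] BUILD SUCCESS'

# Constructed policy: "group:artifact minimum-version", one entry per line.
POLICY='com.fasterxml.jackson.core:jackson-databind 2.15.0
org.apache.logging.log4j:log4j-core 2.17.1'

# Read tree output on stdin; print one unique group:artifact:version:scope per
# dependency. Only lines carrying all five Maven fields
# (group:artifact:type:version:scope) are kept, which drops the root artifact
# and the plugin banner lines.
flatten_tree() {
    sed -n 's/^\[INFO\] [-+|\\ ]*\([^ :]*:[^ :]*:[^ :]*:[^ :]*:[^ :]*\)$/\1/p' |
        awk -F: '{ print $1 ":" $2 ":" $4 ":" $5 }' | sort -u
}

# Succeed (exit 0) when dotted version $1 is lower than $2, comparing each
# numeric component; missing components count as 0, so 2.15 < 2.15.1.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Read flattened coordinates on stdin and report each dependency whose version
# is below the policy minimum. Returns 1 if any violation was found, else 0.
check_policy() {
    found=0
    while IFS=: read -r group artifact version scope; do
        min=$(printf '%s\n' "$POLICY" | awk -v ga="$group:$artifact" '$1 == ga { print $2 }')
        [ -n "$min" ] || continue            # not covered by the policy
        if version_lt "$version" "$min"; then
            printf 'BELOW MINIMUM: %s:%s:%s (%s) < %s\n' "$group" "$artifact" "$version" "$scope" "$min"
            found=1
        fi
    done
    return "$found"
}

# Run against the constructed sample; with a real project use:
#   mvn dependency:tree | flatten_tree | check_policy
printf '%s\n' "$SAMPLE_TREE" | flatten_tree | check_policy || echo "policy violations found"
```

The check looks at transitive dependencies as well as declared ones, which is the point of starting from `dependency:tree` rather than from the POM: a vulnerable version pulled in indirectly is still on the classpath, and a test-scoped dependency (as in the sample) still runs on the build machine.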

Slide 48

IntelliJ IDEA: View Dependencies

Slide 49

IntelliJ IDEA: View Dependencies

Slide 50

IntelliJ IDEA: View Dependencies

Slide 51

IntelliJ IDEA: View Dependencies
https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

Slide 52

IntelliJ IDEA: View Dependencies
https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

Slide 53

IntelliJ IDEA: Dependency Analyzer
https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

Slide 54

IntelliJ IDEA: Dependency Analyzer
https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

Slide 55

IntelliJ IDEA: Dependency Analyzer
https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

Slide 56

IntelliJ IDEA: Dependency Analyzer
https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

Slide 57

IntelliJ IDEA: Dependency Analyzer
https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

Slide 58

IntelliJ IDEA: Dependency Analyzer
https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

Slide 59

IntelliJ IDEA
• Package Search: Add dependency
https://www.jetbrains.com/help/idea/package-search.html

Slide 60

IntelliJ IDEA
• Package Search: Add dependency
https://www.jetbrains.com/help/idea/package-search.html

Slide 61

IntelliJ IDEA: Update dependencies
• Context Actions (⌥ ⏎ or Alt+Enter)

Slide 62

IntelliJ IDEA: Update dependencies
• Hover
https://www.jetbrains.com/help/idea/package-analysis.html

Slide 63

IntelliJ IDEA
• Dependencies tool window
https://www.jetbrains.com/help/idea/package-search.html

Slide 64

IntelliJ IDEA
• Dependencies tool window (search)
https://www.jetbrains.com/help/idea/package-search.html

Slide 65

IntelliJ IDEA
https://www.jetbrains.com/help/idea/package-analysis.html

Slide 66

IntelliJ IDEA
https://www.youtube.com/@intellijidea

Slide 67

Pros & Cons
+ Check dependencies while working on the project
- Check out each individual project
- Apply & verify updates

Slide 68

Software Composition Analysis (SCA)
• Scan all repos (and containers)
• Overview

Slide 69

SCA: Pros & Cons
+ No need to check out repos individually
- I have to check the dashboard
- Apply & verify updates

Slide 70

Bots
• Dependabot
• Renovate
• Snyk Open Source

Slide 71

Dependabot
• GitHub native
• Features:
  • Alerts
  • Security updates
  • Version updates

Slide 72

Dependabot enable

Slide 73

Dependabot alerts
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

Slide 74

Dependabot alerts
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

Slide 75

Dependabot alerts
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

Slide 76

Dependabot security updates
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

Slide 77

Dependabot security updates
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

Slide 78

Dependabot version updates
• Add dependabot.yml
• Specify:
  • Package manager & location of manifest file
  • Schedule interval (daily, weekly, or monthly)
• Optional:
  • Max. number of PRs (default 5)
  • Rebase strategy
  • Etc.
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
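As an added example (written for this page, not taken from the slides or from GitHub's documentation), a `.github/dependabot.yml` that sets exactly the items slide 78 lists for a project with both a Maven and a Gradle manifest: the package ecosystem and the manifest location, the schedule interval, the open pull-request limit and the rebase strategy. The ecosystem names and option keys are Dependabot's documented ones; the weekly interval, the limit of 5 and the `auto` rebase strategy are choices made here.

```yaml
# .github/dependabot.yml -- added example, not from the talk
version: 2
updates:
  # Maven project: manifest is the pom.xml in the repository root
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"          # daily, weekly, or monthly
    open-pull-requests-limit: 5   # default is 5; 0 disables version-update PRs
    rebase-strategy: "auto"       # or "disabled"

  # Gradle project: manifest is build.gradle / build.gradle.kts in the root
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    rebase-strategy: "auto"
```

Each `updates` entry covers one manifest, so a multi-module build with manifests in subdirectories needs one entry per `directory`; a manifest without an entry gets no version-update PRs, which is easy to miss when modules are added later.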

Slide 79

Dependabot: Supported platforms
• GitHub native
• Can run on GitLab too

Slide 80

Renovate
• Available via GitHub App
• Features:
  • Security updates
  • Version updates
  • Project dashboard

Slide 81

Renovate enable
https://github.com/apps/renovate

Slide 82

Renovate enable - 3

Slide 83

Renovate onboarding PR

Slide 84

Renovate configuration
• All repos or selected repos
• Config file is created for you
• Scheduling
• Max. number of PRs / concurrent branches
• Rule-based auto merge
• More options & more fine-grained
https://docs.renovatebot.com/configuration-options/
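As an added example, not from the talk or from the Renovate project, a `renovate.json` covering the options slide 84 names: a schedule, a cap on concurrent PRs, and rule-based automerge. The keys (`extends`, `schedule`, `prConcurrentLimit`, `packageRules`, `matchUpdateTypes`, `automerge`) are documented Renovate options; the Monday-morning schedule, the limit of 5, and automerging only minor and patch updates are choices made here.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "schedule": ["before 6am on monday"],
  "prConcurrentLimit": 5,
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
}
```

Automerge accepts a new package version without a person reading the PR, so the rule is deliberately limited to minor and patch updates and relies on the repository's required status checks passing before Renovate merges; major updates still arrive as normal PRs for review.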

Slide 85

Renovate PR
https://docs.renovatebot.com/merge-confidence/

Slide 86

Renovate Dashboard: Project

Slide 87

Renovate Dashboard: Jobs

Slide 88

Renovate: Supported platforms
• GitHub (.com and Enterprise Server)
• GitLab (.com and CE/EE)
• Bitbucket Cloud
• Bitbucket Server
• Azure DevOps
• AWS CodeCommit
• Gitea
https://docs.renovatebot.com/#supported-platforms

Slide 89

Snyk Open Source
• Available via Snyk
• Features:
  • Security updates
  • Version updates
  • Test for new vulnerabilities (on PRs)
  • Test for vulnerabilities in source code
  • Dashboards
https://snyk.io/

Slide 90

Snyk enable
https://snyk.io/

Slide 91

Snyk enable
https://snyk.io/

Slide 92

Snyk enable
https://snyk.io/

Slide 93

Snyk enable
https://snyk.io/

Slide 94

Snyk enable
https://snyk.io/

Slide 95

Snyk PR

Slide 96

Snyk PR

Slide 97

Snyk PR Check

Slide 98

Snyk dashboard

Slide 99

Snyk Open Source Configuration
• Frequency (daily, weekly, never)
• Enable/disable: new and/or known vulnerabilities
• Enable/disable PRs for a single project
https://docs.snyk.io/products/snyk-open-source/open-source-basics

Slide 100

Snyk Open Source: Supported Platforms
• GitHub
• GitHub Enterprise
• GitHub Read-only projects
• Bitbucket Cloud Personal Access Token (Legacy)
• Bitbucket Cloud App
• Bitbucket Data Center/Server
• GitLab
• Azure Repos
https://docs.snyk.io/integrations/git-repository-scm-integrations

Slide 101

Bots
• Dependabot
• Renovate
• Snyk Open Source

Slide 102

Bots: Pros & Cons
+ Relatively easy to install
+ Automatic PRs
- Can create "noise"
- Manage PRs (merge & deploy)
- No code changes (if needed)

Slide 103

Migration tools

Slide 104

IntelliJ IDEA
• Refactor > Migrate Packages and Classes
https://www.jetbrains.com/help/idea/migrate.html

Slide 105

IntelliJ IDEA
• Refactor > Migrate Packages and Classes >
  • Java EE to Jakarta EE
  • JUnit (4.x -> 5.0)
  • JavaFX (8 -> 9)
https://www.jetbrains.com/help/idea/migrate.html

Slide 106

IntelliJ IDEA
• Create New Migration

Slide 107

IntelliJ IDEA
• Create New Migration

Slide 108

IntelliJ IDEA
https://www.youtube.com/@intellijidea

Slide 109

Error Prone
• Static analysis tool for Java to catch common programming mistakes at compile time
• Maven, Gradle, etc.
• IntelliJ IDEA / Eclipse plugin, command line
• Bug patterns
• Report or fix
• Custom checks
• Includes Refaster: refactor code using before-and-after templates
https://errorprone.info/

Slide 110

Error Prone
https://www.youtube.com/watch?v=NPuLeoIzIR0

Slide 111

Error Prone Support
https://error-prone.picnic.tech/

Slide 112

OpenRewrite
• Source code refactoring for framework/API migrations, vulnerability patches, and static code analysis fixes
• Java, Kotlin & Groovy support
• Run with Maven or Gradle
• Run without a build tool
• Early support for Python, TypeScript, ...
https://docs.openrewrite.org/

Slide 113

OpenRewrite
• Existing recipes
  • Upgrade versions
  • Migrate libraries
https://docs.openrewrite.org/running-recipes/popular-recipe-guides

Slide 114

OpenRewrite
• Existing recipes
  • Find by topic
https://docs.openrewrite.org/reference/recipes

Slide 115

OpenRewrite
• Existing recipes
  • Can author your own recipes
https://docs.openrewrite.org/

Slide 116

OpenRewrite
https://www.youtube.com/watch?v=jOFfCAleUI8

Slide 117

Conclusion
• (Re)evaluate dependencies carefully
• Automate checks & updates
• Stay safe!

Slide 118

Slides & More
https://maritvandijk.com/presentations/keep-your-dependencies-in-check/