Slide 1
Slide 1 text
Keep your dependencies in check
GOTO Copenhagen - Oct 2, 2023
https://maritvandijk.com/ @MaritvanDijk77
Slide 2
Slide 2 text
@MaritvanDijk77
Slide 3
Slide 3 text
@MaritvanDijk77
Slide 4
Slide 4 text
@MaritvanDijk77
Slide 5
Slide 5 text
@MaritvanDijk77
Slide 6
Slide 6 text
Dec. 2021
@MaritvanDijk77
Slide 7
Slide 7 text
@MaritvanDijk77
Slide 8
Slide 8 text
@MaritvanDijk77
Slide 9
Slide 9 text
@MaritvanDijk77
Slide 10
Slide 10 text
March 2022
@MaritvanDijk77
Slide 11
Slide 11 text
@MaritvanDijk77
Slide 12
Slide 12 text
@MaritvanDijk77
Slide 13
Slide 13 text
@MaritvanDijk77
Slide 14
Slide 14 text
@MaritvanDijk77
Slide 15
Slide 15 text
@MaritvanDijk77
Do we
need
this
dependency?
Slide 16
Slide 16 text
Selecting dependencies
@MaritvanDijk77
Slide 17
Slide 17 text
Selecting dependencies
@MaritvanDijk77
Slide 18
Slide 18 text
@MaritvanDijk77
https://xkcd.com/2347/
Slide 19
Slide 19 text
Selecting dependencies
@MaritvanDijk77
Slide 20
Slide 20 text
Selecting dependencies
@MaritvanDijk77
Slide 21
Slide 21 text
Selecting dependencies @MaritvanDijk77
Slide 22
Slide 22 text
Selecting dependencies
@MaritvanDijk77
Slide 23
Slide 23 text
@MaritvanDijk77
https://www.sonatype.com/resources/log4j-vulnerability-resource-center
Slide 24
Slide 24 text
@MaritvanDijk77
Find information
Slide 25
Slide 25 text
Dependency information
@MaritvanDijk77
https://search.maven.org/
Slide 26
Slide 26 text
Dependency information
@MaritvanDijk77
https://central.sonatype.com/
Slide 27
Slide 27 text
Dependency information
@MaritvanDijk77
https://central.sonatype.com/
Slide 28
Slide 28 text
Dependency information
@MaritvanDijk77
https://search.maven.org/artifact/com.fasterxml.jackson.core/jackson-databind/2.15.2/jar
Slide 29
Slide 29 text
Dependency information
@MaritvanDijk77
https://central.sonatype.com/artifact/com.fasterxml.jackson.core/jackson-databind
Slide 30
Slide 30 text
Dependency information
@MaritvanDijk77
Slide 31
Slide 31 text
Dependency information
@MaritvanDijk77
Slide 32
Slide 32 text
Dependency information
@MaritvanDijk77
https://package-search.jetbrains.com/
Slide 33
Slide 33 text
Dependency information
@MaritvanDijk77
https://package-search.jetbrains.com/
Slide 34
Slide 34 text
Dependency information
@MaritvanDijk77
https://package-search.jetbrains.com/
Slide 35
Slide 35 text
Dependency information
@MaritvanDijk77
https://github.com/
Slide 36
Slide 36 text
Dependency information
@MaritvanDijk77
https://github.com/
Slide 37
Slide 37 text
Dependency information
@MaritvanDijk77
https://github.com/
Slide 38
Slide 38 text
@MaritvanDijk77
https://maritvandijk.com/presentations/collaborating-on-open-source-software/
Slide 39
Slide 39 text
No dependencies
@MaritvanDijk77
Maintain dependencies
Slide 40
Slide 40 text
Maven
• Overview of dependencies: `mvn dependency:tree`
@MaritvanDijk77
Slide 41
Slide 41 text
Maven
• Check for updates: `mvn versions:display-dependency-updates`
@MaritvanDijk77
Slide 42
Slide 42 text
Maven
• Check for updates: `mvn versions:display-dependency-updates`
@MaritvanDijk77
Slide 43
Slide 43 text
Maven
• Analyze dependencies: `mvn dependency:analyze`
@MaritvanDijk77
Slide 44
Slide 44 text
Gradle
• Overview of dependencies: `./gradlew dependencies`
@MaritvanDijk77
Slide 45
Slide 45 text
Gradle
• Check for updates:
• Add plugin, e.g. gradle-versions-plugin
• Run `./gradlew dependencyUpdates`
@MaritvanDijk77
https://github.com/ben-manes/gradle-versions-plugin
Slide 46
Slide 46 text
Gradle
• Analyze dependencies
• Add plugin (e.g. nebula)
@MaritvanDijk77
https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule
Slide 47
Slide 47 text
Gradle
• Analyze dependencies
• Add plugin (e.g. nebula)
• Run `./gradlew fixGradleLint`
@MaritvanDijk77
https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule
Slide 48
Slide 48 text
IntelliJ IDEA: View Dependencies
@MaritvanDijk77
Slide 49
Slide 49 text
IntelliJ IDEA: View Dependencies
@MaritvanDijk77
Slide 50
Slide 50 text
IntelliJ IDEA: View Dependencies
@MaritvanDijk77
Slide 51
Slide 51 text
IntelliJ IDEA: View Dependencies
@MaritvanDijk77
https://www.jetbrains.com/help/idea/maven-projects-tool-window.html
Slide 52
Slide 52 text
IntelliJ IDEA: View Dependencies
@MaritvanDijk77
https://www.jetbrains.com/help/idea/jetgradle-tool-window.html
Slide 53
Slide 53 text
IntelliJ IDEA: Dependency Analyzer
@MaritvanDijk77
https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer
Slide 54
Slide 54 text
IntelliJ IDEA: Dependency Analyzer
@MaritvanDijk77
https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer
Slide 55
Slide 55 text
IntelliJ IDEA: Dependency Analyzer
@MaritvanDijk77
https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer
Slide 56
Slide 56 text
IntelliJ IDEA: Dependency Analyzer
@MaritvanDijk77
https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer
Slide 57
Slide 57 text
IntelliJ IDEA: Dependency Analyzer
@MaritvanDijk77
https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer
Slide 58
Slide 58 text
IntelliJ IDEA: Dependency Analyzer
@MaritvanDijk77
https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer
Slide 59
Slide 59 text
IntelliJ IDEA
• Package Search: Add dependency
@MaritvanDijk77
https://www.jetbrains.com/help/idea/package-search.html
Slide 60
Slide 60 text
IntelliJ IDEA
• Package Search: Add dependency
@MaritvanDijk77
https://www.jetbrains.com/help/idea/package-search.html
Slide 61
Slide 61 text
IntelliJ IDEA: Update dependencies
• Context Actions (⌥ ⏎ or Alt+Enter)
@MaritvanDijk77
Slide 62
Slide 62 text
IntelliJ IDEA: Update dependencies
• Hover
@MaritvanDijk77
https://www.jetbrains.com/help/idea/package-analysis.html
Slide 63
Slide 63 text
IntelliJ IDEA
• Dependencies tool window
@MaritvanDijk77
https://www.jetbrains.com/help/idea/package-search.html
Slide 64
Slide 64 text
IntelliJ IDEA
• Dependencies tool window (search)
@MaritvanDijk77
https://www.jetbrains.com/help/idea/package-search.html
Slide 65
Slide 65 text
IntelliJ IDEA
https://www.jetbrains.com/help/idea/package-analysis.html @MaritvanDijk77
Slide 66
Slide 66 text
IntelliJ IDEA
@MaritvanDijk77
https://www.youtube.com/@intellijidea
Slide 67
Slide 67 text
Pros & Cons
+ Check dependencies while working on the project
- Check out each individual project
- Apply & verify updates
@MaritvanDijk77
Slide 68
Slide 68 text
Software Composition Analysis (SCA)
• Scan all repos (and containers)
• Overview
@MaritvanDijk77
Slide 69
Slide 69 text
SCA: Pros & Cons
+ No need to check out repos individually
- I have to check the dashboard
- Apply & verify updates
@MaritvanDijk77
Slide 70
Slide 70 text
@MaritvanDijk77
Bots
• Dependabot
• Renovate
• Snyk Open Source
Slide 71
Slide 71 text
Dependabot
• GitHub native
• Features:
• Alerts
• Security updates
• Version updates
@MaritvanDijk77
Slide 72
Slide 72 text
Dependabot enable
@MaritvanDijk77
Slide 73
Slide 73 text
Dependabot alerts
@MaritvanDijk77
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
Slide 74
Slide 74 text
Dependabot alerts
@MaritvanDijk77
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
Slide 75
Slide 75 text
Dependabot alerts
@MaritvanDijk77
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
Slide 76
Slide 76 text
Dependabot security updates
@MaritvanDijk77
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates
Slide 77
Slide 77 text
Dependabot security updates
@MaritvanDijk77
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates
Slide 78
Slide 78 text
Dependabot version updates
• Add dependabot.yml
• Specify:
• Package manager & location of manifest file
• Schedule interval (daily, weekly, or monthly)
• Optional:
• Max. number of PR's (default 5)
• Rebase strategy
• Etc
@MaritvanDijk77
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
Slide 79
Slide 79 text
Dependabot: Supported platforms
• GitHub native
• Can run on GitLab too
@MaritvanDijk77
Slide 80
Slide 80 text
Renovate
• Available via GitHub App
• Features:
• Security updates
• Version updates
• Project dashboard
@MaritvanDijk77
Slide 81
Slide 81 text
Renovate enable
@MaritvanDijk77
https://github.com/apps/renovate
Slide 82
Slide 82 text
Renovate enable - 3
@MaritvanDijk77
Slide 83
Slide 83 text
Renovate onboarding PR
@MaritvanDijk77
Slide 84
Slide 84 text
Renovate configuration
• All repos or selected repos
• Config file is created for you
• Scheduling
• Max. number of PR's / concurrent branches
• Rule based auto merge
• More options & more fine-grained
@MaritvanDijk77
https://docs.renovatebot.com/configuration-options/
Slide 85
Slide 85 text
Renovate PR
@MaritvanDijk77
https://docs.renovatebot.com/merge-confidence/
Slide 86
Slide 86 text
Renovate Dashboard: Project
@MaritvanDijk77
Slide 87
Slide 87 text
Renovate Dashboard: Jobs
@MaritvanDijk77
Slide 88
Slide 88 text
Renovate: Supported platforms
• GitHub (.com and Enterprise Server)
• GitLab (.com and CE/EE)
• Bitbucket Cloud
• Bitbucket Server
• Azure DevOps
• AWS CodeCommit
• Gitea
@MaritvanDijk77
https://docs.renovatebot.com/#supported-platforms
Slide 89
Slide 89 text
Snyk Open Source
• Available via Snyk
• Features:
• Security updates
• Version updates
• Test for new vulnerabilities (on PRs)
• Test for vulnerabilities in source code
• Dashboards
@MaritvanDijk77
https://snyk.io/
Slide 90
Slide 90 text
Snyk enable
@MaritvanDijk77
https://snyk.io/
Slide 91
Slide 91 text
Snyk enable
@MaritvanDijk77
https://snyk.io/
Slide 92
Slide 92 text
Snyk enable
@MaritvanDijk77
https://snyk.io/
Slide 93
Slide 93 text
Snyk enable
@MaritvanDijk77
https://snyk.io/
Slide 94
Slide 94 text
Snyk enable
@MaritvanDijk77
https://snyk.io/
Slide 95
Slide 95 text
Snyk PR
@MaritvanDijk77
Slide 96
Slide 96 text
Snyk PR
@MaritvanDijk77
Slide 97
Slide 97 text
Snyk PR Check
@MaritvanDijk77
Slide 98
Slide 98 text
Snyk dashboard
@MaritvanDijk77
Slide 99
Slide 99 text
Snyk Open Source Configuration
• Frequency (daily, weekly, never)
• Enable/disable: New and/or known vulnerabilities
• Enable/disable PR's for single project
@MaritvanDijk77
https://docs.snyk.io/products/snyk-open-source/open-source-basics
Slide 100
Slide 100 text
Snyk Open Source: Supported Platforms
• GitHub
• GitHub Enterprise
• GitHub Read-only projects
• Bitbucket Cloud Personal Access Token (Legacy)
• Bitbucket Cloud App
• Bitbucket Data Center/Server
• GitLab
• Azure Repos
@MaritvanDijk77
https://docs.snyk.io/integrations/git-repository-scm-integrations
Slide 101
Slide 101 text
@MaritvanDijk77
Bots
• Dependabot
• Renovate
• Snyk Open Source
Slide 102
Slide 102 text
Bots: Pros & Cons
+ Relatively easy to install
+ Automatic PR's
- Can create "noise"
- Manage PRs (merge & deploy)
- No code changes (if needed)
@MaritvanDijk77
Slide 103
Slide 103 text
Migration tools
@MaritvanDijk77
Slide 104
Slide 104 text
IntelliJ IDEA
• Refactor > Migrate Packages and Classes
@MaritvanDijk77
https://www.jetbrains.com/help/idea/migrate.html
Slide 105
Slide 105 text
IntelliJ IDEA
• Refactor > Migrate Packages and Classes >
• Java EE to Jakarta EE
• JUnit (4.x -> 5.0)
• JavaFX (8 -> 9)
@MaritvanDijk77
https://www.jetbrains.com/help/idea/migrate.html
Slide 106
Slide 106 text
IntelliJ IDEA
• Create New Migration
@MaritvanDijk77
Slide 107
Slide 107 text
IntelliJ IDEA
• Create New Migration
@MaritvanDijk77
Slide 108
Slide 108 text
IntelliJ IDEA
@MaritvanDijk77
https://www.youtube.com/@intellijidea
Slide 109
Slide 109 text
Error Prone
• Static analysis tool for Java to catch common programming mistakes
at compile-time.
• Maven, Gradle, etc.
• IntelliJ IDEA / Eclipse plugin, Command line
• Bug patterns
• Report or fix
• Custom checks
• Includes Refaster: refactor code using before-and-after templates
@MaritvanDijk77
https://errorprone.info/
Slide 110
Slide 110 text
Error Prone
@MaritvanDijk77
https://www.youtube.com/watch?v=NPuLeoIzIR0
Slide 111
Slide 111 text
Error Prone Support
@MaritvanDijk77
https://error-prone.picnic.tech/
Slide 112
Slide 112 text
OpenRewrite
• Source code refactoring for framework/API migrations, vulnerability
patches, and static code analysis fixes
• Java, Kotlin & Groovy support
• Run with Maven or Gradle
• Run without a build tool
• Early support for Python, Typescript, ...
@MaritvanDijk77
https://docs.openrewrite.org/
Slide 113
Slide 113 text
OpenRewrite
• Existing recipes
• Upgrade versions
• Migrate libraries
@MaritvanDijk77
https://docs.openrewrite.org/running-recipes/popular-recipe-guides
Slide 114
Slide 114 text
OpenRewrite
• Existing recipes
• Find by topic
@MaritvanDijk77
https://docs.openrewrite.org/reference/recipes
Slide 115
Slide 115 text
OpenRewrite
• Existing recipes
• Can author your own recipes
@MaritvanDijk77
https://docs.openrewrite.org/
Slide 116
Slide 116 text
OpenRewrite
@MaritvanDijk77
https://www.youtube.com/watch?v=jOFfCAleUI8
Slide 117
Slide 117 text
Conclusion
•(Re)evaluate dependencies carefully
•Automate checks & updates
•Stay safe!
@MaritvanDijk77
Slide 118
Slide 118 text
Slides & More
https://maritvandijk.com/presentations/keep-your-dependencies-in-check/
@MaritvanDijk77