Slide 1

Keep your dependencies in check Jozi-JUG - September 26th, 2022 https://maritvandijk.com/ @MaritvanDijk77

Slide 6

Dec. 2021

Slide 10

March 2022

Slide 15

Do we need this dependency?

Slide 16

Selecting dependencies

Slide 18

https://xkcd.com/2347/

Slide 22

Dependency information https://mvnrepository.com/

Slide 23

Dependency information https://mvnrepository.com/ (links to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518)

Slide 24

Dependency information https://github.com/

Slide 25

Dependency information https://package-search.jetbrains.com/

Slide 27

No dependencies
Maintain dependencies

Slide 28

Maven • Overview of dependencies: `mvn dependency:tree`

Slide 29

Maven • Check for updates: `mvn versions:display-dependency-updates`

Slide 30

Maven • Analyse dependencies: `mvn dependency:analyze`

Slide 31

Gradle • Overview of dependencies: `./gradlew dependencies`

Slide 32

Gradle
• Add plugin, e.g. gradle-versions-plugin
• Run `./gradlew dependencyUpdates`

Slide 33

IntelliJ IDEA: Community Edition • Alt + Enter

Slide 35

IntelliJ IDEA: Ultimate Edition

Slide 36

Downsides
- Check out each individual project
- Apply & verify updates

Slide 37

Software Composition Analysis (SCA)
• Scan all repos
• Overview

Slide 38

SCA: Pros & Cons
+ No need to check out repos individually
- I have to check the dashboard

Slide 39

Bots
• Dependabot
• Renovate
• Snyk Open Source

Slide 40

Dependabot
• GitHub native
• Includes:
  • Dependabot alerts
  • Dependabot security updates
  • Dependabot version updates

Slide 41

Dependabot enable

Slide 42

Dependabot alerts

Slide 43

Dependabot security updates

Slide 44

Dependabot version updates
• Add dependabot.yml (impacts security updates)
• Package manager & directory of the manifest file
• Frequency (daily, weekly, or monthly)
• Schedule (date, time, timezone)
• Max. number of PRs (default 5)
• Some details to manage PRs
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
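As an added example (not taken from the slides), a `.github/dependabot.yml` that sets each of the options listed above for a Maven build at the repository root and a Gradle build in a subdirectory; the directory paths, schedule values and timezone are assumptions.

```yaml
# Added example, not part of the original slides.
# Location in the repository: .github/dependabot.yml
version: 2
updates:
  # Package manager and the directory that holds its manifest (pom.xml).
  - package-ecosystem: "maven"
    directory: "/"                     # assumed: pom.xml at the repository root
    schedule:
      interval: "weekly"               # frequency: daily, weekly or monthly
      day: "monday"                    # schedule: day (weekly only)
      time: "06:00"                    # schedule: time of day
      timezone: "Africa/Johannesburg"  # assumed: the talk was given in Johannesburg
    open-pull-requests-limit: 5        # max. number of version-update PRs (5 is the default)
    # Details that make the PRs easier to manage
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"

  # Second manifest: a Gradle build in a subdirectory (assumed path).
  - package-ecosystem: "gradle"
    directory: "/service"              # assumed: build.gradle(.kts) lives here
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
```

Once this file exists, some of the options in it (for example `ignore` and `target-branch`) also apply to Dependabot security updates for the configured ecosystems, which is the impact the slide points out.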

Slide 45

Renovate
• By Mend
• Available via GitHub App

Slide 46

Renovate enable https://github.com/apps/renovate

Slide 49

Renovate configuration
• All repos or selected repos
• Config file is created for you
• Limit concurrent branches / PRs, hourly limit
• More options
• More fine-grained
https://docs.renovatebot.com/configuration-options/

Slide 50

Renovate PR https://docs.renovatebot.com/merge-confidence/

Slide 51

Renovate Dashboard

Slide 52

Snyk
• Products:
  • Snyk Open Source
  • Snyk Code
  • Snyk Container
  • Snyk Infrastructure as Code
  • Snyk Cloud
https://snyk.io/

Slide 53

Snyk enable https://snyk.io/

Slide 57

Snyk PR

Slide 59

Snyk PR Check

Slide 60

Snyk dashboard

Slide 62

Snyk Open Source Configuration
• Frequency (daily, weekly, never)
• Enable/disable: new and/or known vulnerabilities
• Enable/disable PRs for a single project
https://docs.snyk.io/products/snyk-open-source/open-source-basics

Slide 63

Bots: Pros & Cons
+ Relatively easy to install
+ Automatic PRs
- Manage PRs (merge & deploy)
- No code changes (if needed)

Slide 65

Error-prone
• Static analysis tool for Java that catches common programming mistakes at compile time.
• Maven, Gradle, etc.
• Bug patterns: https://errorprone.info/bugpatterns
• Report or fix
• Custom checks
• Refaster: refactor code using before-and-after templates
https://errorprone.info/

Slide 66

Error-prone https://www.youtube.com/watch?v=NPuLeoIzIR0

Slide 67

OpenRewrite
• Source code refactoring for framework migrations, vulnerability patches, and API migrations, with an early focus on the Java language
• Maven & Gradle
• Existing recipes (e.g. Java 8 -> 11, JUnit 4 -> 5)
• Can author recipes
https://docs.openrewrite.org/

Slide 68

Conclusion
• (Re)evaluate dependencies carefully
• Automate checks & updates
• Stay safe!

Slide 69

Slides https://maritvandijk.com/presentations/keep-your-dependencies-in-check/