Slide 1

Keep your dependencies in check. Marit van Dijk, JetBrains (@MaritvanDijk77, #DevoxxPL). Platinum Sponsors

Slide 6

Dec. 2021

Slide 10

March 2022

Slide 15

Do we need this dependency? https://maritvandijk.com/selecting-dependencies/

Slide 16

Selecting dependencies

Slide 17

https://www.sonatype.com/resources/log4j-vulnerability-resource-center

Slide 18

• No dependencies
• Maintain dependencies

Slide 19

Maven
• Overview of dependencies: `mvn dependency:tree`

Slide 20

Maven
• Check for updates: `mvn versions:display-dependency-updates`

Slide 22

Maven
• Analyze dependencies: `mvn dependency:analyze`

Slide 23

Gradle
• Overview of dependencies: `./gradlew dependencies`

Slide 24

Gradle
• Check for updates:
  • Add plugin, e.g. gradle-versions-plugin
  • Run `./gradlew dependencyUpdates`
https://github.com/ben-manes/gradle-versions-plugin

Slide 25

Gradle
• Analyze dependencies
  • Add plugin (e.g. nebula)
https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

Slide 26

Gradle
• Analyze dependencies
  • Add plugin (e.g. nebula)
  • Run `./gradlew fixGradleLint`
https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

Slide 27

IntelliJ IDEA: View Dependencies

Slide 30

IntelliJ IDEA: View Dependencies https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

Slide 31

IntelliJ IDEA: View Dependencies https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

Slide 32

IntelliJ IDEA: Dependency Analyzer https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

Slide 34

IntelliJ IDEA: Dependency Analyzer https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

Slide 38

IntelliJ IDEA
• Add dependency

Slide 41

IntelliJ IDEA: Package Search https://www.jetbrains.com/help/idea/package-search.html

Slide 42

IntelliJ IDEA
• Package Search tool window
https://www.jetbrains.com/help/idea/package-search.html

Slide 43

IntelliJ IDEA: Update dependencies
• Hover
https://www.jetbrains.com/help/idea/package-analysis.html

Slide 44

IntelliJ IDEA: Update dependencies
• Context Actions (⌥ ⏎ or Alt+Enter)

Slide 45

IntelliJ IDEA
• Vulnerable Dependencies tab in Problems window
https://www.jetbrains.com/help/idea/package-analysis.html

Slide 46

IntelliJ IDEA
• Vulnerable API Usage
https://www.jetbrains.com/help/idea/package-analysis.html#find-vulnerable-api

Slide 50

IntelliJ IDEA
• Vulnerable API Usage
• Context Actions (⌥ ⏎ or Alt+Enter)
https://www.jetbrains.com/help/idea/package-analysis.html#find-vulnerable-api

Slide 51

Pros & Cons
+ Check dependencies while working on the project
- Check out each individual project
- Apply & verify updates

Slide 52

Software Composition Analysis (SCA)
• Scan all repos (and containers)
• Overview

Slide 53

JetBrains Qodana https://www.jetbrains.com/qodana/

Slide 54

SCA: Pros & Cons
+ No need to check out repos individually
- I have to check the dashboard
- Apply & verify updates

Slide 55

Bots
• Dependabot
• Renovate
• Snyk Open Source

Slide 56

Dependabot
• GitHub native
• Features:
  • Alerts
  • Auto-triage rules (preset & custom)
  • Security updates
  • Version updates
https://docs.github.com/en/code-security/dependabot

Slide 57

Dependabot version updates
• Add dependabot.yml
• Specify:
  • Package manager & location of manifest file
  • Schedule interval (daily, weekly, or monthly)
• Optional:
  • Max. number of PRs (default 5)
  • Rebase strategy
  • etc.
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
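As an added example (not from the slides), a `.github/dependabot.yml` for a repository with both a Maven and a Gradle build, covering the settings the slide lists: package ecosystem and manifest location, schedule interval, PR limit and rebase strategy. The directories and the weekly interval are assumptions for illustration.

```yaml
# .github/dependabot.yml (added example, not part of the talk)
version: 2
updates:
  # Maven build: pom.xml at the repository root (assumed location)
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"          # daily, weekly, or monthly
    open-pull-requests-limit: 5   # max. number of open PRs; 5 is the default
    rebase-strategy: "auto"       # "auto" (default) or "disabled"

  # Gradle build in a subproject (assumed location of build.gradle)
  - package-ecosystem: "gradle"
    directory: "/service"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    rebase-strategy: "disabled"   # leave rebasing to the reviewer
```

Security updates (PRs for vulnerable dependencies) are raised regardless of this file once Dependabot alerts are enabled for the repository; this file only controls version updates.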

Slide 58

Renovate
• Available via GitHub App
• Features:
  • Security updates
  • Version updates
  • Replace deprecated dependencies with community suggested dependencies
  • Project dashboard
https://docs.renovatebot.com/

Slide 59

Renovate configuration
• All repos or selected repos
• Config file is created for you
• Scheduling
• Max. number of PRs / concurrent branches
• Rule based auto merge
• More options & more fine-grained
https://docs.renovatebot.com/configuration-options/

Slide 60

Renovate: Supported platforms
• GitHub (.com and Enterprise Server)
• GitLab (.com and CE/EE)
• Bitbucket Cloud
• Bitbucket Server
• Azure DevOps
• AWS CodeCommit
• Gitea and Forgejo
• Gerrit (experimental)
https://docs.renovatebot.com/#supported-platforms

Slide 61

Snyk Open Source
• Available via Snyk
• Features:
  • Security updates
  • Version updates
  • Dashboards
  • Test for new vulnerabilities (on PRs)
  • Test for vulnerabilities in source code
https://snyk.io/

Slide 62

Snyk Open Source Configuration
• Frequency (daily, weekly, never)
• Enable/disable: New and/or known vulnerabilities
• Enable/disable PRs for single project
https://docs.snyk.io/products/snyk-open-source/open-source-basics

Slide 63

Snyk Open Source: Supported Platforms
• GitHub Cloud App
• GitHub Enterprise
• GitHub
• GitHub Read-only projects
• GitLab
• Bitbucket Cloud
• Bitbucket Cloud (Legacy)
• Bitbucket Cloud App
• Bitbucket Data Center/Server
• Azure Repositories (TFS)
https://docs.snyk.io/integrations/git-repository-scm-integrations

Slide 64

Bots
• Dependabot
• Renovate
• Snyk Open Source

Slide 65

Bots: Pros & Cons
+ Relatively easy to install
+ Automatic PRs
- Can create "noise"
- Manage PRs (merge & deploy)
- Do NOT update your code (if needed)

Slide 66

Migration tools

Slide 67

IntelliJ IDEA
• Refactor > Migrate Packages and Classes
https://www.jetbrains.com/help/idea/migrate.html

Slide 68

IntelliJ IDEA
• Refactor > Migrate Packages and Classes >
  • Java EE to Jakarta EE
  • JUnit (4.x -> 5.0)
  • JavaFX (8 -> 9)
https://www.jetbrains.com/help/idea/migrate.html

Slide 69

IntelliJ IDEA
• Create New Migration

Slide 71

Error Prone
• Static analysis tool for Java to catch common programming mistakes at compile-time.
• Maven, Gradle, Bazel, Ant
• IntelliJ IDEA / Eclipse plugin, Command line
• Bug patterns
• Report or fix
• Custom checks
• Includes Refaster: refactor code using before-and-after templates
https://errorprone.info/

Slide 72

Error Prone https://errorprone.info/bugpatterns

Slide 73

OpenRewrite
• Source code refactoring for framework/API migrations, vulnerability patches, and static code analysis fixes
• Java, Kotlin & Groovy support
• Run using Maven/Gradle plugin
  • or from a yaml file
https://docs.openrewrite.org/

Slide 74

OpenRewrite
• Existing recipes
  • Upgrade versions
  • Migrate libraries
  • Fix static analysis issues
https://docs.openrewrite.org/running-recipes/popular-recipe-guides

Slide 75

OpenRewrite
• Existing recipes
  • Find by topic
https://docs.openrewrite.org/reference/recipes

Slide 76

OpenRewrite
• Existing recipes
• Can author your own recipes
https://docs.openrewrite.org/

Slide 77

OpenRewrite support in IntelliJ IDEA https://www.jetbrains.com/help/idea/openrewrite.html

Slide 78

OpenRewrite support in IntelliJ IDEA
• From Project tool window
• New (⌘N or Alt+Insert)
https://www.jetbrains.com/help/idea/openrewrite.html

Slide 79

OpenRewrite support in IntelliJ IDEA
• For example:
https://www.jetbrains.com/help/idea/openrewrite.html

Slide 80

OpenRewrite support in IntelliJ IDEA https://www.jetbrains.com/help/idea/openrewrite.html

Slide 81

OpenRewrite support in IntelliJ IDEA

Slide 84

Conclusion
• (Re)evaluate dependencies carefully
• Use the tools you have!
• Automate checks & updates as much as possible
• Stay safe!

Slide 85

Slides & More https://maritvandijk.com/presentations/keep-your-dependencies-in-check/