Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep your dependencies in check

Marit van Dijk
June 27, 2024
0
15

Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

June 27, 2024
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Reading Code (JUG Noord)
mlvandijk
0
15
Reading Code (JavaZone)
mlvandijk
0
8
Code Reading Workshop (SoCraTes)
mlvandijk
0
88
Code Reading workshop - Software Cornwall
mlvandijk
0
22
Reading Code (Picnic)
mlvandijk
1
30
Reading Code (KCDC)
mlvandijk
0
18
Keep your dependencies in check (Devoxx PL)
mlvandijk
0
43
Reading Code (JSpring)
mlvandijk
0
140
Code Reading workshop (DDD Europe)
mlvandijk
0
34

Featured

See All Featured
Designing with Data
zakiwarfel
98
5k
Producing Creativity
orderedlist
PRO
340
39k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
28
1.6k
Adopting Sorbet at Scale
ufuk
73
8.9k
What's in a price? How to price your products and services
michaelherold
242
11k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
278
13k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
36
1.7k
Why Our Code Smells
bkeepers
PRO
334
56k
How To Stay Up To Date on Web Technology
chriscoyier
786
250k
The Illustrated Children's Guide to Kubernetes
chrisshort
47
48k
Testing 201, or: Great Expectations
jmmastey
36
7k

Transcript

  1. Keep your dependencies in check KCDC - June 26, 2024

    https://maritvandijk.com/
  2. None
  3. None
  4. None
  5. None

  6. Dec. 2021

  7. None
  8. None
  9. None

  10. March 2022

  11. None
  12. None
  13. None
  14. None

  15. Do we need this dependency? https://maritvandijk.com/selecting-dependencies/

  16. Selecting dependencies

  17. Selecting dependencies

  18. https://xkcd.com/2347/

  19. Selecting dependencies

  20. Selecting dependencies

  21. Selecting dependencies

  22. Selecting dependencies Selecting dependencies

  23. Selecting dependencies

  24. https://www.sonatype.com/resources/log4j-vulnerability-resource-center

  25. Find information

  26. Dependency information https://search.maven.org/

  27. Dependency information https://search.maven.org/artifact/com.fasterxml.jackson.core/jackson-databind/2.17.1/jar

  28. Dependency information https://search.maven.org/artifact/com.fasterxml.jackson.core/jackson-databind/2.17.1/jar

  29. Dependency information

  30. Dependency information

  31. Dependency information https://package-search.jetbrains.com/

  32. Dependency information https://package-search.jetbrains.com/

  33. Dependency information https://package-search.jetbrains.com/

  34. Dependency information https://github.com/

  35. Dependency information https://github.com/

  36. Dependency information https://github.com/

  37. https://maritvandijk.com/presentations/collaborating-on-open-source-software/

  38. No dependencies Maintain dependencies

  39. Maven • Overview of dependencies: `mvn dependency:tree`

  40. Maven • Check for updates: `mvn versions:display-dependency-updates`

  41. Maven • Check for updates: `mvn versions:display-dependency-updates`

  42. Maven • Analyze dependencies: `mvn dependency:analyze`

  43. Gradle • Overview of dependencies: `./gradlew dependencies`

  44. Gradle • Check for updates: • Add plugin, e.g. gradle-versions-plugin

    • Run `./gradlew dependencyUpdates` https://github.com/ben-manes/gradle-versions-plugin

  45. Gradle • Analyze dependencies • Add plugin (e.g. nebula) https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

  46. Gradle • Analyze dependencies • Add plugin (e.g. nebula) •

    Run `./gradlew fixGradleLint` https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

  47. IntelliJ IDEA: View Dependencies

  48. IntelliJ IDEA: View Dependencies

  49. IntelliJ IDEA: View Dependencies

  50. IntelliJ IDEA: View Dependencies https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

  51. IntelliJ IDEA: View Dependencies https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

  52. IntelliJ IDEA: Dependency Analyzer https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

  53. IntelliJ IDEA: Dependency Analyzer https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

  54. IntelliJ IDEA: Maven Helper Plugin https://plugins.jetbrains.com/plugin/7179-maven-helper

  55. IntelliJ IDEA: Dependency Analyzer https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  56. IntelliJ IDEA: Dependency Analyzer https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  57. IntelliJ IDEA: Dependency Analyzer https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  58. IntelliJ IDEA: Dependency Analyzer https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  59. IntelliJ IDEA: Dependency analysis • Look at where dependencies are

    used in your code https://www.jetbrains.com/help/idea/dependencies-analysis.html

  60. IntelliJ IDEA: Dependency analysis • Look at where dependencies are

    used in your code https://www.jetbrains.com/help/idea/dependencies-analysis.html

  61. IntelliJ IDEA • Add dependency

  62. IntelliJ IDEA • Add dependency

  63. IntelliJ IDEA • Add dependency

  64. IntelliJ IDEA: Package Search https://www.jetbrains.com/help/idea/package-search.html

  65. IntelliJ IDEA • Package Search tool window https://www.jetbrains.com/help/idea/package-search.html

  66. IntelliJ IDEA: Update dependencies • Hover https://www.jetbrains.com/help/idea/package-analysis.html

  67. IntelliJ IDEA: Update dependencies • Context Actions (⌥ ⏎ or

    Alt+Enter)

  68. IntelliJ IDEA https://www.jetbrains.com/help/idea/package-analysis.html • Vulnerable Dependencies tab in Problems window

  69. IntelliJ IDEA • Vulnerable API Usage https://www.jetbrains.com/help/idea/package-analysis.html#find-vulnerable-api

  70. IntelliJ IDEA • Vulnerable API Usage https://www.jetbrains.com/help/idea/package-analysis.html#find-vulnerable-api

  71. IntelliJ IDEA • Vulnerable API Usage https://www.jetbrains.com/help/idea/package-analysis.html#find-vulnerable-api

  72. IntelliJ IDEA • Vulnerable API Usage https://www.jetbrains.com/help/idea/package-analysis.html#find-vulnerable-api

  73. IntelliJ IDEA • Vulnerable API Usage • Context Actions (⌥

    ⏎ or Alt+Enter) https://www.jetbrains.com/help/idea/package-analysis.html#find-vulnerable-api

  74. Pros & Cons + Check dependencies while working on the

    project - Check out each individual project - Apply & verify updates

  75. Software Composition Analysis (SCA) • Scan all repos (and containers)

    • Overview

  76. JetBrains Qodana https://www.jetbrains.com/qodana/

  77. JetBrains Qodana https://www.jetbrains.com/qodana/

  78. JetBrains Qodana https://www.jetbrains.com/qodana/

  79. JetBrains Qodana https://www.jetbrains.com/qodana/

  80. JetBrains Qodana https://www.jetbrains.com/qodana/

  81. JetBrains Qodana https://www.jetbrains.com/qodana/

  82. JetBrains Qodana https://www.jetbrains.com/qodana/

  83. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard - Apply & verify updates

  84. Bots • Dependabot • Renovate • Snyk Open Source

  85. Dependabot • GitHub native • Features: • Alerts • Auto-triage

    rules (preset & custom) • Security updates • Version updates https://docs.github.com/en/code-security/dependabot

  86. Dependabot enable

  87. Dependabot alerts

  88. Dependabot alerts

  89. Dependabot alerts

  90. Dependabot alerts

  91. Dependabot security updates

  92. Dependabot version updates • Add dependabot.yml • Specify: • Package

    manager & location of manifest file • Schedule interval (daily, weekly, or monthly) • Optional: • Max. number of PR's (default 5) • Rebase strategy • Etc https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates

  93. Dependabot: Supported platforms • GitHub native • Can run on

    GitLab too

  94. Renovate • Available via GitHub App • Features: • Security

    updates • Version updates • Replace deprecated dependencies with community suggested dependencies • Project dashboard https://docs.renovatebot.com/

  95. Renovate enable https://github.com/apps/renovate

  96. Renovate enable

  97. Renovate enable

  98. Renovate enable

  99. Renovate enable • Register with Mend (the company behind Renovate)

  100. Renovate onboarding PR

  101. Renovate configuration • All repos or selected repos • Config

    file is created for you • Scheduling • Max. number of PR's / concurrent branches • Rule based auto merge • More options & more fine-grained https://docs.renovatebot.com/configuration-options/

  102. Renovate PR https://docs.renovatebot.com/merge-confidence/

  103. Renovate Dashboard: Project

  104. Renovate Dashboard: Jobs

  105. Renovate: Supported platforms • GitHub (.com and Enterprise Server) •

    GitLab (.com and CE/EE) • Bitbucket Cloud • Bitbucket Server • Azure DevOps • AWS CodeCommit • Gitea and Forgejo • Gerrit (experimental) https://docs.renovatebot.com/#supported-platforms

  106. Snyk Open Source • Available via Snyk • Features: •

    Security updates • Version updates • Dashboards • Test for new vulnerabilities (on PRs) • Test for vulnerabilities in source code https://snyk.io/

  107. Snyk enable https://snyk.io/ • Go to their website • Scroll

    all the way down... • Start free

  108. Snyk enable https://snyk.io/

  109. Snyk enable https://snyk.io/

  110. Snyk enable https://snyk.io/

  111. Snyk enable https://snyk.io/

  112. Snyk enable https://snyk.io/

  113. Snyk enable https://snyk.io/

  114. Snyk PR

  115. Snyk PR

  116. Snyk PR Check

  117. Snyk dashboard

  118. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PR's for single project https://docs.snyk.io/products/snyk-open-source/open-source-basics

  119. Snyk Open Source: Supported Platforms • GitHub Cloud App •

    GitHub Enterprise • GitHub • GitHub Read-only projects • GitLab • Bitbucket Cloud • Bitbucket Cloud (Legacy) • Bitbucket Cloud App • Bitbucket Data Center/Server • Azure Repositories (TFS) https://docs.snyk.io/integrations/git-repository-scm-integrations

  120. Bots • Dependabot • Renovate • Snyk Open Source

  121. Bots: Pros & Cons + Relatively easy to install +

    Automatic PR's - Can create "noise" - Manage PRs (merge & deploy) - Do NOT update your code (if needed)

  122. Migration tools

  123. IntelliJ IDEA • Refactor > Migrate Packages and Classes https://www.jetbrains.com/help/idea/migrate.html

  124. IntelliJ IDEA • Refactor > Migrate Packages and Classes >

    • Java EE to Jakarta EE • JUnit (4.x -> 5.0) • JavaFX (8 -> 9) https://www.jetbrains.com/help/idea/migrate.html

  125. IntelliJ IDEA • Create New Migration

  126. IntelliJ IDEA • Create New Migration

  127. Error Prone • Static analysis tool for Java to catch

    common programming mistakes at compile-time. • Maven, Gradle, Bazel, Ant • IntelliJ IDEA / Eclipse plugin, Command line • Bug patterns • Report or fix • Custom checks • Includes Refaster: refactor code using before-and-after templates https://errorprone.info/

  128. Error Prone https://errorprone.info/bugpatterns

  129. OpenRewrite • Source code refactoring for framework/API migrations, vulnerability patches,

    and static code analysis fixes • Java, Kotlin & Groovy support • Run using Maven/Gradle plugin • or from a yaml file https://docs.openrewrite.org/

  130. OpenRewrite • Existing recipes • Upgrade versions • Migrate libraries

    • Fix static analysis issues https://docs.openrewrite.org/running-recipes/popular-recipe-guides

  131. OpenRewrite • Existing recipes • Find by topic https://docs.openrewrite.org/reference/recipes

  132. OpenRewrite • Existing recipes • Can author your own recipes

    https://docs.openrewrite.org/

  133. OpenRewrite support in IntelliJ IDEA https://www.jetbrains.com/help/idea/openrewrite.html

  134. OpenRewrite support in IntelliJ IDEA • From Project tool window

    • New (⌘N or Alt+Insert) https://www.jetbrains.com/help/idea/openrewrite.html

  135. OpenRewrite support in IntelliJ IDEA • For example: https://www.jetbrains.com/help/idea/openrewrite.html

  136. OpenRewrite support in IntelliJ IDEA https://www.jetbrains.com/help/idea/openrewrite.html

  137. OpenRewrite support in IntelliJ IDEA

  138. OpenRewrite support in IntelliJ IDEA

  139. OpenRewrite support in IntelliJ IDEA

  140. Conclusion •(Re)evaluate dependencies carefully •Use the tools you have! •Automate

    checks & updates as much as possible •Stay safe!

  141. Slides & More https://maritvandijk.com/presentations/keep-your-dependencies-in-check/