Mastering Dependency Management

Talk Outline

  1. Defining Dependencies: What are they?
  2. Maintenance: Why it matters?
  3. Tools: What tools exist? How to use some?
  4. Takeaways: What to remember?
  5. Q&A: Your questions answered.

Dependencies Defined

A dependency is a piece of software that another piece of software uses in order to function. It usually provides a ready-made solution to a problem, saving development time.

Where to find them

  • NuGet, PyPI, npm, Maven, gem, etc. packages
  • Project references
  • Terraform modules
  • Operating system packages in Docker base images, Operating system images

Types

  • Direct: Libraries, frameworks and other projects
  • Transitive: Dependencies of your direct dependencies

Your Project
|
|-- Direct Dependency: Microsoft.EntityFrameworkCore
     |
     |-- Transitive Dependency: Microsoft.Extensions.Logging
     |-- Transitive Dependency: System.ComponentModel.Annotations

Upgrade - Free goodies :)

  • Allows you to benefit from updates, bug fixes, and security patches
  • Neglected dependencies can lead to project failure

Upgrade - Dark side :(

Your Project
|
|--- Direct Dependency: Moq (v4.20.0 or v4.20.1)
     |
     |--- Transitive Vulnerability: Email exfiltration process

Tools: Ecosystem-Specific, Built-in

These tools are built into each package ecosystem and are designed to work specifically within those ecosystems.

Ecosystem        Identify Vulnerabilities             Upgrade Packages
Node.js (npm)    npm audit                            npm install <package_name>@latest
.NET             dotnet list package --vulnerable     dotnet add package <package_name>
Python (PyPI)    safety check or pip-audit            pip install --upgrade <package_name>

Tools: Cross-Ecosystem

These tools work across different ecosystems. They help identify outdated or insecure dependencies and suggest updates.

  • Dependabot: Checks for outdated or insecure dependencies defined in your project and opens a pull request with updates
  • Renovatebot: Similar to Dependabot but supports a wider range of platforms including Azure DevOps. It offers more configuration options for greater flexibility

Tools: Advanced Cross-Ecosystem

These provide more advanced capabilities, including a complete inventory of all software components in a system, and identifying and managing security vulnerabilities and license risks in your code.

  • Integrated Application Security Platforms: Tools like Synopsys Blackduck and Checkmarx offer advanced capabilities: identifying outdated or insecure dependencies, suggesting updates, and listing license risks on the dependencies of your dependencies.

  • Software Bill of Materials (SBOM) Tools: Tooling built on standards like CycloneDX, SPDX, and SWID provides a complete inventory of all software components in a system, helping manage dependencies at a larger scale.
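The inventory an SBOM gives you is what makes the direct/transitive distinction from the "Types" slide and the Moq "dark side" slide checkable in practice. The following is an added example, not material from the talk: it walks a hand-constructed document in CycloneDX JSON shape (the metadata.component root, a components list, and a dependencies graph linked by bom-ref), splits reachable components into direct and transitive, and flags any component whose version appears on a blocklist. The component versions are made up, and the blocklist is a placeholder built from the slide's Moq example (4.20.0 and 4.20.1), not a real advisory feed.

```python
"""Walk a CycloneDX-style SBOM: direct vs. transitive dependencies, plus a
blocklist check.  Added example; SBOM contents and blocklist are constructed."""
from collections import deque

# Constructed SBOM in CycloneDX JSON shape. bom-ref values link the component
# list to the dependency graph; versions are invented for the example.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {"bom-ref": "app", "name": "YourProject", "version": "1.0.0"}
    },
    "components": [
        {"bom-ref": "efcore", "name": "Microsoft.EntityFrameworkCore", "version": "7.0.0"},
        {"bom-ref": "logging", "name": "Microsoft.Extensions.Logging", "version": "7.0.0"},
        {"bom-ref": "annotations", "name": "System.ComponentModel.Annotations", "version": "5.0.0"},
        {"bom-ref": "moq", "name": "Moq", "version": "4.20.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["efcore", "moq"]},
        {"ref": "efcore", "dependsOn": ["logging", "annotations"]},
        {"ref": "logging", "dependsOn": []},
        {"ref": "annotations", "dependsOn": []},
        {"ref": "moq", "dependsOn": []},
    ],
}

# Placeholder blocklist taken from the slide's Moq example. A real check would
# query an advisory source (osv.dev, the ecosystem's audit command, ...).
KNOWN_BAD = {"Moq": {"4.20.0", "4.20.1"}}


def build_graph(sbom):
    """Return (root_ref, {ref: component}, {ref: [child refs]})."""
    root = sbom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in sbom["components"]:
        components[comp["bom-ref"]] = comp
    edges = {entry["ref"]: list(entry.get("dependsOn", [])) for entry in sbom["dependencies"]}
    return root["bom-ref"], components, edges


def dependency_paths(sbom):
    """Breadth-first walk from the root; returns {ref: shortest path of names}.

    A path of length 2 (root -> X) means X is a direct dependency; anything
    longer is transitive.
    """
    root_ref, components, edges = build_graph(sbom)
    paths = {root_ref: [components[root_ref]["name"]]}
    queue = deque([root_ref])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child in paths:  # already reached by a path at least as short
                continue
            paths[child] = paths[ref] + [components[child]["name"]]
            queue.append(child)
    return paths


def classify(sbom):
    """Split reachable components into (direct, transitive) sets of names."""
    paths = dependency_paths(sbom)
    direct = {p[-1] for p in paths.values() if len(p) == 2}
    transitive = {p[-1] for p in paths.values() if len(p) > 2}
    return direct, transitive


def flagged_components(sbom, known_bad):
    """List (name, version, path) for components whose version is blocklisted."""
    root_ref, components, _ = build_graph(sbom)
    paths = dependency_paths(sbom)
    hits = []
    for ref, comp in components.items():
        if ref == root_ref:
            continue
        if comp["version"] in known_bad.get(comp["name"], set()):
            path = " -> ".join(paths.get(ref, ["(unreachable)", comp["name"]]))
            hits.append((comp["name"], comp["version"], path))
    return sorted(hits)


if __name__ == "__main__":
    direct, transitive = classify(SBOM)
    print("Direct:    ", sorted(direct))
    print("Transitive:", sorted(transitive))
    for name, version, path in flagged_components(SBOM, KNOWN_BAD):
        print(f"FLAGGED {name} {version} via {path}")
```

The path string is the useful part of the report: a flagged transitive component tells you which direct dependency pulled it in, and therefore which upgrade (or which vendor) actually fixes it.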

Key Takeaways

  • Choose the tools that work best for your project.
  • Consider package ecosystem specific tools, central tools, or a combination.
  • Tools can only help to a certain extent, because you hold the ultimate power: check before you upgrade.
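"Check before you upgrade" can be partly codified. As an added example (not from the talk), the gate below classifies a proposed version change and decides whether it may be applied automatically, needs a human review, or is blocked. The policy it encodes is an assumption chosen for the example: blocklisted versions, pre-releases and downgrades are blocked, major bumps go to review, minor and patch bumps may be applied. The blocklist is a placeholder built from the slide's Moq example (4.20.0 and 4.20.1); every other version used is constructed.

```python
"""Gate a dependency upgrade proposal: block, review or apply.
Added example; the policy and the blocklist are assumptions of this example."""
import re

# Placeholder blocklist from the slide's Moq example; a real gate would pull
# this from an advisory feed (osv.dev, the ecosystem's audit command, ...).
KNOWN_BAD = {"Moq": {"4.20.0", "4.20.1"}}

# major.minor.patch with an optional -prerelease suffix (build metadata omitted).
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Return (major, minor, patch, prerelease-or-None); reject anything else."""
    match = SEMVER.match(text.strip())
    if not match:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch, pre = match.groups()
    return int(major), int(minor), int(patch), pre


def bump_type(current, candidate):
    """Classify candidate relative to current: major, minor, patch, none or downgrade."""
    cur = parse_version(current)[:3]
    new = parse_version(candidate)[:3]
    if new < cur:
        return "downgrade"
    if new == cur:
        return "none"
    for level, (old, fresh) in zip(("major", "minor", "patch"), zip(cur, new)):
        if fresh != old:
            return level
    return "none"


def review_upgrade(name, current, candidate, known_bad=KNOWN_BAD):
    """Decide how an upgrade proposal should be handled.

    Returns {'action': 'block' | 'review' | 'apply', 'reason': str}.
    """
    if candidate in known_bad.get(name, set()):
        return {"action": "block", "reason": f"{name} {candidate} is on the known-bad list"}
    if parse_version(candidate)[3] is not None:
        return {"action": "block", "reason": f"{candidate} is a pre-release"}
    kind = bump_type(current, candidate)
    if kind in ("downgrade", "none"):
        return {"action": "block", "reason": f"{candidate} is not an upgrade over {current}"}
    if kind == "major":
        return {"action": "review", "reason": f"major bump {current} -> {candidate}; read the release notes first"}
    return {"action": "apply", "reason": f"{kind} bump {current} -> {candidate}"}


if __name__ == "__main__":
    # Constructed proposals, the kind a bot would open pull requests for.
    for proposal in [("Moq", "4.18.4", "4.20.0"),
                     ("Moq", "4.18.4", "4.18.5"),
                     ("Microsoft.EntityFrameworkCore", "7.0.0", "8.0.0")]:
        decision = review_upgrade(*proposal)
        print(f"{proposal[0]:32} {decision['action']:7} {decision['reason']}")
```

The blocklist lookup runs before the semantic-version logic on purpose: a patch-level bump looks like the safest kind of change, and the Moq slide is exactly the case where that assumption fails.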

Have a plan | Beware, Everybody does it

Questions?

You know what to do now.

End of presentation

Why Renovatebot Over Dependabot?

Features                       Dependabot                                                 Renovatebot
Support for Azure DevOps       Yes (GitHub Advanced Security as of September 20, 2023)    Yes
Cost for Azure DevOps          $49 per active committer per month                         Free
Configuration Options          Limited                                                    More, allowing for greater flexibility
Vulnerable Package Detection   Yes                                                        Yes (backed by osv.dev)

Both are excellent tools for dependency management. However, in the context of Azure DevOps, Renovatebot may provide a more seamless and customizable experience.

Renovatebot in Action

  • Discuss our implementation.
  • Share challenges faced and how they were overcome.
  • Show results and improvements.