Security: Fixing Vulnerabilities: Keeping Open Source Dependencies Up To Date
This newsletter edition explores updating open source library dependencies. The primary goal is to speed up fixing dependencies with known vulnerabilities; the secondary goal is to keep dependencies up to date in general. Both improve productivity, reduce toil and improve security.
Open source has gained a lot of traction in recent years and many systems rely heavily on it. At the same time, security practice around it has a lot of room for improvement: according to the OSSRA report, 81% of the analyzed codebases contained at least one vulnerability. Unless teams have good practices for updating open source dependencies, vulnerabilities pile up, a component breaks or becomes exposed to a high-risk exploit, and then the scramble to update is on (as happened with Log4Shell).
Fortunately, there are tools available to help teams keep dependencies up to date.
Dependabot
GitHub markets all of its dependency management under the broad term "Dependabot", including:
Dependency Graph: Which dependencies and licenses does my project have?
Dependabot Alerts: Which of my dependencies have known vulnerabilities?
Dependabot Updates: Creates pull requests that update dependencies, either to the newest version (version updates) or to a version that fixes a known vulnerability (security updates).
For this post, we will focus on the last topic, "Dependabot Updates". For open source projects, Dependabot is free.
Renovate
Renovate refers to a single open-source project that provides dependency updates. It is not intended to provide functionality beyond that, such as a dependency graph or vulnerability alerts. Whitesource Renovate is licensed under the GNU AGPL.
Functionality-wise, Dependabot Updates and Renovate are very similar and cover many technologies, including Docker, npm, Maven, Gradle, pip and more. Renovate offers more customization, which some teams may find helpful.
The recommendation is to pick the one that fits your project or company best. For example, if you develop an open source project, both Dependabot and Renovate are available for free. For internal GitHub instances, you can use GitHub Enterprise Security or Renovate.
Related Practices
Adopting either tool works best alongside good engineering practices:
Review PRs on Time: Adopting one of the tools should include reviewing and merging its PRs promptly. This reduces the load on the CD infrastructure and improves security by closing vulnerabilities quickly.
Confidence in Test Automation Suite: Updating dependencies carries a risk of regressions, so run your automated tests on every update PR and make sure you can trust the results of your test suite.
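To make the "Dependabot Updates" section and the two practices above concrete, here is an added example of a .github/dependabot.yml (not taken from the post): it enables version updates for npm, Docker and GitHub Actions, groups minor and patch bumps into one weekly PR so reviewers can keep up, and caps the number of open PRs. The schedule values and the package name "express" are assumptions for illustration.

```yaml
# .github/dependabot.yml (added example, not from the post)
version: 2
updates:
  # npm dependencies in the repository root
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Berlin"
    # Cap open version-update PRs so reviewers are not flooded.
    # Security updates are limited separately and are not blocked by this cap.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    # Bundle minor and patch bumps into a single PR to reduce review toil;
    # major bumps still arrive as individual PRs.
    groups:
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    # Keep major bumps of the web framework out of automatic PRs because
    # they need a planned migration ("express" is a hypothetical choice).
    # Caveat: ignore rules also apply to security updates, so a fix that
    # only exists in a new major version would be suppressed as well.
    ignore:
      - dependency-name: "express"
        update-types: ["version-update:semver-major"]
    commit-message:
      prefix: "deps"
  # Base images referenced in the Dockerfile
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
  # Actions pinned in the CI workflows under .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

Commit the file to the default branch; Dependabot reads it from there and starts opening PRs on the next scheduled run.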
Call for Action
The impact of security vulnerabilities keeps growing. It is therefore important to adopt such tools and to help others adopt them.
Wish you a great start into the week!
Why: More on my motivation to start the newsletter can be found in Collaboration on Improving: Why I'm starting the Engineering Ecosystem.
About me: I am Klaus Haeuptle, an engineer and architect at SAP, the author of the books Clean ABAP and Clean SAPUI5, a coach for agile software engineering and a community servant leader for a large SAP-internal grassroots community on improving tools, technologies, practices and culture, with more than 3000 participants from all locations and departments. Views are my own; the content published on this channel reflects my opinion and engineering principles.
Subscription: If you want to get updates, you can subscribe to the free newsletter:
Mark as not spam: When you subscribe to the newsletter, please do not forget to check your spam / junk folder. Make sure to "mark as not spam" in your email client and move it to your inbox. Add the publication's Substack email address to your contact list. All posts will be sent from this address: ecosystem4engineering@substack.com.