How to continuously monitor and update your software dependencies?

On December, 9, 2021, Log4Shell, a zero-day vulnerability that allowed remote code executed was made public. Log4Shell affected the popular Log4j Apache library used in thousands of programs all over the world. Many systems exposed to the public were using this vulnerable library. Updating these systems and upgrading their software dependency became a primary importance. All of the sudden, developers had to upgrade a package to avoid being vulnerable to a malicious attack.

This is not the first time software dependencies disrupted operations. In 2015, a developer removed their packages from npm. One of their package was a software dependency for React, the popular frontend framework, which was no longer working then.

Monitoring and managing your software dependencies is a hard problem. In this article, we explain what is a software dependency, how to monitor them and plan to upgrade them before it's too late.

What is a software dependency?

Writing all the code to implement a program would be an enormous task. Instead, software developers organize common blocks of code into reusable libraries. If you need to read a particular file (for example, an image), you can look and reusable an existing library. Such libraries are extensively tested and more reliable than any code you could write in a few hours.

As bugs are fixed, and new features are introduced, such libraries are updated regularly. Each new revision of a library has a new version number. A new version number is automatically incremented as new changes are released. For example, let's say you publish a library to find and save a picture from the internet. Let's call the library find-image. The first version (e.g., find-image:v1) searches for a picture and saves it into a JPEG file. Users provide feedback and want the library to support a new file format. Then, a second version (e.g., find-image:v2) adds the ability to save the file into a new format.

A dependency is the association of your program with a specific library. If I publish a web-browser extension that saves images, I may use find-image:v1 and introduce a dependency on find-image:v1. Later on, when I start to support a new file format, I replace my dependency from find-image:v1 to find-image:v2.

Software developers no longer build programs from scratch. Instead, developers reuse thousands of open-source libraries to build new programs. From the browser you use to read this article to handling communications in your car, all software uses hundreds or thousands of libraries.

To summarize: a software dependency is a specific name and version of a library your program depends on.

Reasons to monitor software dependencies

Sooner or later, you will need to upgrade your dependency, which is the reason why you want to monitor then. There are two major reasons for upgrading software dependencies regularly:

1. The dependency is outdated. You use a very old version of a dependency. This version is no longer compatible with your environment or just not maintained at all.
2. The dependency has security issues. Depending on how serious the issue is, you may need to upgrade as soon as possible to prevent attacks.

Using an outdated dependency can have serious effects on your system. Take the example of Log4Shell (impacting Log4j) or Heartbleed (impacting OpenSSL): hundred of thousands of systems were exposed because of these vulnerabilities. When serious vulnerabilities were discovered in these libraries, any software depending on them had to be updated immediately. Or the software vendor had to accept the risk to let vulnerabilities open.

You do not need only to update your dependencies because a security issue was discovered. Libraries have a lots of bugs that are fixed in new versions. Keeping your dependencies up to date and using the latest versions ensure you are using safe and reliable code.

Ways to manage software dependencies

There is no easy way to manage your dependencies. Over time, IDE started to address this issue. For example, the JetBrains IDEs analyze dependencies, flag outdated dependencies and update them in a single click. However, this solution is very specific to the JetBrains ecosystem and may not work with other systems. And only shows outdated dependencies when you open the file that declares your dependencies.

To this day, many developers still manage dependency manually and only update them when a vulnerability is discovered. This is often too late: updating a dependency that was not updated for months or years requires significant work. Some functions from the old version are now deprecated or no longer working. Integrating a new dependency version may require days of work and even impact your software architecture. For that reason, it's better to be proactive and regularly update your software dependencies.

Continuous software dependency monitoring

Continuously monitoring your dependencies and making sure they are up to date is not a trivial task. Instead of only updating them when there is an emergency, software developers should regularly monitor what dependency to upgrade. Which is why the Codiga code analysis platform provides a holistic view of all your software dependencies.

When Codiga analyzes your source code, it also scans all your dependencies. And produces a comprehensive report that highlights outdated dependencies. Codiga dependency monitoring is available for following languages: JavaScript, TypeScript, Java, Kotlin, Scala, PHP and Ruby.

The dependency monitoring view lists all dependencies used in your project. For each dependency, the platform highlights how many new versions have been released and issues recommendations.

With the Codiga dependency monitoring, you can quickly monitor all your dependencies on a common platform, see which one are outdated and plan an upgrade before being forced to update. This feature should then make it easier for you to monitor and maintain your software.