How a software bill of materials changes the dependency game

Dependency updates are a tedious task when maintaining thousands of microservices. Some teams use tools like Dependabot or Scala Steward that open pull requests in repositories when new library versions are available. Other teams update dependencies in bulk on a regular schedule, supported by build-system plugins (e.g. maven-versions-plugin, gradle-versions-plugin). Playing catch-up and getting some visibility through incoming pull requests or changes is far from great, though, and we can do better here.


On the importance of dependency data and hygiene


What's needed for dependency management is the ability to get a complete picture of the dependencies in use and to analyze how that picture changes over time. This granular data allows teams to step up their game.


Critical vulnerabilities in commonly used libraries (e.g. log4j, Spring, commons-text) require the ability to find all affected applications in minutes. Only this way can the impact of a vulnerability be assessed and mitigated quickly. Some projects, like OpenSSL, pre-announce security updates, allowing more preparation time.


Similarly, upgrades to major versions of libraries and changes in the licensing of open-source libraries (for example Akka) create the need to understand the library footprint in order to assess whether action is needed and what a migration would cost. Bugs in libraries tend to eventually trigger production incidents, and it's necessary to have a way to find all affected teams, track the progress of patches across all applications, and identify the reasons why teams struggle to keep up.

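The two questions raised above, "which applications ship a vulnerable version of a library?" and "how large is our footprint of a vendor's libraries?", are exactly what a fleet of SBOMs answers. The following Python script is an added example, not code from the original post or from any tool it names: it queries a set of trimmed CycloneDX-style SBOMs (one per service) by package URL and Maven group. The service names, the component versions, the "fixed in 2.17.1" advisory threshold and the simplified version ordering are all assumptions made for illustration, not facts about any real CVE or product.

```python
"""Query a fleet of CycloneDX-style SBOMs: which services ship a vulnerable
library version, and what is the footprint of one vendor's libraries?"""
import re
from typing import Dict, List, Tuple

# Constructed sample inventory: one trimmed CycloneDX 1.4-style document per
# service, keeping only the fields this example reads. Service names, versions
# and the mix of libraries are invented for illustration.
SAMPLE_SBOMS: Dict[str, dict] = {
    "checkout-service": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"group": "com.typesafe.akka", "name": "akka-actor_2.13", "version": "2.6.19",
             "purl": "pkg:maven/com.typesafe.akka/akka-actor_2.13@2.6.19"},
        ],
    },
    "catalog-service": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
            {"group": "ch.qos.logback", "name": "logback-classic", "version": "1.2.11",
             "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11"},
        ],
    },
    "notification-service": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
            {"group": "com.typesafe.akka", "name": "akka-http_2.13", "version": "10.2.9",
             "purl": "pkg:maven/com.typesafe.akka/akka-http_2.13@10.2.9"},
        ],
    },
}


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Sortable key for Maven-style versions. Numeric parts compare as integers;
    a textual part (e.g. 'beta9') ranks below any number, so 2.0-beta9 < 2.0.
    Deliberately simplified: this is not the full Maven or semver ordering."""
    parts = [(1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", version)]
    # Pad with (1, 0) so that '2.0' equals '2.0.0' and ranks above '2.0-beta9'.
    return tuple(parts + [(1, 0)] * (6 - len(parts)))


def purl_without_version(purl: str) -> str:
    """Strip the '@version' qualifier so components can be matched by identity."""
    return purl.split("@", 1)[0]


def find_affected(sboms: Dict[str, dict], purl_prefix: str, fixed_in: str) -> Dict[str, str]:
    """Return {service: shipped version} for every service whose SBOM lists the
    component identified by purl_prefix at a version older than fixed_in."""
    affected: Dict[str, str] = {}
    for service, bom in sboms.items():
        for comp in bom.get("components", []):
            if purl_without_version(comp.get("purl", "")) != purl_prefix:
                continue
            if version_key(comp["version"]) < version_key(fixed_in):
                affected[service] = comp["version"]
    return affected


def footprint(sboms: Dict[str, dict], group: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {service: [(artifact, version), ...]} for every component in the given
    Maven group, e.g. to size a licence-change or major-upgrade migration."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for service, bom in sboms.items():
        hits = [(c["name"], c["version"]) for c in bom.get("components", []) if c.get("group") == group]
        if hits:
            result[service] = hits
    return result


if __name__ == "__main__":
    LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core"
    # Hypothetical advisory: "log4j-core earlier than 2.17.1 is affected". The
    # threshold is illustrative only and not taken from any real CVE record.
    for svc, ver in sorted(find_affected(SAMPLE_SBOMS, LOG4J_CORE, "2.17.1").items()):
        print(f"{svc}: ships log4j-core {ver}, needs the fix")
    for svc, libs in sorted(footprint(SAMPLE_SBOMS, "com.typesafe.akka").items()):
        print(f"{svc}: Akka footprint {libs}")
```

Matching on the package URL rather than on the bare artifact name avoids false hits from shaded or renamed copies, and the version comparison is the part most worth hardening in a real pipeline: the simplified key above gets pre-releases right for this sample but should be replaced by a proper Maven or semver comparator before it drives a fleet-wide triage.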

At Zala...

