openrewrite / rewrite-docs

Stores the markdown documents used to generate docs.openrewrite.org
https://docs.openrewrite.org
Apache License 2.0

Write a popular recipe guide for resolving vulnerable dependencies #288

Open timtebeek opened 3 months ago

timtebeek commented 3 months ago

What problem are you trying to solve?

Folks might not be aware that we are able to confidently solve vulnerabilities using OpenRewrite recipes, and also bump transitive dependencies.

Describe the solution you'd like

Guide folks towards the Find and fix vulnerable dependencies recipe, and educate them on

  1. how to set overrideTransitive: true to get Maven dependencyManagement or Gradle constraints added
     a. and explain how 80% of vulnerabilities are in transitive dependencies, otherwise missed by other tools
  2. explain how the recipe will only confidently bump patch versions, to the vulnerability's recommended version
  3. explain the data table produced when passing in -Drewrite.exportDatatables=true, and the minor/major/no-fix insights that gives
  4. guide them towards next steps such as
     a. directly using UpgradeDependencyVersion and UpgradeTransitiveDependencyVersion for minor version bumps,
     b. or the framework migration recipes for Spring, Micronaut and Quarkus for major version bumps.

Additional context

Came up in our OSS Slack.
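As an added illustration of the configuration such a guide would cover (this is not from the issue or the project's docs): a rewrite.yml that activates the vulnerability check with overrideTransitive enabled so that transitive dependencies get managed too. The fully qualified recipe id org.openrewrite.java.dependencies.DependencyVulnerabilityCheck is assumed from the OpenRewrite documentation rather than quoted in this thread, and the recipe name com.example.FixVulnerableDependencies is constructed.

```yaml
# rewrite.yml at the project root (added example; recipe name below is constructed)
type: specs.openrewrite.org/v1beta/recipe
name: com.example.FixVulnerableDependencies
displayName: Find and fix vulnerable dependencies, including transitives
description: >
  Bumps direct dependencies to the advisory's recommended patch version and,
  because overrideTransitive is true, adds Maven dependencyManagement entries
  or Gradle constraints for vulnerable transitive dependencies that would
  otherwise be left alone.
recipeList:
  # Recipe id assumed from the OpenRewrite docs, not stated in this issue
  - org.openrewrite.java.dependencies.DependencyVulnerabilityCheck:
      overrideTransitive: true
```

Running it with `mvn -Drewrite.activeRecipes=com.example.FixVulnerableDependencies -Drewrite.exportDatatables=true rewrite:dryRun` produces the data table mentioned in item 3, which is where the minor/major/no-fix findings that the recipe does not apply automatically show up.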

timtebeek commented 3 months ago

cc @mike-solomon (but enjoy your holiday first!)

mike-solomon commented 1 month ago

This has proven to be slightly problematic to document due to the fact that I can't get Gradle projects to generate data tables. Not entirely sure what I'm doing wrong as it seems like others may not have that issue 🤷

I'll come back to this in the future and see if I can figure it out. Jumping over to other doc issues for now, though.