Archive: October 2017

Keep vulnerable libraries out!

Posted on by  
Nanne Baars

Modern applications development is a mix of custom code and many pieces of open source. The developer is normally very knowledgeable about their custom code but less familiar with the potential risk of the libraries/components they use. A study from Black Duck which covers more than 200 applications shows that 95% of the projects use open source libraries (see open source security analysis). Important side note is we only use a fraction of all the libraries imported into a project. Last couple of months some critical issues were found in Struts 2 which enabled attackers to perform a remote-code-execution through a malicious content-type. One way to track whether you are using vulnerable components is to use the OWASP Dependency-Check. This tool uses the National Vulnerability Database to search components for well known published vulnerabilities.

Let’s take a look at the well known Spring Pet Clinic project and integrate OWASP Dependency-Check, first we add the following plugin to the Maven pom.xml:

The plugin supports all kind of configuration items, in this example our build will fail if the Common Vulnerability Scoring System (CVSS) score if above 8.

CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively.

If we run Dependency-Check the build will fail due to:

If we look at the report we will see the mysql connector has more than 400 CVEs and the build fails due to the CVSS score above 8 (in this case there is even a CVE with CVSS score 10). Based on this score this library should be replaced with a more up-to-date version. Because Dependency-Check offers many ways to integrate into your build pipeline it is easy to get it up-and-running. It is also possible to integrate with Sonar which makes it even more visible to your team.

Continue reading →

Run one or Exclude one test with Gradle

Posted on by  
Mathijs de Groot

From time to time you only want to run one test, one test method, one class or one package from the command-line. Or on the contrary: you want to exclude / ignore one specific test or group of tests during the build cycle. Excluding tests from the build cycle by the command line usually occurs when the following scenarios meet:

  • A test requires significant amount of resources (time, memory, disk space, etc.)

  • The run needs to be independent from the IDE (to reenact the Continuous Integration / Continuous Delivery pipeline) as some IDEs load test-dependencies on the compile-time class-path.

  • You have no or limited ability to change the code-base

Continue reading →

Fronteers conf '17

Posted on by  
Martijn van der Wijst

This year marks the 10th anniversary of the Fronteers conference , held at Pathé Tuschinski in Amsterdam. A single track conference covering various topics of frontend development. The JDriven delegation this year consists of Patrick Ooteman, Auke Speksnijder and Martijn van der Wijst. Topics are: VR, Animations, Developer tools, Caching, a11y, and WebAssembly. The talks didn’t just cover javascript, CSS and HTML. Also relating subjects like writing better language, tackling imposter syndrome and Japanese culture came by. There even was a separate talk focused on emojis :) We’ll try to summarize the nicest takeaways from the past couple of days.

To start off, Niels Leenheer gives a talk about the importance of when to use and also when not to use progressive enhancement. You can imagine that a video tag can be replaced by an image for devices that don’t support the native video tag. But Youtube without videos, yeah, that won’t work at all. After the audience loudly applaudes to an image of ‘goodbye Internet Explorer’, he emphasises that browser wars are a good thing. When every browser would run on Webkit (or nowadays even Chromium), the need to make browsers better would decrease. Also he said:

IE6 was a good browser
— Niels Leenheer

Daring statement! But then when you think about it, at the time it could do awesome things. IE6 became a pain in the ass for developers only later, when modern browsers came around and people were still using IE6. Key takeaway of the talk: think about users, not about browsers.

Continue reading →

Run one or Exclude one test with Maven

Posted on by  
Mathijs de Groot

From time to time you only want to run one test, one test method, one class or one package from the command-line. Or on the contrary: you want to exclude / ignore one specific test or group of tests during the build cycle. Excluding tests from the build cycle by the command line usually occurs when the following scenarios meet:

  • A test requires significant amount of resources (time, memory, disk space, etc.)

  • The run needs to be independent from the IDE (reenact the Continuous Integration / Continuous Delivery pipeline) as some IDEs load test-dependencies on the compile-time class-path.

  • You have no or limited ability to change the code-base

Continue reading →

Awesome Asciidoctor: Grouping Floating Images

Posted on by  
Hubert Klein Ikkink

With Asciidoctor markup we can position images in our document. We can even float images, so text can next to an image, inside only below or about the image. We can also define multiple images to float, so the images are displayed on the same line next to each other. Any text that follows these images is also displayed next to the images. If we want only to have floating images, but the text starting under the images we can place the images inside an open block and assign the block the role float-group.

In the next example we first define three images that all have roles to float left. In the second part we group these images using the role float-group, so the text will not be displayed next to the images, but under the images:

Continue reading →

Awesome Asciidoctor: Using Tab Separated Data In A Table

Posted on by  
Hubert Klein Ikkink

In a previous post we learned how to use data in CSV and DSV format. Recently we can also include tab separated values (TSV) in a Asciidoctor table. We must set the table attribute format to the value tsv. The data can be inside the document, but also defined in an external file which we add with the include macro.

In the following example markup we have a table with inline tab separated values. A second table includes an external file with tab delimited values:

Continue reading →

Implementing architectural fitness functions using Gradle, JUnit and code-assert

Posted on by  
Rob Brinkman

Inspired by Neal Ford’s presentation at our Change is the Only constant event I started experimenting with architectural fitness functions. An architectural fitness function provides an objective integrity assessment of some architectural characteristic(s). If you want to take a deeper dive into evolutionary architectures including fitness functions take look at Neals book: Building Evolutionary Architectures: Support Constant Change. Neal’s slides contained an example of verifying package dependencies from a Unit Test using JDepend.

In this blog post we’ll elaborate on that approach and create a Unit Test that verifies that our code complies to the chosen packaging strategies using an alternative to JDepend named code-assert. We’ll verify two types of packaging strategies; package by layer and package by feature. For a definition of these strategies please have a look at this blog from Simon Brown.

Continue reading →

6 Steps to help you debug your application

Posted on by  
Ties van de Ven

As a developer sooner or later you will encounter bugs, be it small ones or production breaking bugs. Now it is your task to find and fix the bug as soon as possible. In this article I will list the techniques I learned over the course of many years debugging web applications in the hope that it will help you be better and more efficient in bug hunting.

The process start with the actual bug report in a bug tracker. When reading the report, be careful for incomplete information or assumptions made by the reporter. It is easy to forget crucial steps in writing down the bug, so if possible, try to reproduce the bug with the reporter. Sometimes the bug report might contain possible causes to the bug. This happens more often if the reporter has a technical background. Be careful about trusting these assumptions made in the bug report since they are not always based on actual knowledge of the system, and it might create tunnel vision in finding the root cause.

Continue reading →

JavaOne verslag: De Keynote

Posted on by  
Erik Pronk

Op de eerste volledige conferentie dag van JavaOne stond natuurlijk meteen de keynote gepland. Het eerste gedeelte van de keynote werd verzorgd door de hoofdsponsor Intel en was best vermakelijk al lag de salespitch er wel dik bovenop. Intel lanceerde 2 opensource producten voor de Java community:

Continue reading →

Awesome Asciidoctor: Using Paragraphs in Lists With List Item Continuation

Posted on by  
Hubert Klein Ikkink

When we write a list in Asciidoctor we can simply create a list item by starting the line with a dot (.). To create a another list item we simply start a new line with a dot (.). But what if we want to add a list item with multiple paragraphs, or text and a source code block element. We can use the list item continuation (+) to indicate to Asciidoctor we want to keep these together for a single list item.

In the following example we have a list in Asciidoctor markup. The second list item has multiple paragraphs , the third item has an extra admonition block and the fourth item contains a source code block:

Continue reading →

Spocklight: Reuse Variables In Data Providers

Posted on by  
Hubert Klein Ikkink

Writing a parameterized specification in Spock is easy. We need to add the where: block and use data providers to specify different values. For each set of values from the data providers our specifications is run, so we can test for example very effectively multiple input arguments for a method and the expected outcome. A data provider can be anything that implements the Iterable interface. Spock also adds support for a data table. In the data table we define columns for each variable and in the rows values for each variable. Since Spock 1.1 we can reuse the value of the variables inside the data provider or data table. The value of the variable can only be reused in variables that are defined after the variable we want to reuse is defined.

In the following example we have two feature methods, one uses a data provider and one a data table. The variable sentence is defined after the variable search, so we can use the search variable value in the definition of the sentence variable.

Continue reading →

shadow-left