According to Synopsys’ report, more than 99% of the commercial codebases analyzed, across 17 industries, contained open source components and libraries. Over the last few years open-source software has become ubiquitous.
Unfortunately, while open source components save cost and effort during development, each one also brings its own attack surface: a vulnerability in a library is a vulnerability in every application that ships it. It is also harder for a developer to keep track of which of many components, and their transitive dependencies, has a security update or patch available.
Attacks aimed at the application layer tend to be the hardest to detect and attract the most attention from attackers. It is therefore more prudent to take proactive measures, keeping dependencies current before an attack, than to react after one.
Various manual and automated tools can help developers with Software Composition Analysis (SCA). SCA tools scan and audit a codebase and report which open-source components it contains. A competent SCA tool not only audits your codebase for open source usage but also tells you which known vulnerabilities your application inherits from specific components and versions.
From the first open-source manual scanner in 2002 to automatic remediation of vulnerable dependencies in 2020, SCA tooling has progressed considerably. One of these newer tools is Renovate by WhiteSource, which concentrates on the remediation half of the problem: keeping dependencies current.
WhiteSource Renovate integrates easily into a DevOps CI/CD pipeline and automatically detects and updates outdated dependencies. It can be deployed in several ways: as the hosted GitHub App on your GitHub repositories, or self-hosted, run against your own repositories with the Renovate command-line tool.
The best part of Renovate is that it checks for updates continuously and opens pull (or merge) requests for them, so keeping a codebase up to date becomes a matter of reviewing and merging rather than hunting for new releases.
Deploying Renovate as a GitHub Application
To deploy WhiteSource Renovate as a GitHub App, install it from its GitHub Marketplace page.
Once installed, the app asks for permissions on the repositories you select. It needs read access to find your package and lock files, and write access to push update branches and open the pull requests that carry the suggested fixes. Grant it only on the repositories you want it to manage.
After you authorize Renovate, you are taken to its dashboard, where you can see logs for each of your repositories.
After the initial setup, Renovate opens an onboarding pull request in each repository; it does not start updating dependencies until that pull request is merged.
The onboarding pull request adds a renovate.json file that holds the configuration for that repository. Its description lists the package files Renovate detected and the settings it intends to apply, so review it before merging.
Renovate chooses sensible defaults for the configuration, which you can modify to get the behaviour you want. Each pull request it opens is highly descriptive and explains what will happen when it is merged.
Renovate scans every file and directory for package files such as go.mod for Go, package.json for npm or Yarn, Dockerfile and docker-compose files for Docker images, requirements.txt for Python, and many more.
Renovate also understands monorepos: packages that are published from a single upstream repository, and therefore release together, are updated in one pull request, which cuts down on noise. You can define further groups of your own with the groupName option.
To reduce the noise even further, you can set a custom schedule so that update pull requests only appear, for example, outside working hours or once a week.
Taking the automation a step further, Renovate can also automerge pull requests according to rules you define, for instance only patch and minor updates, and only after the repository's status checks pass. Be deliberate here: automerging major updates, or merging without tests, means a bad or malicious upstream release can land in your main branch with no human review.
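The following is an added example, not code from the article and not the file Renovate generates (the onboarding renovate.json typically contains little more than "extends": ["config:base"]; newer Renovate releases call that preset config:recommended). It writes a renovate.json that applies the noise-control and automerge ideas above, and adds a small guardrail that rejects the one automerge setting that takes CI out of the loop. The option names are real Renovate options; the weekend schedule, the label names and the Docker grouping are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the article's or Renovate's own code: write a repository
# renovate.json that narrows the defaults, plus a guardrail that refuses the one
# automerge setting that removes CI from the loop. All option names are real
# Renovate options; schedule, labels and grouping are illustrative assumptions.
set -eu

# Write the configuration to the path given in $1.
write_renovate_json() {
  cat > "$1" <<'EOF'
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "timezone": "Etc/UTC",
  "schedule": ["every weekend"],
  "prConcurrentLimit": 5,
  "labels": ["dependencies"],
  "lockFileMaintenance": { "enabled": true },
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "schedule": ["at any time"]
  },
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true,
      "automergeType": "pr"
    },
    {
      "matchUpdateTypes": ["major"],
      "automerge": false
    },
    {
      "matchManagers": ["dockerfile", "docker-compose"],
      "groupName": "docker images"
    }
  ]
}
EOF
}

# Guardrail for review: Renovate only automerges once the branch's status checks
# pass unless "ignoreTests" is true, so refuse any config that sets it.
# Returns 1 (with a reason on stderr) when the file is rejected, 0 when it passes.
check_renovate_json() {
  if grep -Eq '"ignoreTests"[[:space:]]*:[[:space:]]*true' "$1"; then
    echo "$1: automerge without passing tests is not allowed" >&2
    return 1
  fi
  return 0
}

# Usage: ./renovate-config.sh path/to/renovate.json
if [ "$#" -gt 0 ]; then
  write_renovate_json "$1" && check_renovate_json "$1"
fi
```

The first packageRules entry is the one worth thinking about: it automerges only minor and patch updates, only for dependencies already past 0.x (where semver promises nothing), and only as a pull request that must pass the repository's checks. Security-driven updates (vulnerabilityAlerts) are exempt from the weekend schedule so they are not held back for days.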
Self-Hosting
If you do not want to use the marketplace application, you can run Renovate in your own environment. Self-hosted Renovate also supports GitLab, Bitbucket, Azure DevOps and Gitea in addition to GitHub.
You can install it either via npm, as a single global package, or as a Docker image. Renovate also needs npm, Yarn and pnpm available so that it can regenerate lock files when it updates a dependency; the Docker image bundles them.
The Docker image is available on Docker Hub as renovate/renovate. docker run pulls the latest image if it is not already present locally and then starts it.
You can also pass a -v flag to mount a directory containing your config.js into the container so that the self-hosted instance picks up your configuration.
There are three ways self-hosted Renovate can be configured:
- With a config.js or config.json file
- With CLI parameters
- With environment variables
When you use a config file, the two essentials are the platform endpoint and the repository list.
The endpoint option is the API URL of your self-hosted instance (for GitHub Enterprise, the API URL of your own server rather than api.github.com).
The repositories option lists the repositories Renovate should monitor. Keep the access token out of the file and supply it through the environment (RENOVATE_TOKEN) instead, so that the config can be committed and shared without leaking credentials.
One of the most common ways to run self-hosted Renovate on a schedule is a cron job that calls a small shell script: the cron entry defines when the job runs, and the script sets up the environment and starts Renovate.
If you are using GitHub Enterprise, GitLab, Azure DevOps or Bitbucket, you also need to provide a github.com token (the GITHUB_COM_TOKEN environment variable) so that Renovate can fetch release notes for packages hosted on GitHub; without it those lookups hit github.com's unauthenticated rate limit.
Renovate stores the files it creates in a renovate/ subdirectory of the operating system's temporary directory. You can override this with the --base-dir= CLI flag, the RENOVATE_BASE_DIR environment variable, or the baseDir option in config.js.
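The self-hosting procedure above, carried through as one added example (not code from the article or from the Renovate project): a script that generates config.js for a GitHub Enterprise instance, runs the official renovate/renovate image with the config mounted read-only, and is called hourly from cron with a lock so that runs never overlap. Assumptions: the Enterprise server is github.example.com, the bot token is in RENOVATE_TOKEN and a github.com token in GITHUB_COM_TOKEN, both exported from a root-only /etc/renovate/env file of KEY=value lines and never written into config.js, and the script is installed at /opt/renovate/renovate-cron.sh. The config option names, the environment variable names and the /usr/src/app/config.js mount path are real.

```shell
#!/usr/bin/env bash
# Added example, not the article's or the Renovate project's own code: run
# self-hosted Renovate from the official renovate/renovate image under cron.
# Assumptions: a GitHub Enterprise server at github.example.com, the bot's token
# in RENOVATE_TOKEN and a github.com token in GITHUB_COM_TOKEN (both provided by
# the environment, never written into config.js), and a root-only
# /etc/renovate/env file holding those KEY=value lines.
set -eu

# Generate config.js. $1 = directory, $2 = platform API endpoint, rest = repos.
# Only real Renovate options are used; no token is written because Renovate
# reads RENOVATE_TOKEN from the environment.
write_config_js() {
  dir="$1"; endpoint="$2"; shift 2
  {
    echo "module.exports = {"
    echo "  platform: 'github',"
    echo "  endpoint: '$endpoint',"
    echo "  onboarding: true,"
    echo "  baseDir: '/tmp/renovate',"
    echo "  repositories: ["
    for repo in "$@"; do echo "    '$repo',"; done
    echo "  ],"
    echo "};"
  } > "$dir/config.js"
  chmod 0600 "$dir/config.js"   # the endpoint and repo list need not be world-readable
}

# Run one Renovate pass in a container. The config is mounted read-only at the
# path the image expects; a named volume keeps the /tmp/renovate cache between
# runs; secrets pass through as environment variables, not on the command line.
# Set RENOVATE_DRY_RUN=1 to print the command instead of executing it.
run_renovate() {
  dir="$1"
  set -- docker run --rm \
    -v "$dir/config.js:/usr/src/app/config.js:ro" \
    -v renovate-cache:/tmp/renovate \
    -e RENOVATE_TOKEN \
    -e GITHUB_COM_TOKEN \
    -e LOG_LEVEL="${LOG_LEVEL:-info}" \
    -e LOG_FORMAT=json \
    renovate/renovate
  if [ "${RENOVATE_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
    return 0
  fi
  "$@"
}

# Cron entry (assumed install path), hourly; flock skips a run if the previous
# one is still going, so two Renovate processes never share the cache:
#   0 * * * *  /opt/renovate/renovate-cron.sh --run /etc/renovate >> /var/log/renovate.log 2>&1
cron_run() {
  dir="${1:-/etc/renovate}"
  set -a; . "$dir/env"; set +a      # exports RENOVATE_TOKEN and GITHUB_COM_TOKEN
  exec 9>/var/lock/renovate.lock
  flock -n 9 || { echo "previous Renovate run still active, skipping" >&2; return 0; }
  run_renovate "$dir"
}

case "${1:-}" in
  --write) shift; write_config_js "$@" ;;
  --run)   cron_run "${2:-}" ;;
  "")      ;;   # no arguments: only define the functions (e.g. when sourced)
  *)       echo "usage: $0 --write DIR ENDPOINT REPO... | --run [DIR]" >&2; exit 2 ;;
esac
```

Two design points: the tokens are passed with bare -e names so Docker copies them from the host environment and they never appear in process listings or cron mail, and the dry-run switch lets you review the exact docker command before the first real run.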
Logging
To feed the log into another system, run Renovate with LOG_LEVEL=debug for more detail and LOG_FORMAT=json so that each log record is a single JSON line that a log shipper or a simple script can parse.
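As an added example (not from the article), here is the kind of filter a cron wrapper can run over that JSON log after each pass. With LOG_FORMAT=json Renovate emits Bunyan-style records, one per line, with a numeric level (30 info, 40 warn, 50 error) and a msg field; the sample records below are constructed for this example and are not real Renovate output, and the field layout is an assumption about the log format rather than a guarantee.

```shell
#!/usr/bin/env bash
# Added example, not the article's or Renovate's own code: surface warnings and
# errors from a LOG_FORMAT=json Renovate log without depending on jq.
# Assumption: one JSON record per line with numeric "level", optional
# "repository" and a "msg" field (Bunyan layout). Sample lines are constructed.
set -eu

# Write constructed sample records to $1 (not real Renovate output).
write_sample_log() {
  cat > "$1" <<'EOF'
{"name":"renovate","hostname":"ci-1","pid":1,"level":30,"logContext":"a1","repository":"org/app","msg":"Repository started","time":"2021-03-01T04:00:01.000Z","v":0}
{"name":"renovate","hostname":"ci-1","pid":1,"level":40,"logContext":"a1","repository":"org/app","msg":"Package lookup failures","time":"2021-03-01T04:00:05.000Z","v":0}
{"name":"renovate","hostname":"ci-1","pid":1,"level":30,"logContext":"a1","repository":"org/lib","msg":"Repository started","time":"2021-03-01T04:00:09.000Z","v":0}
{"name":"renovate","hostname":"ci-1","pid":1,"level":50,"logContext":"a1","repository":"org/lib","msg":"Repository has unknown error","time":"2021-03-01T04:00:12.000Z","v":0}
{"name":"renovate","hostname":"ci-1","pid":1,"level":50,"logContext":"a1","msg":"Fatal error","time":"2021-03-01T04:00:13.000Z","v":0}
EOF
}

# Print "repository<TAB>level<TAB>msg" for every record at warn (40) or above.
# Records without a repository field (global errors) get "-" as the repository.
renovate_log_problems() {
  grep -E '"level":[[:space:]]*(40|50|60)' "$1" | while IFS= read -r line; do
    level=$(printf '%s' "$line" | sed -E 's/.*"level":[[:space:]]*([0-9]+).*/\1/')
    repo=$(printf '%s' "$line" | sed -nE 's/.*"repository":"([^"]*)".*/\1/p')
    msg=$(printf '%s' "$line" | sed -E 's/.*"msg":"([^"]*)".*/\1/')
    printf '%s\t%s\t%s\n' "${repo:--}" "$level" "$msg"
  done
}

# Exit status 0 if any error-level (50+) record exists, 1 otherwise, so a cron
# wrapper can alert only on real failures rather than on every warning.
renovate_log_has_errors() {
  grep -Eq '"level":[[:space:]]*(50|60)' "$1"
}

# Usage: ./renovate-log-check.sh /var/log/renovate.log
if [ "$#" -gt 0 ]; then
  renovate_log_problems "$1"
  renovate_log_has_errors "$1" && echo "renovate: errors present" >&2
fi
```

Bunyan levels are numeric, so filtering on the level field is more reliable than matching message text, which changes between Renovate releases; the two functions separate "show me what went wrong" from "should this page someone".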
Conclusion
Open-source components are under constant development, and new features and fixes are released continually. Across every component used in a product, these updates arrive often enough to consume a large share of developers' time, so products like WhiteSource Renovate are essential for any enterprise developing software at scale.