Automating Dependency Management in a Spring Boot Microservice - ganmath/learners GitHub Wiki

Example: Automating Dependency Management in a Spring Boot Microservice

Let's assume you have a Spring Boot microservice that relies on:

  • spring-boot-starter-web
  • spring-boot-starter-data-jpa
  • lombok
  • mysql-connector-java

If dependency versions are not managed properly, it can lead to:

  • Version Conflicts (e.g., spring-boot-starter-web requires Jackson 2.14.0, but another library requires Jackson 2.11.0)
  • Security Vulnerabilities (e.g., older versions of mysql-connector-java may have security issues)
  • Production Failures (e.g., incompatible dependencies between microservices)

Scenario: Outdated & Conflicting Dependencies in Production

Here’s an example pom.xml with potential issues:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <version>2.6.3</version>
    </dependency>
    
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
        <version>2.5.0</version>
    </dependency>

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.19</version>
    </dependency>

    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <version>1.18.20</version>
        <scope>provided</scope>
    </dependency>
</dependencies>

Problems:

  1. Spring Boot version mismatch (2.6.3 vs. 2.5.0) → Can cause issues due to incompatible dependencies.
  2. Outdated MySQL Connector (8.0.19) → The latest version is 8.1.0, and the old version has security vulnerabilities.
  3. Potential Jackson Version Conflict (spring-boot-starter-web uses Jackson 2.14.0, but another dependency may use Jackson 2.11.0).
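A check for Problem 1 that can run before any of the steps below, as an added example (not code from this wiki): it parses the dependency declarations of a pom.xml with Python's standard XML library and reports any groupId whose artifacts are pinned to different versions. The sample POM is constructed from the page's example above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample mirroring the page's problematic pom.xml; not a real project file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>2.6.3</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-jpa</artifactId>
      <version>2.5.0</version>
    </dependency>
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>8.0.19</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # standard Maven POM namespace

def declared_versions(pom_xml):
    """Map groupId -> {artifactId: version} for every <dependency> that pins a version."""
    root = ET.fromstring(pom_xml)
    versions = defaultdict(dict)
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        if group and artifact and version:  # unversioned deps are managed by a parent/BOM
            versions[group.strip()][artifact.strip()] = version.strip()
    return dict(versions)

def mismatched_groups(pom_xml):
    """Groups whose artifacts are pinned to different versions: the page's Problem 1.

    Returns {groupId: sorted list of distinct versions}; an empty dict means consistent.
    """
    return {group: sorted(set(arts.values()))
            for group, arts in declared_versions(pom_xml).items()
            if len(set(arts.values())) > 1}
```

A non-empty result for org.springframework.boot is exactly the 2.6.3 vs. 2.5.0 mismatch listed above, and it makes a cheap fail-fast gate in CI before running the heavier scans.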

Step 1: Detect Outdated Dependencies Automatically

Run the Maven Versions Plugin:

mvn versions:display-dependency-updates

🔹 Example Output:

[INFO] The following dependencies have newer versions:
[INFO]  org.springframework.boot:spring-boot-starter-web [2.6.3 -> 2.7.2]
[INFO]  org.springframework.boot:spring-boot-starter-data-jpa [2.5.0 -> 2.7.2]
[INFO]  mysql-connector-java [8.0.19 -> 8.1.0]

Step 2: Automate Dependency Updates

Use the Maven Versions Plugin to automatically update dependencies:

mvn versions:use-latest-releases

🔹 Updated pom.xml (Automatically Modified):

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <version>2.7.2</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
        <version>2.7.2</version>
    </dependency>

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.1.0</version>
    </dependency>
</dependencies>

✅ All dependencies are now updated to the latest compatible versions.


Step 3: Automate Dependency Security Checks

Use OWASP Dependency-Check to find security vulnerabilities:

mvn org.owasp:dependency-check-maven:check

🔹 Example Output (Detects vulnerabilities in old MySQL Connector):

[ERROR] Known vulnerability detected: CVE-2022-21365 in mysql-connector-java 8.0.19
[INFO] Upgrade to mysql-connector-java 8.1.0

✅ Upgrading the dependency removed the security vulnerability.


Step 4: Automate Dependency Conflict Resolution

If multiple versions of a library are detected (e.g., jackson-databind), run:

mvn dependency:tree

🔹 Example Conflict Output:

[INFO] +- org.springframework.boot:spring-boot-starter-web:2.7.2
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:2.14.0
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:2.7.2
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:2.11.0 (conflict!)

🔹 Solution: Force Maven to use Jackson 2.14.0 in dependencyManagement:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.14.0</version>
        </dependency>
    </dependencies>
</dependencyManagement>

✅ Resolved dependency conflict!
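A parser for the conflict detection in Step 4, as an added example that is not part of this wiki: it reads `mvn dependency:tree` output, lists every artifact that appears at more than one version, picks the highest by numeric (not string) comparison, and renders the dependencyManagement pin shown above. The tree text is constructed to match the page's sample; conflicts are inferred from repeated coordinates rather than from any annotation in the output.

```python
import re
from collections import defaultdict

# Constructed sample in the simplified layout the page shows for `mvn dependency:tree`.
# Real output also carries packaging and scope (":jar:2.11.0:compile"); both forms parse.
SAMPLE_TREE = """\
[INFO] com.example:order-service:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:2.7.2
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:2.14.0
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:2.7.2
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:compile
[INFO] \\- org.projectlombok:lombok:jar:1.18.20:provided
"""

# groupId:artifactId[:jar]:version  (a trailing :scope is ignored)
COORD = re.compile(r"([\w.\-]+):([\w.\-]+)(?::jar)?:([\w.\-]+)")

def versions_by_artifact(tree_output):
    """Map 'groupId:artifactId' -> set of every version that appears in the tree."""
    seen = defaultdict(set)
    for line in tree_output.splitlines():
        if not line.startswith("[INFO]"):
            continue  # skip download progress, warnings, etc.
        match = COORD.search(line)
        if match:
            group, artifact, version = match.groups()
            seen[f"{group}:{artifact}"].add(version)
    return dict(seen)

def version_key(version):
    """Numeric sort key so that 2.14.0 > 2.9.0 (plain string order gets this wrong)."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))

def conflicts(tree_output):
    """Artifacts pulled in at more than one version: the candidates for Step 4's pin."""
    return {k: sorted(v) for k, v in versions_by_artifact(tree_output).items() if len(v) > 1}

def pins(tree_output):
    """For each conflict, the highest version, i.e. what to force in dependencyManagement."""
    return {k: max(v, key=version_key) for k, v in conflicts(tree_output).items()}

def management_entry(coordinate, version):
    """Render one <dependency> entry for the dependencyManagement block the page uses."""
    group, artifact = coordinate.split(":")
    return (f"<dependency><groupId>{group}</groupId><artifactId>{artifact}</artifactId>"
            f"<version>{version}</version></dependency>")
```

On the sample it reports jackson-databind at 2.11.0 and 2.14.0 and pins 2.14.0, matching the dependencyManagement fix above; feeding it the real `mvn dependency:tree -Dverbose` output also surfaces the versions Maven silently omitted.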


Step 5: Automate Dependency Updates in CI/CD

GitHub Actions for Dependency Management

Create .github/workflows/dependency-check.yml:

name: Dependency Management CI

on:
  schedule:
    - cron: "0 3 * * 1" # Runs every Monday at 3 AM UTC

jobs:
  check-dependencies:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '17'

      - name: Check for Dependency Updates
        run: mvn versions:display-dependency-updates

      - name: Update Dependencies
        run: mvn versions:use-latest-releases

      - name: Run Security Scan
        run: mvn org.owasp:dependency-check-maven:check

✅ Automatically checks, updates, and secures dependencies every Monday.


Step 6: Automate Dependency Caching for Faster CI/CD Builds

To speed up dependency installation, cache dependencies in GitHub Actions:

      - name: Cache Maven Dependencies
        uses: actions/cache@v3
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

✅ Speeds up builds by using cached dependencies instead of downloading them again.


Final Outcome

✅ No More Dependency Conflicts – Automated resolution using dependencyManagement.
✅ Security Vulnerabilities Fixed – Weekly scans with OWASP Dependency-Check.
✅ CI/CD Pipeline Integrated – Runs on GitHub Actions every Monday.
✅ Optimized Build Speed – Dependency caching reduces build times.
✅ Reproducible Builds – Locking versions ensures all environments use the same versions.


Conclusion

By automating dependency management in a Spring Boot microservice, we:

  • Eliminate manual updates
  • Fix security vulnerabilities early
  • Ensure stable production deployments
  • Reduce dependency resolution time in CI/CD pipelines