Dear Lazyweb! How do you manage keeping spring boot applications up to date?
We run an arseload of Java webapps. Our devs have taken a strong liking to Spring Boot, where everything, including Tomcat, is uploaded as a single JAR. A delight for them, but somewhat of a concern for the sysadmins, who are the people who first deal with security issues.
So I've been asked to come up with recommendations to deal with this, and I haven't a clue how to do this other than laborious iterative checking, or automated versions thereof. Nor can I find recommendations.
Has anyone else got this problem or one like it? (Where applications are uploaded as a package that then runs.) What do you do?
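One concrete way to get the inventory the post is asking for, added here as an example (not code from the post, from any commenter, or from the Spring Boot project): a Spring Boot executable JAR is an ordinary zip, with the application manifest at META-INF/MANIFEST.MF (carrying a Spring-Boot-Version header) and every bundled library stored uncompressed under BOOT-INF/lib/, so a sysadmin can list exactly which library versions ship inside it without any help from the build. The script below reads each nested jar's META-INF/maven/<group>/<artifact>/pom.properties for exact Maven coordinates, falls back to parsing artifactId-version.jar from the file name, and compares the result against a minimum-version policy. The sample JAR built by build_sample_boot_jar(), the com.example.vendor coordinates and the MINIMUM_VERSIONS policy are all constructed for this example and say nothing about any real library or advisory.

```python
"""Inventory the libraries bundled inside a Spring Boot executable ("fat") JAR.

Added example, not from the original post or from Spring Boot itself.  Assumed
(standard Spring Boot) layout: META-INF/MANIFEST.MF with a Spring-Boot-Version
header, nested library jars under BOOT-INF/lib/, and Maven-built libraries
carrying META-INF/maven/<groupId>/<artifactId>/pom.properties.
"""
import io
import re
import sys
import zipfile

# Fallback parser for "artifactId-version.jar" when a nested jar has no pom.properties.
FILENAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")

# Constructed policy for this example only (team-maintained, not a real advisory list).
MINIMUM_VERSIONS = {
    "com.example.vendor:json-mapper": "2.8.11",
    "com.example.vendor:http-server": "8.5.15",
}


def parse_pom_properties(text):
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def inventory_boot_jar(jar_bytes):
    """Return (spring_boot_version, {coordinate: version}) for a fat JAR given as bytes."""
    boot_version, found = None, {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as outer:
        names = outer.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = outer.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Spring-Boot-Version:\s*(\S+)", manifest, re.M)
            boot_version = match.group(1) if match else None
        for name in names:
            if not (name.startswith("BOOT-INF/lib/") and name.endswith(".jar")):
                continue
            basename = name.rsplit("/", 1)[1]
            coord = version = None
            # Preferred source: exact Maven coordinates from the nested jar's pom.properties.
            # Nested jars are STORED (not deflated) in a fat JAR, so opening them is cheap.
            try:
                with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                    for inner_name in inner.namelist():
                        if inner_name.startswith("META-INF/maven/") and inner_name.endswith("/pom.properties"):
                            props = parse_pom_properties(inner.read(inner_name).decode("utf-8", "replace"))
                            if all(k in props for k in ("groupId", "artifactId", "version")):
                                coord = f"{props['groupId']}:{props['artifactId']}"
                                version = props["version"]
                                break
            except zipfile.BadZipFile:
                pass  # not a readable jar; fall through to the file-name parser
            if coord is None:
                match = FILENAME_RE.match(basename)
                coord, version = (match.group("artifact"), match.group("version")) if match else (basename, "unknown")
            found[coord] = version
    return boot_version, found


def version_key(version):
    """Crude ordering on numeric components only; qualifiers such as -RC1 are ignored (simplification)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def flag_below_minimum(inventory, minimums):
    """Return {coordinate: (bundled_version, required_version)} for libraries older than policy."""
    flagged = {}
    for coord, required in minimums.items():
        bundled = inventory.get(coord)
        if bundled not in (None, "unknown") and version_key(bundled) < version_key(required):
            flagged[coord] = (bundled, required)
    return flagged


def _nested_jar(group=None, artifact=None, version=None):
    """Build a minimal library jar; with coordinates it also carries pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if group:
            z.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                       f"#generated\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()


def build_sample_boot_jar():
    """Constructed stand-in for a Spring Boot fat JAR (not a real build artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\nMain-Class: org.springframework.boot.loader.JarLauncher\n"
                   "Start-Class: example.App\nSpring-Boot-Version: 1.5.4.RELEASE\n")
        stored = zipfile.ZIP_STORED  # fat JARs store nested jars uncompressed
        z.writestr("BOOT-INF/lib/json-mapper-2.8.8.jar",
                   _nested_jar("com.example.vendor", "json-mapper", "2.8.8"), compress_type=stored)
        z.writestr("BOOT-INF/lib/http-server-8.5.15.jar",
                   _nested_jar("com.example.vendor", "http-server", "8.5.15"), compress_type=stored)
        z.writestr("BOOT-INF/lib/vendor-util-1.2.0.jar", _nested_jar(), compress_type=stored)  # no pom.properties
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_boot_jar()
    boot, libs = inventory_boot_jar(data)
    print(f"Spring-Boot-Version: {boot}")
    for coord, ver in sorted(libs.items()):
        print(f"  {coord} {ver}")
    for coord, (have, need) in flag_below_minimum(libs, MINIMUM_VERSIONS).items():
        print(f"BELOW POLICY: {coord} bundled {have}, policy requires >= {need}")
```

Run it as `python3 inventory.py app.jar` on a real artefact, or with no argument to see it work on the constructed sample. The output is the list a sysadmin needs to feed into whatever tracks known issues (a tool such as OWASP Dependency-Check consumes the same BOOT-INF/lib/ jars directly, or the team's own watchlist as modelled by MINIMUM_VERSIONS). Coordinates from pom.properties are worth preferring over file names because shaded or renamed jars can hide which upstream project is actually inside; and because version_key ignores qualifiers, treat a flagged -RC or -SNAPSHOT build as something to look at by hand rather than a verdict.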
(no subject)
Date: 2017-06-19 09:18 pm (UTC)
fix this issue.
(no subject)
Date: 2017-06-19 09:23 pm (UTC)
I fear I may just end up with sufficient documentation that shows "we told you so."
(no subject)
Date: 2017-06-19 09:26 pm (UTC)
So, next trick: get buy-in!
(no subject)
Date: 2017-06-19 09:32 pm (UTC)
(no subject)
Date: 2017-06-19 09:33 pm (UTC)
(no subject)
Date: 2017-06-19 09:28 pm (UTC)
One solution is the build pipeline makes new artifacts with all dependencies every $timeperiod, then runs tests and deploys.
(no subject)
Date: 2017-06-19 09:31 pm (UTC)
(no subject)
Date: 2017-06-19 09:33 pm (UTC)
(no subject)
Date: 2017-06-19 09:34 pm (UTC)
no wait
(no subject)
Date: 2017-06-21 08:18 pm (UTC)
Have you tried breaking fingers? Developers can't produce insecure crap if they can't type.
(no subject)
Date: 2017-06-20 07:52 am (UTC)
The current strategy is manual: from the bottom up, one person tracks issues in external components used in the products, and from the top down, issues in high-profile external components get analyzed for their impact on our products. The latter part seems to be working well but only applies to widely used components; the former part is dependent on our ability to match expertise and attention to particular products.
Updates are expensive for both us and our customers (they're friendly about it on the phone to engineers, but I gather that sales/PM staff get massive earfuls over it), so the human analysis phase isn't going away in favor of "always update".
There is a move to de-integrate certain components in certain contexts, so that the customer supplies and updates them instead, but that hasn't happened yet, and present and future development strategies will pull in more things than will ever be de-integrated.
i.e., the scale of the problem is going to grow rapidly for us, and so I'm interested in any practical answers anyone has l-)