Creating SBOMs with the Snyk CLI

The Snyk CLI is a great tool used to scan a project and report vulnerabilities discovered in it. The Snyk CLI supports a wide variety of languages and build systems, making it ideal as a generic, go-to solution for vulnerability reporting. However, it only outputs vulnerabilities discovered – it does not generate an SBOM, which … Continue reading Creating SBOMs with the Snyk CLI

Improving the Reproducibility of Spring Boot’s Docker Image Builder

Reproducible builds are big wins for security, maintainability, and sanity. If you don’t like it when nothing has changed, yet your build suddenly breaks or doesn’t produce the same output, then improving reproducibility is for you. By default, Spring Boot’s Docker/OCI image building solutions, bootBuildImage (in Gradle) and spring-boot:build-image (in Maven), do not operate reproducibly. … Continue reading Improving the Reproducibility of Spring Boot’s Docker Image Builder

Identifying, Reporting, and Fixing CVE-2021-22119: DoS Vulnerability in Spring Security OAuth 2.0

In March 2021, I observed troubling behavior in multiple applications I supported that are built using Spring Boot: they would occasionally stop responding. Eventually, I tracked down the root cause to a DoS (Denial of Service) vulnerability in Spring Security OAuth 2.0: a simple shell script could take down any affected web application. Respecting the … Continue reading Identifying, Reporting, and Fixing CVE-2021-22119: DoS Vulnerability in Spring Security OAuth 2.0

Cypress Testing Integrated with Gradle and Spring Boot

Cypress is a great testing framework for “anything that runs in a browser” allowing for clean, maintainable end to end tests. However, these tests can difficult and annoying to for developers to run, especially those who aren’t front end specialists. The following covers getting existing Cypress tests integrated and easily running within the Gradle-based build … Continue reading Cypress Testing Integrated with Gradle and Spring Boot

Contributing Improved Security to JavaMelody with Content Security Policy

JavaMelody is a web based monitoring tool frequently run in production environments, providing insights including CPU usage, hot spots in code, database connection pool utilization, and more. I’m always on the lookout for ways to improve security, so when a security scan pointed out that the JavaMelody web interface didn’t have a Content Security Policy … Continue reading Contributing Improved Security to JavaMelody with Content Security Policy

Lighthouse Performance Testing

Lighthouse is a great way to establish a build-measure-learn feedback loop resulting in continuous value creation by testing ideas in the areas of SEO, performance, accessibility, and more. In this article, I’ll cover what Lighthouse is and how to add it a project with examples covering pure Javascript (node) projects and Gradle projects (with any … Continue reading Lighthouse Performance Testing

The How and Why Automating Dependency Updates

Organizations already automate running builds, executing tests, and performing deployments to free developers from tedium and improve reliability. The next step is to use automation to improve projects. Tools (bots) can submit pull requests that fix typos, optimize images, and more. I’ve had a great positive experience using a bot to perform the tedious task … Continue reading The How and Why Automating Dependency Updates

Testing a Java application on Windows without Windows

Java is supposed to be “write once, run anywhere” but in practice, there are always platform differences that can and do result in bugs. For that reason, and because in general it’s a good idea to test as much as possible, it’s nice to run tests (even for Java applications) on multiple platforms. As evidence … Continue reading Testing a Java application on Windows without Windows