Keeping project dependencies up to date helps ensure application security and reliability. Using Components with Known Vulnerabilities is the ninth of the OWASP Top 10 Application Security Risks, whose impact statement mentions "some of the largest breaches to date have relied on exploiting known vulnerabilities in components". According to Contrast Security, "applications commonly use 30 or more libraries, which can comprise up to 80% of the code in an application". A 2017 study by North Carolina State University found that "projects with automated pull requests made 60 percent more of the necessary upgrades than projects that didn't use incentives". Renovate Bot, a solution that enables this type of automation, was purchase by WhiteSource this week, who open sourced the tool for free 🍺. Yesterday I gave it a try and found it very easy to add to projects in Azure DevOps.

With Renovate Bot you create a periodically scheduled build pipeline which analyzes the dependencies in your project. When an update for a dependency is detected, the service automatically creates a pull request to update the relevant packages, and provides some analysis on the change.

Configuration Steps

The first step was to add the Renovate Bot extension to my Azure DevOps account. Then, I picked an existing project and created a new build pipeline that runs on an Azure DevOps hosted Linux Container, installs Node, and uses the Renovate build task. The only tricky part was I had to overwrite using the "latest" version of Renovate to version 19.61.5, as the latest version wouldn't work.

build task

Then, in the build options, set the scope to "Current Project"

build properties

And enable the Agent Job setting to allow the build script to access the OAuth Token.

agent job

In the project settings, Allow the project's build service to create pull requests and branches.

Note: this build service account wasn't present in my settings until I triggered the first Renovate Bot build.

Schedule the build to run on a cron job to your liking, for example, every Sunday at 3pm. Uncheck the box, Only schedule builds if the source or pipeline has changed.

triggers

Manually run the pipeline, which will automatically create Renovate's first pull request on your project. The service is compatible with a wide range of dependency types, which can be found in the documentation. One caveat for those interested in setting this up with .NET projects:

The nuget configuration object is used to control settings for the NuGet package manager. The NuGet package manager supports SDK-style .csproj format, as described here. This means that .NET Core projects are all supported but any .NET Framework projects need to be updated to the new .csproj format in order to be detected and supported by Renovate.

This pull request will add a renovate.json file to your project, provide you some information about the service, and details on the dependencies it has detected in the project.

configure

After you accept this initial pull request, your Renovate Bot will start providing pull requests for outdated dependencies in your project. 👏

pull request

If you prefer to use YAML pipelines, here's what the pipeline definition for the sample described above would look like.

schedules:
  - cron: "0 0 * * Sun"
    displayName: Weekly on Sunday
    branches:
      include:
        - master
    always: true

pool:
  vmImage: "ubuntu-latest"

steps:
  - checkout: self
    clean: true
    persistCredentials: true
  - task: NodeTool@0
    displayName: "Use Node >8.8.0"
    inputs:
      versionSpec: ">8.8.0"
      checkLatest: true
  - task: RenovateMe@0
    displayName: Renovate
    inputs:
      renovateOptionsVersion: 19.61.5

Conclusion

Overall, the setup was fairly easy and I was satisfied with the results. Using the YAML pipeline definition makes this very easy to share across projects. Special thanks for Jean-Yves COUET for creating the open source extensions for Azure DevOps.