Source code is not only the code you write: it also depends on third-party libraries and other software that have their own release cycles, with new versions published every so often that fix vulnerabilities or add features.
The question, then, is how the dependencies of our source code are managed and how that management can be automated.
Fortunately, dependency updates for multiple languages are a solved problem, as several update tools are available: Renovate, Dependabot (GitHub), Snyk and ORT, to name some alternatives.
In this blog post I discuss a few dependency update tools and their features.
Differences between the most popular dependency update tools:
| Aspect | ORT | Renovate | Dependabot | Snyk.io |
|---|---|---|---|---|
| Definition | The OSS Review Toolkit (ORT) aims to assist with the tasks that commonly need to be performed in the context of license compliance checks, especially for (but not limited to) Free and Open Source Software dependencies. | Universal dependency update tool that fits into your workflows. | The core logic behind Dependabot's update PR creation, and the public issue tracker for all things Dependabot (by dependabot). | Snyk is a cloud-based application security and testing platform. It finds and automatically fixes vulnerabilities in code, open source dependencies, containers, and infrastructure as code. |
| Core language | Kotlin | TypeScript | Ruby | TypeScript |
| Languages supported | C/C++, Dart/Flutter, Go, Haskell, Java, JavaScript/Node.js, .NET, Objective-C/Swift, PHP, Python, Ruby, Rust, Scala. | docker, dotnet, elixir, golang, java, js, node, php, python, ruby, rust, helm, terraform, terragrunt, gitlab-cli, html, swift, sbt, scala, pub, bazel, azure-pipelines, argocd, ansible, kustomize, git, regex, cdnurl, etc. | Ruby, JavaScript, Python, PHP, Elixir, Elm, Go, Rust, Java and .NET. | Java, JavaScript, .NET, Python, Golang, Swift, Objective-C, C#, Ruby, Scala, PHP and Elixir. |
| Is this an open source tool? | Yes | Yes | Yes | Yes, for a developer or a small team of developers with a limited number of tests. |
| Main features | · License scanning · Best practices / company standards scanning · Policy violations rule engine · Software Bill of Materials / Notices · Source code scanning · DevOps integration · Security scanning (not implemented yet in GitLab) | · Real-time dependency updates · Vulnerability alerts · Best-in-class vulnerability database · Scan public and private repositories · Configurable per Git repository · Disable updates for specific dependencies or programming languages · Configure PR assignees · Limit the number of PRs · Avoid spam via scheduling and grouping · Avoid spam via automatic merging · Configure the branches considered by the bot · Fix default branch rebasing behaviour · Handle pulled dependency updates · Improved overview of open PRs · Renovate config validator · Alerts and notifications | · Simple, drip-feed getting-started flow · Great pull requests that stay up to date · Powerful configuration options · Security advisories handled automatically · Compatibility scores for each update · Live, daily, weekly or monthly updates | · Detect vulnerable dependencies · Scan pull requests before merging · Prevent new vulnerabilities from passing through the build process by adding an automated Snyk test to CI/CD · Test the running environment to verify there is no exposure to existing vulnerabilities · Alerts and notifications · License policies · Automate open source security management and governance, at scale |
| Limitations with GitLab | · Security scanning not implemented yet | · It needs permission for each project to perform dependency fixes (this can be solved with access tokens) · It was not scanning CVE databases to suggest updates (to be fixed in an upcoming release) | · Basic dependency updates · Limited ability to auto-merge MRs · Compatible with GitHub, with limited support for GitLab · Automatic closure of superseded merge requests · Merge request commands · Webhooks · UI with managed project list | · A big team/organization with unlimited tests costs $215 to $4144 or more · The main focus of Snyk is security and vulnerability fixes |
| Support options for open source | GitHub community page | GitHub community page, chatbot, Git knowledge base, email support. | GitHub community page. | 24/7 (live rep), chat, knowledge base. |
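As an added example (not from the original post or from the Renovate project), here is a constructed `renovate.json` that enables several of the Renovate features listed above: a weekly schedule, PR limits, grouping, assignees, disabling updates for one dependency, automerge only for low-risk updates, and separate handling of vulnerability alerts. The assignee name and the ignored package are placeholders; the timezone is an assumption.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Constructed example config: throttle, group and schedule updates; auto-merge only low-risk ones",
  "extends": ["config:recommended"],
  "timezone": "Etc/UTC",
  "schedule": ["before 6am on monday"],
  "prHourlyLimit": 2,
  "prConcurrentLimit": 5,
  "assignees": ["example-maintainer"],
  "ignoreDeps": ["example-legacy-lib"],
  "packageRules": [
    {
      "description": "Group non-major devDependency bumps into one PR and auto-merge them once CI passes",
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "dev dependencies (non-major)",
      "automerge": true
    },
    {
      "description": "Major upgrades of production dependencies are never auto-merged and are labelled for review",
      "matchDepTypes": ["dependencies"],
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["needs-review"]
    }
  ],
  "vulnerabilityAlerts": {
    "schedule": ["at any time"],
    "labels": ["security"],
    "automerge": false
  }
}
```

Vulnerability-alert PRs are not held to the Monday window here but still need a human merge; the config can be checked with Renovate's validator (`npx --yes --package renovate -- renovate-config-validator`) before it is committed.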