Thursday, October 31, 2019

#CodeConfident: Journey - Part 4

My Journey application went through a couple of further changes. Here's my coding journal for them.

September 26

  • received security vulnerability report from GitHub, upgraded generator-jhipster
    1 generator-jhipster vulnerability found in package.json 3 days ago
    Remediation
    Upgrade generator-jhipster to version 6.3.1 or later. For example:

    "dependencies": {
      "generator-jhipster": ">=6.3.1"
    }
    or…
    "devDependencies": {
      "generator-jhipster": ">=6.3.1"
    }
    Always verify the validity and compatibility of suggestions with your codebase.

    Details
    GHSA-mc84-xr9p-938r More information
    high severity
    Vulnerable versions: < 6.3.1
    Patched version: 6.3.1
    Generated code uses repository configuration that downloads over HTTP instead of HTTPS
    Impact
    Gradle users were using the http://repo.spring.io/plugins-release repositories in plain HTTP, and not HTTPS, so a man-in-the-middle attack was possible at build time.

    Patches
    Maven users should at least upgrade to 6.3.0 while Gradle users should update to 6.3.1.
    If you are not able to upgrade make sure not to use a Maven repository via http in your build file.

    Workarounds
    Replace all custom repository definitions in build.gradle or pom.xml with their https version.

    e.g.

     <repository>
                <id>oss.sonatype.org-snapshot</id>
                <url>https://oss.sonatype.org/content/repositories/snapshots</url> // <-- must be httpS
                <releases>
                    <enabled>false</enabled>
                </releases>
                <snapshots>
                    <enabled>true</enabled>
                </snapshots>
    </repository>
    maven { url "https://repo.spring.io/plugins-release" } // <-- must be httpS
    References
    https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
    For more information
    If you have any questions or comments about this advisory:

    Open an issue in https://github.com/jhipster/generator-jhipster/issues

October 13

  • activated issue tracking for my GitHub repo, added all open todos I am aware of
  • added the projects option, created a project and added open todos to it to provide a better overview and track progress
  • added contributing.md as guideline how to contribute to the project
  • changed default sorting for journal entries and challenges

October 15

  • Github reported a security alert; upgraded swagger-ui
    1 swagger-ui vulnerability found in package.json 2 hours ago
    Remediation
    Upgrade swagger-ui to version 3.23.11 or later. For example:

    "dependencies": {
      "swagger-ui": ">=3.23.11"
    }
    or…
    "devDependencies": {
      "swagger-ui": ">=3.23.11"
    }
    Always verify the validity and compatibility of suggestions with your codebase.

    Details
    CVE-2019-17495 More information
    high severity
    Vulnerable versions: < 3.23.11
    Patched version: 3.23.11
    A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

October 27

  • pairing session with Michael Kutz
  • our goal was still to introduce Lombok to Journey; as preparation for our pairing session, I recreated the situation where we ended last time, using the @Data annotation from Lombok which caused the equalsVerifier test to fail
  • when debugging the failing test again, Michael noticed that Logback threw an exception:
    WARN in net.logstash.logback.appender.LogstashTcpSocketAppender[LOGSTASH] - Log destination localhost/127.0.0.1:5000: connection failed. java.net.ConnectException: Connection refused: connect
    http://logback.qos.ch/codes.html#earlier_fa_collision
    This does not cause a problem for the test as we still have log output in the console, yet is something to investigate for later. Maybe deactivate the file appender in case of running tests.
  • we tracked down the difference between the previous "equals" implementation and the one Lombok provides: Lombok does not consider the need for the object instances to have the same id, in the implementation generated by JHipster, however, they need to have an id defined and that to be the same
  • this triggered thoughts that it might not be wise at all to use @Data annotation for entities; Michael remembered a discussion with a colleague and a related blog post and will investigate further --> here it is! https://developer.jboss.org/wiki/EqualsAndHashCode
  • as side note: Michael shared that any additional dependency introduced for microservices is a risk in itself as dependencies result in frequent maintenance costs on updates
  • we researched whether we could use the @EqualsAndHashCode annotation configured to include or exclude certain fields
    https://projectlombok.org/features/EqualsAndHashCode
  • Michael questioned the design of the generated code of JHipster regarding entities that are also used as business objects; we have DTOs here as well, which can be considered as objects that construct a JSON object from the entity
  • in the end we decided not to risk using @Data as using Lombok here might lead to unwanted side effects like not persisting entities in the database or creating duplicate ones; these kind of problems tend to surface only much later and are hard to figure out; in the end it was good to have a test for it!
  • instead we decided to use the following specific annotations which still replace a lot of boilerplate code: @Getter, @Setter, @ToString
  • for equals and hashCode we kept the original implementation; equals here will only return true in case the instances have the same id persisted in the database
  • the hashCode implementation which sets it to the magic number of 31 is completely obscure to us; the hashCode is used e.g. in a HashSet to check if an object of this type is already present
  • before committing, we reviewed our change set
  • we discussed where to put the Lombok dependency in the Gradle file; the current list of dependencies is provided by JHipster, using a BOM = Bill of Materials; therefore no specific versions are provided for the dependencies, JHipster will take care of getting the latest versions they have available; this is similarly solved in SpringBoot; we decided to add our new dependency at the very end, considering we would find it again quicker and not miss it when skimming over the JHipster dependencies
  • we discussed our previous sample test for the toString method without and with Lombok; this was rather meant as test to showcase how Lombok works, and build trust in this library; as soon as we trust it, such a test is not useful anymore, so it's not meant to be maintained but rather to help our exploration, so we threw it away; the Lombok toString might be implemented differently now, yet this method in general is only meant to provide a human readable representation of the object, while hashCode is meant as interpretable for a machine
  • when committing, we discussed proper commit messages; Michael recommended the following post: https://chris.beams.io/posts/git-commit/ He has trained himself to make use of these recommendations and learned their benefits; we used the same approach here:
    • a) write commit messages as short as possible --> write them in present tense (which is always shorter than past tense), and as imperatives for git
    • b) if you want to provide more information, add an empty line after this "subject" and then write your comments in the third line
    • c) don't write more than 50 characters for the subject or more than 72 characters per line for the rest of the commit message
    • d) start the subject with a capital letter
    • --> IntelliJ settings offer automatic warnings in case such patterns are ignored
  • it's great to reflect on commit messages together with a pair as this helps you become aware of potential ambiguous commits; if a pair cannot formulate a great commit message together, then it might be too big, too early or not ready yet at all; great heuristic!
  • trying to commit, we stumbled across different shortcut settings: per IDE, per operating system, overridden by another program, or using custom ones; for pairing it's great to know the default ones provided by an IDE as well as most people use them
  • Retrospective:
    • I learned a lot again, it's a pleasure to pair with Michael, he takes time and stays patient to explain things well
    • Michael shared it's fun to pair with me, and explaining helps him see where his gaps are, what are only his opinions or more common viewpoints
  • Our pairing session was over, and yet we continued talking for over an hour :) We ended up with a great conversation on the following topics and more:
    • how to structure big test suites, e.g. in teams aiming to cover nearly every bit of code with automated tests
    • what are integration tests, what are service tests, what should they call and what not
    • potential future blog posts, talks, video courses, books
    • Test Automation University
    • public viewing of talks and pairing sessions at work and their discussion afterwards to learn more
    • Agile Testing Days 2019 which starts in a week and where we will meet in person
    • a conference I wasn't aware of yet: SAEC Days
    • paired talks and their specifics; paired workshops and why we should always pair for them
    • exploratory testing and introducing it to developers; how close it is to security testing
    • coaching and career development
    • pairing in general: If Michael sees one person working alone and they are not deleting their emails, then he considers this as waste. They might not know what they do; they need to share their knowledge anyway with the team; if they don't share it's a knowledge silo; feedback like had regarding proper commit messages will be lost as it's mostly not provided at a later point in time; feedback should be timely and constructive anyway and this is a lot easier when pairing. With me, pairing is easy as learning is always my second goal, yet that's not the case with all people. Having people do things alone is always dangerous.
    • code confident: Michael would instantly have me pair in his team and people wouldn't know I'm not a developer. The only difference would be that coding is rather on my breadth than my depth when it comes to my t-shaped skills, which is not bad as pairing is always learning and broadening our skill set. The one most important skill in his opinion when it comes to pairing is curiosity and the thirst for knowledge and I bring that. :D
  • TODO: fix logging configuration for running tests
  • TODO: make use of Lombok in other classes

October 27 (cont)

  • adapted implementation of entities and more to use Lombok as well
  • found some generated integration tests for the user management implementation were broke (already before using Lombok), presumably after one of the latest security fixes --> TODO

October 31

  • pairing with Simon Berner
  • he was also focusing on coding this year, so we had decided to start our session with sharing our experiences and lessons learned, before moving to a hands-on part on Journey
  • when it comes to personal learning challenges, we shared how tempting it is to do too much and loose focus; time is limited and you can only do so much
  • it helped Simon to focus on things he is passionate about, and that he also wants to present at conferences, like the workshop "Git like a Pro" he is soon giving at Let's Test Southafrica
  • he did a sneak peak into everything, learning new things and trying stuff out without any pressure involved
  • we shared our experiences regarding submitting papers at conferences for talks or workshops; we shared how awesome it is that people like Lisa Crispin helps new voices to increase their visibility by pairing up with them; it's hard to kick-start your journey into speaking and this kind of support, sponsorship and encouragement helps immensely
  • we had paired already last year on my Testing Tour, and Simon shared it was a great experience; scary at first to suddenly pair with a stranger, yet now I'm already no stranger anymore and it feels natural to pair; it really helps to share the same interests and work together
  • we talked about the things Simon tried out (check out Simon's GitHub account!); he focused on small examples, learning by doing without having to invest too much time into things; this freedom really helped him
  • sometimes we go to bed frustrated that things don't work as we wanted them to work, and then the next day we catch ourselves thinking: "wait a second..." and we know the solution; you can't force these things to happen, sometimes you need to defocus; despite us asking ourselves "all the others can do it... is it me??", we know that the job is 80% searching, exploring, experimenting, talking with people, and only a tiny part is actual coding
  • we talked about testing, our roles at our companies, how fascinating our job is and how many opportunities it offers; and how often we have to share this with people who are not aware of what this job is about
  • we talked about pairing and mobbing and getting people to give it a try; it's fascinating that with some people this kind of collaboration becomes very natural and you get into a super productive and effective flow; yet with some people you cannot; some people also strongly resist to give things a try, and you cannot force people into something
  • we decided it's time to start the hands-on part
  • I walked him through the Journey project, explaining what JHipster provided when generating the base project, and showed him the project board with the tasks I want to work on
  • Simon instantly went for the top item on the todo list: "journal entries should show the related challenge tag instead of id" I hesitated and warned him this one might be too big for our limited time, yet he said: "why not, let's try it!"
  • we explored the code for the journal entry edit dialog, trying to understand where the challenge ids are coming from and how the drop-down list is populated
  • Simon shared that he really values good documentation, especially in these kind of situations; here we don't have any and also the generated code itself is hard to understand and not self-explanatory
  • Simon shared that when exploring an unknown code base he often deletes things to see where they get used and if they are needed
  • we shared knowledge regarding Visual Studio Code features as it's a newer IDE to both of us; Simon really likes it to be lightweight and having a great ecosystem; he likes IntelliJ for their advanced features like search, yet it's rather the heavy lifter
  • we went slowly step by step, and discovered a method named "trackChallengeById" in the journal update component which returned the id of a challenge; we changed it to return its tag instead, yet this did not do the trick yet; we found the method to be used in the related template, where we also needed to change the call to tag - and it worked!!
  • Retrospective:
    • Lisi: Thank you so much! Especially for the courage of giving this task a try. Amazing. Just within 30 minutes we solved a challenge I spent already many hours on. This clearly shows the benefits of pairing!
    • Simon: This was great! Really happy we could solve it, even when exploring the code for the first time. Let's pair again! 
  • TODO: solve the task for the rest of the views as well :)

Besides that?

I've had the honor to present what I learned on my #CodeConfident challenge at TestBash Manchester - an amazing experience. During the conference's open space, we formed a mob and worked on a coding challenge together. Our goal was to experience this collaborative approach and practice our development skills hands-on together. We made progress but did not manage to finish the challenge in the limited time of the open space. The thing is: I couldn't let go working on the it myself! I did not take notes for this one, and yet I'm still trying to figure out how to upgrade MobTime to latest open Java and JavaFx versions in order to then change it's preset alarm tone (or offer more options). Unfortunately I couldn't get it to run (yet). Still, I learned a bunch on this challenge already - and it's yet another project I'd love to pair (or mob again) on! :)

Sunday, October 6, 2019

TestBash Manchester 2019 - About Learning, Daring and Enjoying

Looking back at the last week of TestBash Manchester 2019, I have to say this was an absolutely amazing week! Thoroughly enjoyed this experience. Brace yourself for quite a lengthy report. ;-)

Arriving in Great Company

Already when boarding my plane to Manchester there was the first nice surprise. Sven Schirmer was going to TestBash as well! The conferring part of conferences officially started for me then.

After arriving at the hotel, we joined the first meetup preceding the workshop days. I really enjoy meeting a few people already before the official program starts. This gets me into the mood and it's not as overwhelming as "meeting" everyone at once.

Together with Sven, Richard Bradshaw, Mark Winteringham, Maaike Brinkhof, Göran KeroRick Scott and several more we had a great dinner and lovely conversations. I felt emotionally prepared for the workshop day.

Learning: Workshop Day

I really enjoy workshops for learning, especially when they are hands-on and interactive. This time, I could finally catch a workshop I wanted to join for some time now: "Using Dependency Mapping To Enhance Testing Techniques" by Melissa Eadon. It was great! Exactly met my expectations. Mel emphasized how dependencies are a huge risk in modern development and how everything is about communication. In working groups, each of us drew a dependency map of their team, product or a problem they had. The rest asked questions for clarifications, trying to identify where the problems are and what could be done about them. As simple as it may sound, this visualization exercise was extremely powerful. It helped to get the thoughts and knowledge we have from our brains onto paper so we could discuss about it together. It triggered us to describe the situation while drawing, and the resulting questions caused interesting insights. For example, I realized what part of our product I had nearly forgotten to draw at all; and indeed, this is a part that's not well covered with testing. Another example: by casually answering a question I realized that I had neglected testing one of the most crucial parts of our application! The identified risk areas are a great input to focus further exploratory testing on. Besides that, this exercise would be very interesting to do with lots of people in my team and also across teams. Everyone has a different mental model and this makes it visible, therefore serving as discussion base. As a plus: it's also a relationship-building exercise!

In the afternoon I had the chance to see Emily Bache in action in her workshop "Getting High Coverage Regression Tests Quickly". She introduced us to the concept of approval testing and its characteristics. How you can still do test-driven development, how to handle test failures, how code coverage and mutation testing can guide us. This approach especially comes in handy when it comes to legacy code, yet is also convenient for new projects. The best part of the workshop: Emily provided us four practice projects to work on, in the language of our choosing. Trying out approval testing and covering existing code with tests. One of the persons at my table could not get their IDE setup to work for approval tests, so we decided to pair up. Even better: he was familiar with strong-style pairing and showed great communication skills, so it was a real pleasure to pair up and solve the challenges together. It's just a lot more fun this way! :)

For the evening, I had missed the opportunity to sign up for another meetup, hosted at the BBC. So I ended up with plan B (which should have been plan A in the first place): dinner with Sven, Maaike, Göran and Emily! I'm so much enjoying spending valuable time with my community peers.

After dinner, we decided to go for a drink to slowly end the day. And suddenly, to my huge surprise, Patrick Prill was standing in the room! He is the one I test all my talks with at a local meetup. Same about two weeks ago. Yet somehow I haven't asked him if he would also be at TestBash Manchester - I should have! This was an absolutely nice surprise. On the one hand because I really appreciate him as one of the kindest and most insightful human beings on earth. And on the other hand because of my talk. Granted, his presence also made me a tad more nervous, and yet I knew this would be the chance to learn whether I managed to improve my talk. What a nice surprise!

Daring: Conference Day

Then the time had come. The main conference started. Our compère: the great Leigh Rathbone! Once more I sketchnoted most of the talks - besides the one directly before mine. Such a pity, I would have loved to learn from Areti Panou's story! Yet I knew I wouldn't be able to focus. I did so many conference sessions already, and yet I can be certain I will be super nervous just before, and super distracted right after my own session (so I didn't catch the 99 second talks either). I learned not to beat myself up because of that anymore.
This time I went last - a great honor, yet my nerves were on edge and showing. Also, this time it was not only a talk for me - there was an even more daring part included as well. On the one hand I shared my lessons learned on my #CodeConfident journey, and on the other hand I proved my increased confidence live on stage with my very first live coding demo! Small and short, and yet really extending my comfort zone. The demo gods were kind to me and all went well, so next time I'm ready for more! For here, I'll let the tweets speak for themselves.
After the conference we all came together for a meetup at a nearby location. Great food, even more great conversations - yet it was extremely noisy and I felt drained. So, a shorter evening for once; the next day another conference day waited for me! Time to get some rest.

Enjoying: Test.bash();

The next day it was time for the second edition of Test.bash(); overall, and my first one. It can be considered a more technical and hands-on focused version of TestBash - and I really enjoyed it. Lots of great talks all over the place, lots of live demos, too. Hosted by the wonderfully energetic Gwen Diagram! I got out of the day with more knowledge and even feeling refreshed.
Right after a great conference day, we all continued with a meetup hosted directly at our venue, The Lowry. Not only that, it was indeed inside its gallery! I love art, so this was a special treat. I thoroughly enjoyed the opportunity to have both great conversations as well as some quiet contemplating time when looking at the great paintings and sketches by this artist from Manchester. Simply awesome. I loved this.

And once more: A great dinner with great friends. Elizabeth Zagroba, Joep Schuurkes, Patrick, Sven, and Geert van de Lisdonk. Thank you for a great time

Open Space

Only one more day to go before TestBash Manchester was finally over. I really looked forward to the open space day, hoping I still had enough energy. Lots of great topics made this easy, I learned a bunch.
  • "Testing without touching" by Joep Schuurkes and Elizabeth Zagroba. What a great session! Our group generated lots of great testing ideas and assumptions to verify, just by looking at the first page of an application. Great exercise, looking forward to taking this back with me to work.
  • "Threat Modelling" by Saskia Coplans & Jay Harris. Always awesome to learn from great security people. This time we threat modeled a service of our choosing to learn which requirements to fulfill to mitigate those threats.
  • "Motivation & Productivity" by Rick Scott. Great exchange about all things productivity hacks and self-motivation. It's not easy to get things done, and everyone is different so we need to learn what works for us.
  • "Accessibility Quiz" by Ady Stokes. This was super insightful! Ady handed out a page full of UI examples illustrating different types of accessibility issues. Great way to learn more how we can include all people and at the same time make the lives of everyone easier!
  • "Tester Growth" by Melissa Eadon. Mel asked all of us three questions: Where do you want to go? Where do you come from? How did you change? Great opportunity to reflect on our own situation as well as listen to the experiences and wishes of my peers.
  • "Practice Mob" session by me, additionally initiated by Joep Schuurkes and Elizabeth Zagroba (who mob with their testing community once a week). We wanted to work on something hands-on, practicing together - using the opportunity of having your peers in one place. Most people were simply interested to experience a mob for the first time, so we went for Joep's idea: let's extend MobTime, my (so far) favorite mob timer! Its drawback: an annoying alarm tone. On our endeavor to change it, we faced several setup issues as the project had not been maintained anymore for longer. Still, the session was great, we made progress, and most of all: so much knowledge was shared within just two hours of mobbing. Loved it!
How to end this evening best? Of course with a nice dinner and some goodbye drinks, with Mel, Joep, Elizabeth, Rick and Geert.

Now this leaves me only with one more thing to say: a huge THANK YOU to organizers and volunteers! You did an amazing job. This was my favorite TestBash so far, and I'll remember it dearly.