Best of Foojay.io September 2024 Edition – JVM Weekly vol. 102

In May, I announced that JVM Weekly had joined the Foojay.io family. Foojay.io is a dynamic, community-driven platform for OpenJDK users, primarily Java and Kotlin enthusiasts. As a hub for the “Friends of OpenJDK,” Foojay.io gathers a rich collection of articles written by industry experts and active community members, offering valuable insights into the latest trends, tools, and practices within the OpenJDK ecosystem.

Instead of selecting specific articles and dedicating entire sections to them in the weekly newsletter, I focus once a month on choosing a few interesting articles that might be useful or, at the very least, broaden your horizons by presenting intriguing practices or tools.

Foojay Podcast #58: How Java Developers Can Secure Their Code

Let’s start, as always, with the Foojay Podcast. In the latest episode, How Java Developers Can Secure Their Code (#58), Frank Delporte ?????? Brian V. from Snyk , Erik Costlow from Azul , and Jonathan Vila ?? ?? from Sonar discuss persistent threats like Log4Shell and SQL injection. They highlight the problems with outdated dependencies and the responsibility to keep them updated, while also discussing tools that help identify security vulnerabilities and analyzing how unused code impacts application security.

Additionally, as supplementary material for the episode, you can read the article by Brian The Persistent Threat: Why Major Vulnerabilities Like Log4Shell and Spring4Shell Remain Significant. The article emphasizes the serious negligence of continuously using vulnerable versions of Log4j and Spring Framework libraries in many projects, despite the widely publicized security flaws of Log4Shell and Spring4Shell. Snyk showed that Spring4Shell can be exploited on various platforms, such as Glassfish, proving that even seemingly less dangerous vulnerabilities can lead to serious security issues. The proposed solution is, of course, simple—purchase a license for snyk.io. However, with a hint of sarcasm, this is one of the many real-life examples where a key problem can at least be postponed by throwing money at it.

How to Profile a Performance Issue Using Spring Boot Profiling Tools

Staying on the topic of monitoring tools, the article How to Profile a Performance Issue Using Spring Boot Profiling Tools by Nasim Salmany focuses on the issue of monitoring and profiling the performance of Spring Boot applications. The article highlights key scenarios where profiling tools are essential: high latency, high CPU usage, memory issues, slow database queries, errors, and increased failure rates. Analyzing these cases allows identifying bottlenecks and improving the overall performance of the application.

The text discusses the most popular tools for profiling Spring Boot applications, such as JProfiler, YourKit (which provide deep insights into CPU and memory usage, allowing the identification and fixing of issues like memory leaks and inefficient methods), VisualVM (which enables real-time application monitoring, offering heap dump analysis, among others), as well as built-in Spring Boot tools: Actuator and Micrometer. Actuator provides application monitoring and management functions, offering endpoints that provide information about application health, memory usage statistics, CPU usage, and HTTP queries, while Micrometer allows the collection of metrics and their integration with monitoring systems such as Prometheus or Grafana. On the other hand, Digma (which seem to be often mentioned on foojay.io), introduces the concept of “continuous feedback” into the development cycle, allowing early detection and analysis of performance issues directly in the development environment.

TornadoVM for RISC-V Accelerators

What would a month on foojay.io be without Tornado, right? And each month, it becomes more niche... and seemingly more interesting ??

The article TornadoVM for RISC-V Accelerators by Juan Fumero presents how RISC-V, an open standard Instruction Set Architecture (ISA), provides flexibility in designing custom processors, particularly useful in AI and machine learning applications. RISC-V is not a ready-made processor but rather a model of a processor (ISA) based on the philosophy of delivering a strictly specialized set of instructions.

To effectively utilize this hardware solution, the oneAPI Construction Kit (OCK) was introduced—an open-source framework that maps open standards like SYCL and OpenCL onto RISC-V accelerators. OCK allows developers to define and implement domain-specific instructions, facilitating software execution on modular processors.

The article explains how TornadoVM, a parallel programming framework in Java, can use OCK to accelerate tasks in Java on RISC-V chips using vector extensions to maximize performance. Additionally, it provides detailed instructions on setting up OCK and TornadoVM to operate on RISC-V accelerators and use the Codeplay Reference Silicon (RefSi) simulator for RISC-V hardware emulation. It also describes the steps necessary to configure the environment, install the required components, and run a sample program in Java on a RISC-V device using TornadoVM.

Run True-to-Production Tests on Your MicroProfile and Jakarta EE Applications

Now, we have a follow-up to last month’s article—we will return to one of the principles of creating a 12-Factor (or 15-Factor) Application: testing in an environment as close to production as possible.

While testing applications in conditions as close to production has become crucial nowadays, traditionally (and probably in many cases daily), developers struggle with replicating the production environment locally. The article Run True-to-Production Tests on Your MicroProfile and Jakarta EE Applications by Grace Jansen presents Testcontainers—a framework likely familiar to more “seasoned” readers—as a solution to facilitate this task. Testcontainers provide containers as resources during tests, ensuring consistent and portable testing environments, especially useful for applications with external dependencies such as databases, message queues, or network services.

One of the main advantages of Testcontainers is support for a wide range of Docker containers, integration with popular testing frameworks (JUnit, TestNG, Spock), and a simple, declarative configuration method. The framework also supports the lifecycle of containers, automatically starting them before tests and stopping them afterward, ensuring a clean and isolated testing environment. Additionally, built-in waiting strategies prevent tests from running before the containers are fully configured. The article shows how to use Testcontainers in Java applications, offering interactive guides that help configure multiple containers, create a REST client for tests, and simulate the production environment.

P.S.: If you would like to have your say in updating the 12-Factor Application methodology, Heroku is looking for support on this topic.

Press the Easy Button: Organize a Virtual Conference Schedule with a Graph Database

For a change of pace from pure Java, I have a description of an interesting problem that was solved using graph databases.

In Press the Easy Button: Organize a Virtual Conference Schedule with a Graph Database, Jennifer Reif describe creating the schedule for the NODES 2024 conference, organized by neo4j, as an extremely complex task, mainly due to its global, virtual nature. The event included live presentations in various time zones and focused on diverse topics related to graphs, artificial intelligence, applications, and data science. There were 200 sessions divided into four thematic tracks across three main regions: Asia/Pacific, Europe, and America. The need to coordinate the duration of the sessions (15 and 30 minutes) and adjust their level of advancement (from introductory to advanced) added further challenges. To simplify the process, the authors decided to use their graph database—Neo4j—as a tool for managing and optimizing the schedule.

The Sessionize platform, though offering many features, does not allow full integration and visualization of all data in one place, complicating the planning process of such a large and complex conference. The authors used the option to export data from Sessionize to Excel files, then converted them to CSV format to facilitate their import into Neo4j. The import included information about the sessions, speakers, ratings, and connections between them. Using Neo4j’s graph approach, it was possible to combine various data elements into a coherent whole. The authors built a network of relationships between nodes, for example, indicating which sessions are led by specific speakers or in which time zone they are held.

In practice, this approach solved many organizational problems. Thanks to appropriately constructed queries, it was easy to get a list of sessions from selected regions with a specific rating threshold, significantly simplifying the process of building the schedule. I think that if you are interested in graph databases and do not have much experience with them yet, this will be a really good starting point.

Exploring New Features in JDK 23: Factory Pattern with Flexible Constructor Bodies with JEP-482

And as in previous editions of Foojay reviews, let’s end with a detailed description of one of the JEPs.

In his article Exploring New Features in JDK 23: Factory Pattern with Flexible Constructor Bodies with JEP-482, Miroslav (Miro) Wengner describes how JEP 482: Flexible Constructor Bodies and the greater flexibility it brings in object creation can significantly impact simplifying creational patterns like the factory method. The article presents an example of using the factory pattern to create objects of the VehicleSensor interface using the VehicleSensorFactory class.

Using JEP-482 allows more flexible management of constructor arguments and appropriately reacting to unexpected states before invoking super(...) or this(...). As a result, the constructor itself handles the internal logic, transferring the responsibility from the creational pattern to the object itself. This makes the code more readable and better suited to the functional programming style. A very nice example of "JDK 23 Applied."

On Foojay.io, there is also an entire article dedicated to the various changes in Java 23 written by Hanno Embregts. Given that I already explored this topic here two weeks ago, most readers are probably familiar with it, but those wanting to get a “second opinion” can take a look.

And next week... next week's edition will be on Friday, because we have Devoxx Belgium, where I will have the opportunity to talk about changes in the JVM aimed at better support for model inference.

If you’ll be at the conference – come by to give a high-five!