Skip to main content

Proof of value process

With Moderne, you can automate maintenance processes such as framework migrations, security vulnerability fixes, and code quality standardization. Code refactoring work that used to take months and teams of developers can be done in minutes, closing vulnerabilities and saving millions of dollars in software maintenance costs while giving developers substantially more time to focus on delivering business value.

We are often asked how to introduce the power of Moderne to an organization in order to build confidence in the tooling and facilitate a successful paradigm shift for their teams. To start, it's best to focus on lower risk, lower effort, and lower complexity tasks for developers. This might include tasks such as cleaning up code quality issues or addressing isolated CVEs. Once success is shown in these areas, you can build up to more substantial updates, such as minor framework updates or patches, and eventually to more complex code migration work.

The idea is for all of these types of updates to become a continuous process for your organization. Gradually phasing them in over time helps to achieve both technological and cultural change, which ultimately drives adoption.

Proof of value (POV) Steps

  1. The process kicks off by us provisioning an isolated Moderne Platform in the cloud provider and region of your choice. Deployment is fully automated and takes approximately one hour.
  2. After that, you'll need to set up the agent. Please follow the instructions in our on-premise agent configuration doc. The agent is a single docker image or JAR that can run on a Virtual Machine, Kubernetes, or Cloud Foundry. It controls the encryption key and connects to on-prem systems such as your source code manager (SCM) and artifact repository. To ensure the agent functions correctly, you will need to create a read-only service account for your artifact repository and your SCM. This will allow developers to authenticate with your SCM for access control and commits/PRs (if commits are enabled for your tenant). The installation process typically takes less than an hour once the service accounts and SCM configurations are in place.
  3. To enable SSO for Moderne, you will need to connect to your Identity Provider (IdP). This is done in a 30-minute meeting with Moderne to exchange metadata. If requested, a username/password can also be used during the POV process instead of SSO.
  4. Next, you'll need to set up the ingestion pipeline. This pipeline will build and publish LST artifacts for the repositories you specify to your artifact repository. From there, the Moderne agent will find these LST artifacts, encrypt them, and ship them to the Moderne cloud.
    • The more repositories you add and the more diverse they are, the easier it is to demonstrate value. Customers typically start with 50-100 repositories.
    • No changes are required to the repositories themselves (such as installing build plugins).
  5. With all of that done, you're now ready to run some recipes. Below, we'll provide some suggestions for recipes to run. The links will take you to the Moderne SaaS where you can run the recipes on a variety of open-source repositories. You will need to sign in to view and run recipes.
  6. After you run recipes, you'll generate some data tables and some visualizations.

Recipes to run

The recipes below are listed in order of increasing complexity. You can click the links to run them directly on the Moderne Platform. Alternatively, you can run the same recipes using the CLI.

Major migrations are complex transformations consisting of multiple individual recipes. At some point, these transformations represent one-off use cases and there are diminishing returns from trying to automate them fully. Mostly, they will lift your applications 80-90% of the way to completion with the remainder requiring some manual actions expected to be taken by developers.

CLI command reference

RecipeCLI command
Common static analysis issuesmod run . --recipe CommonStaticAnalysis
Parameterize SLF4J's logging statementsmod run . --recipe ParameterizedLogging
Enhances logging of exceptionsmod run . --recipe CompleteExceptionLogging
Upgrade Maven dependency versionmod run . --recipe UpgradeDependencyVersion -P "groupId=com.fasterxml.jackson*" -P "artifactId=jackson-module*" -P "newVersion=29.X" -P "versionPattern='-jre'" -P "retainVersions=com.jcraft:jsch"
Exclude Maven dependencymod run . --recipe ExcludeDependency -P "groupId=org.junit.vintage" -P "junit-vintage-engine" -P "scope=compile"
Remove redundant explicit dependency and plugin versionsmod run . --recipe RemoveRedundantDependencyVersions
Dependency insight for Gradle and Mavenmod run . --recipe DependencyInsight -P groupIdPattern='com.fasterxml.jackson*' -P artifactIdPattern='jackson*'
Update Gradle wrappermod run . --recipe UpdateGradleWrapper
Update a Gradle plugin by idmod run . --recipe UpgradePluginVersion -P "pluginIdPattern=com.jfrog.bintray" -P "newVersion=29.X" -P "versionPattern='-jre'"
Find secretsmod run . --recipe FindSecrets
Secure randommod run . --recipe SecureRandom
Java security best practicesmod run . --recipe JavaSecurityBestPractices
Remediate vulnerabilities from the OWASP Top Tenmod run . --recipe OwaspTopTen
Find and fix vulnerable dependenciesmod run . --recipe DependencyVulnerabilityCheck -P scope='runtime' -P overrideTransitive=true -P maximumUpgradeDelta='patch'
JUnit Jupiter best practicesmod run . --recipe JUnit5BestPractices
Mockito 5.x upgrademod run . --recipe Mockito1to5Migration
AssertJ best practicesmod run . --recipe Assertj
Migrate to Java 11mod run . --recipe Java8toJava11
Migrate to Java 21mod run . --recipe UpgradeToJava21
Migrate to Spring Boot 2.7mod run . --recipe UpgradeSpringBoot_2_7
Spring Boot 3.4 best practicesmod run . --recipe SpringBoot3BestPractices

Impact analysis

Another substantial use case worth testing is impact analysis. When adding new functionality or fixing a bug, it's often times good to think about what the consequences would be. While you could make a change and see who yells at you, it's generally better if you take the time to do your due diligence and figure out what's going to happen.

Below are some recipes that you can use to help you with impact analysis as well as a detailed video that will walk you through using these recipes.

Recipes to run