
I want to use a library that has the following dependency:

<dependency>
  <groupId>com.google.code.findbugs</groupId>
  <artifactId>annotations</artifactId>
  <version>2.0.3</version>
</dependency>

I read that FindBugs is for static analysis of Java code, so I thought it isn't necessary to include it in the application. Is it safe to exclude the jar with <scope>provided</scope> or with an <exclusion>...</exclusion>?

One reason to exclude it is that there is a company policy against the (L)GPL licence.

holmis83
  • You are saying that the library you want to use pulls Findbugs in as a transitive dependency? Also - could you clarify what you mean by 'safe?' – user944849 Nov 11 '14 at 15:17
  • @user944849 Yes, findbugs becomes a transitive dependency in my project. With safe I mean that library should work and print no errors about missing classes. – holmis83 Nov 11 '14 at 15:27

2 Answers


Yes, you can safely exclude this library. It contains only annotations which do not need to be present at runtime. Take care to have them available for the FindBugs analysis, though.

Note that you should also list jsr305.jar, like this:

<dependency>
    <groupId>com.google.code.findbugs</groupId>
    <artifactId>annotations</artifactId>
    <version>3.0.2</version>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>com.google.code.findbugs</groupId>
    <artifactId>jsr305</artifactId>
    <version>3.0.2</version>
    <scope>provided</scope>
</dependency>

Both JARs are required to make these annotations work.

Check the most recent findbugs version in Maven Central.

FindBugs is provided under the LGPL, so there should not be any problems for your company. Also, you are merely using FindBugs; you are not developing something derived from FindBugs.

barfuin

In theory, it should be entirely safe (as defined in the OP's clarifying comment) to exclude the Findbugs transitive dependency. If used correctly, Findbugs should only be used when building the library, not using it. It's likely that someone forgot to add <scope>test</scope> to the Findbugs dependency.

So - go ahead and try the exclusion. Run the application. Do you get classpath errors, application functionality related to the library that doesn't work, or see messages in the logs that seem to be due to not having Findbugs available? If the answer is yes I personally would rethink using this particular library in my application, and would try to find an alternative.

Also, congratulations on doing the classpath check up front! As a general practice, it is a great idea to do what you have done every time you include a library in your application: add the library, then check what other transitive dependencies it brings, and do any necessary classpath clean-up at the start. When I do this I find it makes my debugging sessions much shorter.

user944849
  • Note to anyone else who comes along, it is NOT SAFE to exclude the library by omitting it from the POM. It needs to be there, but it should have `scope=provided`. I read this answer too fast, excluded it from the POM entirely, and then had problems. – Ned Twigg May 13 '15 at 18:52
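The pom.xml fragment below puts the accepted answer and Ned Twigg's comment together: it cuts the findbugs jar out of the library's transitive dependencies and re-declares the annotation jars with provided scope, so they are on the compile classpath but never packaged into the application. It is an added example, not code from the question or the answers; org.example:some-library:1.0.0 is a placeholder for the library that pulls findbugs in, and the findbugs coordinates are the ones quoted above.

```xml
<!-- Added example (not from the original Q&A). org.example:some-library is a
     placeholder for the library whose POM declares the findbugs dependency. -->
<dependencies>
  <!-- The library you actually want. The exclusion removes the transitive
       findbugs jar from the runtime classpath and from the packaged artifact. -->
  <dependency>
    <groupId>org.example</groupId>
    <artifactId>some-library</artifactId>
    <version>1.0.0</version>
    <exclusions>
      <exclusion>
        <groupId>com.google.code.findbugs</groupId>
        <artifactId>annotations</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Re-declare the annotation jars directly with provided scope, as the
       accepted answer recommends: present for compilation and for the FindBugs
       analysis, absent from the packaged application. A direct declaration
       takes precedence over the transitive one in Maven's dependency
       mediation, so this also works without the exclusion above; keeping both
       makes the intent explicit. -->
  <dependency>
    <groupId>com.google.code.findbugs</groupId>
    <artifactId>annotations</artifactId>
    <version>3.0.2</version>
    <scope>provided</scope>
  </dependency>
  <dependency>
    <groupId>com.google.code.findbugs</groupId>
    <artifactId>jsr305</artifactId>
    <version>3.0.2</version>
    <scope>provided</scope>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree` should list the two com.google.code.findbugs artifacts only with `provided` scope; if they still show up as `compile`, another dependency is pulling them in and needs the same treatment.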