
I was asked to optimize the dependencies of a big Maven project, i.e. find and remove any and all dependencies that are not being used by the project. Therefore I chose the plugin maven-dependency-analysis:

    <plugin>
        <artifactId>maven-dependency-plugin</artifactId>
        <version>3.1.1</version>
        <dependencies>
            <dependency>
                <groupId>org.apache.maven.shared</groupId>
                <artifactId>maven-dependency-analyzer</artifactId>
                <version>1.11.1</version>
            </dependency>
        </dependencies>
    </plugin>

to output a report of Maven dependencies that are not being used, by executing the command `mvn dependency:analyze -DignoreNonCompile=true`. I found that most dependencies reported under the "Unused declared dependencies found" section could be removed without any sort of problem; however, there were a few dependencies whose removal caused compilation errors. I was wondering why such dependencies are included in the "Unused declared dependencies found" section and if there is something that I'm missing?

Thank you for your attention.

João Matos

1 Answer


It's important to understand how this mechanism works:

Maven uses the ObjectWeb ASM framework that analyzes your raw bytecode. It goes through all your classes and then builds a list of all classes that these reference.

But you can use a class in different ways, typically using reflection (and there are also some things that are not compiled into class files: https://maven.apache.org/plugins/maven-dependency-plugin/faq.html#unused) and this mechanism cannot detect that.

jirka.pinkas
[Lombok](https://stackoverflow.com/questions/46407450/incorrect-results-in-mvn-dependencyanalyze) and [Spring Boot](https://stackoverflow.com/questions/37528928/spring-boot-core-dependencies-seen-as-unused-by-maven-dependency-plugin) are some examples of false positives. – Leponzo Jul 26 '22 at 16:45