Maven Shared Components / MSHARED-47

maven-dependency-analyzer finds too many used dependencies

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None
    • Patch Submitted:
      Yes
    • Number of attachments :
      1

      Description

      I'll just quote the post from our internal mailing list:

      "I don't like that plugin - it has reported dozens of missing dependencies that were unnecessary for me, so I stopped using it. The most common example is when you have a dependency on a project that has a dependency on Xerces, Xalan or some other XML project and your project has java.xml.* imports, which you're resolving from the JDK, it gives a higher priority to external dependencies, even if another project introduces them, than it does to JDK libraries."

      I've got a (possible) patch coming up in a few...

          Activity

          Jerrimiah Nance added a comment - - edited

          I'm kind of surprised that this doesn't bother more people.
          failOnWarning (http://maven.apache.org/plugins/maven-dependency-plugin/analyze-mojo.html#failOnWarning) is pretty useless if builds constantly fail because of incorrectly identified dependencies.

          Example

          I have to depend on large legacy projects that I can't really modify. Most of these projects have dependencies on, for instance

          <dependency>
          	<groupId>xml-apis</groupId>
          	<artifactId>xml-apis</artifactId>
          	<version>1.3.04</version>
          </dependency>
          

          In my own code, I reference javax.xml.transform.Transformer.
          When calling mvn dependency:analyze, Maven will bug me that xml-apis is used, but undeclared.

          Until this is fixed "officially", I am using a patched version of maven-dependency-analyzer (using the patch attached to this issue).

          Mirko Friedenhagen added a comment -

          Herve,

          I like your solution better, two questions come to my mind:

          • Is there an official list of the JDK's API packages? I see java, javax and maybe some org packages, is this really all?
          • For your solution do you suggest to put the JDK's API package lists into a shared JAR of its own?

          I never encountered this, however the issue is quite old so maybe should just drop this.

          Herve Boutemy added a comment -

          I'm interested in this issue and have a few questions:

          • Can you give me an example of such an artifact having a dependency on Xerces? I need to write a unit test.
          • Parsing the whole JDK does probably take a lot of time and memory: did you try to measure it?

          Another idea would be to use JDK's API package list to detect classes to ignore: any objection?

          brianfox added a comment -

          Cool. We should introduce a flag to the plugin to optionally ignore this, but looks good

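
The misattribution discussed in this thread, and the effect of skipping classes the JDK itself provides, as an added example (it is not the attached patch and not maven-dependency-analyzer code). It asks the running JDK through the platform class loader instead of consulting a package list and assumes Java 9 or later; the class `JdkAwareAnalysis`, its methods, the `ignoreJdkClasses` switch and the `com.example:legacy-lib` coordinates are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/** Added illustration; not taken from maven-dependency-analyzer or the attached patch. */
public class JdkAwareAnalysis {

    /** True if the running JDK (Java 9+) itself provides the class. */
    static boolean providedByJdk(String className) {
        String resource = className.replace('.', '/') + ".class";
        return ClassLoader.getPlatformClassLoader().getResource(resource) != null;
    }

    /**
     * Attributes each referenced class to the first classpath artifact that
     * contains it and returns the artifacts that are used but not declared.
     */
    static Set<String> usedUndeclared(Set<String> referenced,
                                      Map<String, Set<String>> artifactClasses,
                                      Set<String> declared,
                                      boolean ignoreJdkClasses) {
        Set<String> result = new TreeSet<>();
        for (String cls : referenced) {
            if (ignoreJdkClasses && providedByJdk(cls)) {
                continue; // resolved from the JDK, so no artifact counts as "used"
            }
            for (Map.Entry<String, Set<String>> e : artifactClasses.entrySet()) {
                if (e.getValue().contains(cls)) {
                    if (!declared.contains(e.getKey())) {
                        result.add(e.getKey());
                    }
                    break;
                }
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: xml-apis arrives transitively through a legacy dependency.
        Map<String, Set<String>> classpath = new LinkedHashMap<>();
        classpath.put("com.example:legacy-lib", Set.of("com.example.legacy.Report"));
        classpath.put("xml-apis:xml-apis", Set.of("javax.xml.transform.Transformer"));
        Set<String> declared = Set.of("com.example:legacy-lib");
        Set<String> referenced = Set.of("javax.xml.transform.Transformer",
                                        "com.example.legacy.Report");
        System.out.println("without JDK check: " + usedUndeclared(referenced, classpath, declared, false));
        System.out.println("with JDK check:    " + usedUndeclared(referenced, classpath, declared, true));
    }
}
```

Without the check the transitive `xml-apis:xml-apis` is reported as used but undeclared; with it, `javax.xml.transform.Transformer` is attributed to the JDK and nothing is reported.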

            People

            • Assignee:
              brianfox
            • Reporter:
              Matthew Beermann
            • Votes:
              1
            • Watchers:
              4
