Skip to content

Sounie/dependency-check

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits

gradle/wrapper

gradle/wrapper

 
 

src

src

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

build.gradle

build.gradle

 
 

generate-pom.sh

generate-pom.sh

 
 

gradlew

gradlew

 
 

gradlew.bat

gradlew.bat

 
 

pom.xml

pom.xml

 
 

settings.gradle

settings.gradle

 
 

Repository files navigation

Dependency Checker

Example of checking whether an application includes a dependency on particular packages.

Dependencies of this project

  • Java 11
  • Junit for unit tests.
  • ClassGraph for scanning the code to build up relations.
  • Gradlew for building (the pom.xml file is generated to allow Github to detect dependencies - don't expect to be able to build with maven).

Motivation

Some Java libraries and frameworks specify a broad range of dependencies. Sometimes those dependencies are only required for a subset of the uses of the library. Sometimes the dependencies clash with a version of the same library that an application already includes.

Maven, Gradle etc. allow us to specify some exclusions when bringing in a dependency.

Wouldn't it be nice if we could have confidence that our application will not break at runtime when some untested path through a library is reached?

Version history

Current implementation

  • Recursively checks from initial package, checking whether any dependency exists that would introduce a class from one of the unwanted packages, or any sub-package.
  • Unit tests attempt to check whether code that references apache hadoop mapreduce functionality would lead to the Jersey server or Jersey packages that are included as dependencies of that hadoop client artifact.

First attempt

  • Just starts from a specified package, then recursively steps through the detected dependencies and accumulates the class names and checks whether a class is in one of the specified unwanted packages. A single object with 2 unit tests. Not set up as a distributable artifact.

Known limitations

  • The recursive approach to accumulating dependency class information could potentially run out of stack.
  • Won't pick up on dependencies that are brought in by reflection, including dependency injection frameworks driven by classpath scanning or XML files. e.g. if your code specifies an interface, then the framework detects an implementation in your classpath and wires it in at runtime, the compile time checking applied in this system wouldn't pick that up.
  • If a dependency brings in is dependencies as "shaded" classes, then those will not match against our specified exclusions. This occurred as a potential gotcha when I read the documentation for hadoop 3.2.0.

About

Check whether some Java code is transitively dependent on some other packages.

Topics

java dependencies-checking

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages