Large Java projects often struggle to get their dependencies right. We share best practices and Maven plugins that help solving maintenance problems and help keep the build healthy.
Maven supports defining project dependency versions on different locations: in project
/ dependencyManagement
/ dependencies
and project
/ dependencies
.
Don’t: define versions in project
/ dependencies
.
Do: define versions in project
/ dependencyManagement
/ dependencies
.
For multi-module Maven projects, define versions in dependencyManagement
of the project root pom.xml
.
Every developer working with Maven projects should understand this. Read Maven Dependencies documentation to learn about the background of this recommendation.
Various projects (such as Spring Framework) have BOM pom files. For dependencies with multiple modules, this ensures that those modules are all of the same version. Concepts are explained in the Maven guide, section Importing Dependencies. Another good introduction is provided by Baeldungs Spring with Maven BOM article.
Some classes are available in multiple dependencies. Having different dependencies with the same classes in one product, can cause huge problems. The version of the class loaded is unpredictable. This can lead to (hard-to-debug) build and runtime errors.
Some causes of how classes get duplicated:
javassist:javassist
, but was moved to org.javassists:javassist
.Google Collections
, has been merged into Google Guava
.Do:
Sometimes one dependency is used multiple times by transitive dependencies. Often happens with common libraries like Guava
, Apache Commons Lang
, Apache Commons IO
etc.
Maven does not choose the correct version automatically. Maven selects the version of the dependency with the shortest path in the dependency tree, which is not always the latest version. In general, what is needed, is the latest version.
Do:
dependencyManagement
in the project root pom.xml
file.Keep your dependencies up-to-date using Versions Maven Plugin. This plugin reduces automates this task, and as libraries are following the semantic versioning principle better and better, this plugin can take this task with less effort of developers.
Always stay up-to-date with the latest minor version of libraries. This saves the product often from vulnerabilities and reduces the chance for incompatibilities when adding more third-party libraries to the project.
Security vulnerabilities are found on daily basis in java libraries. Common Vulnerabilities and Exposures (CVE) of software components are collected by NIST.
There is an OWASP Maven dependency-check plugin, which can check for CVEs. It uses the NIST database as source, and scans Java code and Javascript code in the full dependency tree.
Do:
Maven provides a plugin that can find out if your project has unused dependencies, or is using dependencies without declaring the dependency itself.
The Maven dependency:analyze goal helps to find those dependencies. Removing unused dependencies is worth spending time on, as it keeps you project as small as possible which makes it easier to adapt to future needs.
Regularly analyze dependencies and see if actual versions resolved are the ones expected.
To view the list of Maven dependencies in a project:
mvn depenency:tree | less
To view the pom.xml with versions of all dependencies actually used:
mvn help:effective-pom | less
For products packaging a WAR or Spring-Boot JAR, you can also check the exploded package, and see if any unexpected libraries are in there.
As you can see, there are many preventive measures available to keep your project healthy.
Looking for help to improve your Maven builds? Let us support you! Mail us at info@squins.com.
We’re looking for new software craftsman to join our company. View our vacancy for Java Developer (in 🇳🇱)
Posted in: Java Maven Architecture SecurityWe've years of experience helping startups and scale-ups to work more efficient by creating apps that are fit their needs.
Let’s talk. We look forward to exploring the opportunity to help your company too.
Go ahead and send us a message. We look forward to exploring the opportunity to help you too.