A Maven plugin that tracks a project's direct dependencies (transitive dependencies are excluded) and writes them to a file, which is produced as an artifact in the build directory.
By default, the plugin executes at the `compile` phase, which is the earliest phase at which it can be configured to run and still discover the dependencies. For packaging types where the `compile` phase does not apply, `prepare-package` or `package` is usually a good choice; otherwise you will have to determine the appropriate phase yourself.
The generated dependency report artifact can be found in the build directory (`target`) and is named `${project.build.finalName}-dependencies.txt`, i.e. its name always ends with `-dependencies.txt`.
The contents of the generated artifact file are interpreted as follows: each line is a key-value pair separated by an equals sign, one line per dependency. The key is of the form `groupId:artifactId:type:version`, or `groupId:artifactId:type:classifier:version` for dependencies with a classifier, and the value is the SHA-1 hash of the actual dependency file (e.g. the jar file). The entries are always sorted alphabetically by key.
Below is an example of the artifact file's contents for a project with only 3 dependencies:

```text
org.slf4j:slf4j-api:jar:2.0.6=88c40d8b4f33326f19a7d3c0aaf2c7e8721d4953
org.slf4j:slf4j-api:test-jar:tests:2.0.6=88c40d8b4f33326f19a7d3c0aaf2c7e8721d4953
org.slf4j:slf4j-nop:jar:1.0.0-SNAPSHOT=bd0a88459dd8c99bb9d2474965c1aa36c7d66fb
```
The plugin is also capable of comparing the dependency report generated by the current build with the most recent one deployed to a remote repository; this repository is the one defined in the `dependencyManagement` section of the project's POM file. To enable comparison of reports, set the plugin's `compare` configuration option to `true` in the POM file.
The result of the comparison is written to a report in the build directory (`target`) named `${project.build.finalName}-comparison.txt`, i.e. its name always ends with `-comparison.txt`. The contents of the comparison artifact file are interpreted as follows: `0` for identical reports, `1` for reports that are not identical, and `-1` when no report is found in the remote repository. A result of `-1` typically occurs on the first build of the project.
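The report format and the comparison result codes described above, as an added Python example that is not part of the plugin's own code base: it parses two reports into coordinate-to-SHA-1 maps, rejects malformed or duplicate lines instead of guessing, and returns the plugin's `0`/`1`/`-1` result together with which dependencies were added, removed or had their hash change. The sample reports are constructed for this example; the `slf4j-api` jar line reuses the coordinate and hash from the listing above, the other hashes are made-up placeholders.

```python
import re
from typing import Dict, Optional, Tuple

# Grammar from the README: key is groupId:artifactId:type:version or
# groupId:artifactId:type:classifier:version; value is the file's SHA-1.
_ENTRY_RE = re.compile(r"^([^=\s]+)=([0-9a-fA-F]{40})$")

def parse_report(text: str) -> Dict[str, str]:
    """Parse a *-dependencies.txt report into {coordinate: sha1}; reject
    malformed lines, odd coordinates and duplicates rather than guessing."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = _ENTRY_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        key, sha1 = match.groups()
        if len(key.split(":")) not in (4, 5):
            raise ValueError(f"line {lineno}: unexpected coordinate {key!r}")
        if key in entries:
            raise ValueError(f"line {lineno}: duplicate coordinate {key!r}")
        entries[key] = sha1.lower()
    return entries

def compare_reports(current: str, previous: Optional[str]) -> Tuple[int, Dict[str, list]]:
    """Plugin result codes: 0 identical, 1 different, -1 no previous report
    (typically the first build); also report what changed."""
    if previous is None:
        return -1, {}
    cur, prev = parse_report(current), parse_report(previous)
    changes = {
        "added": sorted(cur.keys() - prev.keys()),
        "removed": sorted(prev.keys() - cur.keys()),
        "changed": sorted(k for k in cur.keys() & prev.keys() if cur[k] != prev[k]),
    }
    return (1 if any(changes.values()) else 0), changes

# Constructed sample reports: the slf4j-api jar line reuses the coordinate and
# hash shown in the README listing; the other hashes are made-up placeholders.
PREVIOUS_REPORT = (
    "org.slf4j:slf4j-api:jar:2.0.6=88c40d8b4f33326f19a7d3c0aaf2c7e8721d4953\n"
    "org.slf4j:slf4j-nop:jar:2.0.6=0123456789abcdef0123456789abcdef01234567\n"
)
CURRENT_REPORT = (
    "org.slf4j:slf4j-api:jar:2.0.6=fedcba9876543210fedcba9876543210fedcba98\n"
    "org.slf4j:slf4j-api:test-jar:tests:2.0.6=88c40d8b4f33326f19a7d3c0aaf2c7e8721d4953\n"
)
```

A hash that changes for an unchanged coordinate (as with `slf4j-api` here) is the case worth alerting on in CI, since the version string alone would not reveal that a different file was resolved.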
ATTENTION!!

It is highly recommended to run your builds with the `--update-snapshots` (`-U`) flag, so that the latest snapshot builds of your dependencies are downloaded and used to generate the dependency report artifact. For builds that run in a 'clean' environment every time, e.g. on a CI server where a new container is used for every build, this might not be necessary.
Add the configuration below to your project POM file:

```xml
<plugin>
    <groupId>net.mekomsolutions.maven.plugin</groupId>
    <artifactId>dependency-tracker-maven-plugin</artifactId>
    <version>${pluginVersion}</version>
    <executions>
        <execution>
            <goals>
                <goal>track</goal>
            </goals>
        </execution>
    </executions>
</plugin>
```
Replace `${pluginVersion}` with an actual plugin version, then build your project.
To compare dependency reports, the configuration would be as below:

```xml
<plugin>
    <groupId>net.mekomsolutions.maven.plugin</groupId>
    <artifactId>dependency-tracker-maven-plugin</artifactId>
    <version>${pluginVersion}</version>
    <configuration>
        <compare>true</compare>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>track</goal>
            </goals>
        </execution>
    </executions>
</plugin>
```
Example command to run from the root of your project:

```shell
mvn clean compile net.mekomsolutions.maven.plugin:dependency-tracker-maven-plugin:track -U
```

Note that we set the `-U` flag, which forces snapshot updates. You can replace `compile` with any other appropriate phase depending on your packaging type.