Tracing jars from BOM - spring

Is there an easy way for me to trace a jar back to which BOM artifact it is from?
I need to upgrade org.dom4j:dom4j, but I need to figure out which of the artifact brings it in. Is there a way to print out all the transitive dependencies in Gradle? Thanks!

Depending on if you use gradle wrapper or not, gradlew dependencies or gradle dependencies should give you the dependency tree, but it doesnt show which BOM sets a specific version.
But it will show you if a dependency forces another dependency to chance its expected version.
I would recommend pipe it to a file to read easier (windows == gradle dependencies > dependencies.txt)

Related

Build gradle dependency tree without downloading jars

A jar has been removed from organization's repository for being unsafe, but we can download its pom. We are trying to figure which dependencies of a project are dependent on it. Tried running gradle dependencies but that doesn't complete due to the same missing jar.
Is there any gradle command or something similar to create dependency tree for the project without trying to download jars? As far as I understand, creating dependency tree should only require POMs. Please correct me if I am wrong. I am somewhat new with gradle.

Issues with transitive dependency of a jar file - gradle

I am using gradle for dependency resolution but we rely on a library with cannot be resolved from a repo. As a workaround they asked us to use a workaround like :
implementation (files($network-file-path/lib.jar))
but this in turn is bringing a lot of transitive dependencies and causing a lot of trouble. I am very new to gradle and could not find a fix.
Is there a way through I can omit all the transitive dependencies of this specific jar ?
We are using gradle version 7.3.3

How to see transitive dependencies for mvnrepository.com?

Let's say I'm interested in using https://mvnrepository.com/artifact/org.apache.avro/avro. How can I find which other dependencies avro will bring in and which version of those dependencies it will bring in. I know I can manually add the dependency to a project's link pom.xml and run
mvn dependency:tree | tee tree.txt
to see which dependencies are used but this requires always fixing up compilation errors and there should be an easier way.
I was wondering if there's any way to check which transitive dependencies that a parent dependency will bring in using a website that will straight up mention that info.
https://mvnrepository.com/ itself has the dependencies information just select a version and scroll down to see list of dependencies.

Is there a way to detect if a new dependency has been added to a maven project since it's previous build/release?

When a transitive dependency changes, there is no direct change in the project I am working on. When I update a dependency that itself brings in new dependencies since its previous version, transitive dependencies are difficult to track and it would be good to know if there is any new library added to the project I am building or the version of an existing transitive dependency has changed.
Is there a maven plugin that can detect a dependency change like this or a maven flag?
Use mvn dependency:list -Dsort=true > file to generate all dependencies into file. After POM changes generate second file. Then diff files to see changes
If you don't do any changes also transitive dependencies will not change. This can happen only if you change POM. For example you change version of used dependency.
If a library changes dependencies, version of the library will increase. To be affected by this changes you would need to use that new version in POM.

Is there a Maven equivalent of "gradle dependencyInsight"?

In gradle, the command gradle dependencyInsight --dependency <artifact-name> prints a reverse dependency graph for a specific artifact.
Is there something equivalent in Maven?
I'm aware of mvn dependency:tree. This is the equivalent of gradle dependencies. However this is not what I'm asking about.
One way is to use filtering with maven dependency plugin
mvn dependency:tree -Dincludes=[groupId]:[artifactId]:[type]:[version]
Check the link, there is an example. The output isn't actually in reverse but it shouldn't be too hard to read it in reverse by yourself.
Eclipse-IDE has some nice features which allows dependencies to tracked without using command line. Open pom.xml, open dependency hierarchy tab and there, dependencies can be filtered. Other IDEs might have similar features as well.

Resources