maven-dependency-plugin 3.6.+ started to find new 'Used undeclared dependencies found' during dependency:analyze goal

Question

I'm trying to migrate a project from java 11 to 21, for this i need to update the dependency plugin from 3.1.2 to 3.6.+ (the lower one doesn't support 21)

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>3.1.2</version> -> to 3.6.1
    <configuration>
       <failOnWarning>true</failOnWarning>
       <excludeTransitive>true</excludeTransitive>
    </configuration>
</plugin>

But I've found that seems 3.6.+ work a bit differently (even with java 11) it started to find multiple of new "Used undeclared dependencies"

16:42:43:965 [main] [ERROR] Used undeclared dependencies found:
16:42:43:965 [main] [ERROR]    org.springframework:enter code herespring-web:jar:5.3.30:compile

As I know it analyzes a compiled bytecode to find the 'Used undeclared dependencies', but it's wrong: there are no any imports in compiled classes from those libs it found.

I can't get why it happens so? Is it plugin bug? Or am I doing something wrong? Have anybody experienced something like this?

Here is a full reproducible repo of this problem

Answer 1

You can circumvent that problem by using a different versions of the maven-dependency-analyzer like the following:

<build>
    <pluginManagement>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
                <version>3.6.1</version>
                <configuration>
                    <failOnWarning>true</failOnWarning>
                </configuration>
                <dependencies>
                    <dependency>
                        <groupId>org.apache.maven.shared</groupId>
                        <artifactId>maven-dependency-analyzer</artifactId>
                        <version>1.13.0</version>
                    </dependency>
                </dependencies>
            </plugin>
        </plugins>
    </pluginManagement>

    <plugins>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-dependency-plugin</artifactId>
            <executions>
                <execution>
                    <id>analyze-dependencies</id>
                    <goals>
                        <goal>analyze-only</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

Answer 2

I am also currently working on the upgrade from java 17 to java 21. I upgraded the maven-dependency-plugin to version 3.6.1, and I currently face the same error: [ERROR] Used undeclared dependencies found: ....

2 workarounds that work are to either:

• Add ignoredUnusedDeclaredDependencies or ignoredDependencies to the configuration of the maven-dependency-plugin. Here is a link that provides more details: https://maven.apache.org/components/plugins/maven-dependency-plugin/examples/exclude-dependencies-from-dependency-analysis.html
• Manually declare the dependency even thought you are not explictly using it