[MEDP-964] unconditionally ignore dependencies known to be loaded by reflection (#1492)

elharo · web-flow · commit 953f412d4ceb · 2025-07-07T12:44:44.000Z
* unconditionally ignore dependencies known to be loaded by reflection
* docs
diff --git a/src/main/java/org/apache/maven/plugins/dependency/analyze/AbstractAnalyzeMojo.java b/src/main/java/org/apache/maven/plugins/dependency/analyze/AbstractAnalyzeMojo.java
@@ -78,15 +78,15 @@ public abstract class AbstractAnalyzeMojo extends AbstractMojo {
     private boolean verbose;
 
     /**
-     * Ignore Runtime/Provided/Test/System scopes for unused dependency analysis.
+     * Ignore runtime/provided/test/system scopes for unused dependency analysis.
      * <p>
      * <code><b>Non-test scoped</b></code> list will be not affected.
      */
     @Parameter(property = "ignoreNonCompile", defaultValue = "false")
     private boolean ignoreNonCompile;
 
     /**
-     * Ignore Runtime scope for unused dependency analysis.
+     * Ignore runtime scope for unused dependency analysis.
      *
      * @since 3.2.0
      */
@@ -211,13 +211,18 @@ public abstract class AbstractAnalyzeMojo extends AbstractMojo {
      * segment is treated as an implicit wildcard. *
      * <p>
      * For example, <code>org.apache.*</code> matches all artifacts whose group id starts with
-     * <code>org.apache.</code>, and <code>:::*-SNAPSHOT</code> will match all snapshot artifacts.
+     * <code>org.apache.</code>, and <code>:::*-SNAPSHOT</code> matches all snapshot artifacts.
      * </p>
      *
+     * <p>Certain dependencies that are known to be used and loaded by reflection
+     * are always ignored. This includes {@code org.slf4j:slf4j-simple::}.</p>
+     *
      * @since 2.10
      */
-    @Parameter(defaultValue = "org.slf4j:slf4j-simple::")
-    private String[] ignoredUnusedDeclaredDependencies;
+    @Parameter
+    private String[] ignoredUnusedDeclaredDependencies = new String[0];
+
+    private String[] unconditionallyIgnoredDeclaredDependencies = {"org.slf4j:slf4j-simple::"};
 
     /**
      * List of dependencies that are ignored if they are in not test scope but are only used in test classes.
@@ -361,6 +366,7 @@ private boolean checkDependencies() throws MojoExecutionException {
 
         ignoredUnusedDeclared.addAll(filterDependencies(unusedDeclared, ignoredDependencies));
         ignoredUnusedDeclared.addAll(filterDependencies(unusedDeclared, ignoredUnusedDeclaredDependencies));
+        ignoredUnusedDeclared.addAll(filterDependencies(unusedDeclared, unconditionallyIgnoredDeclaredDependencies));
 
         if (ignoreAllNonTestScoped) {
             ignoredNonTestScope.addAll(filterDependencies(nonTestScope, new String[] {"*"}));
diff --git a/src/site/apt/examples/exclude-dependencies-from-dependency-analysis.apt.vm b/src/site/apt/examples/exclude-dependencies-from-dependency-analysis.apt.vm
@@ -28,16 +28,18 @@ Exclude dependencies from dependency analysis
   A project's dependencies can be analyzed as part of the build process by binding the <<<dependency:analyze-only>>>
   goal to the lifecycle.  By default, the analysis will be performed during the <<<verify>>> lifecycle phase.  
 
-  In rare cases it is possible to have dependencies that are
-  legitimate on the classpath but cause either "Declared but unused"
-  or "Undeclared but used" warnings. The most common case is with jars
-  that contain annotations and the byte code analysis is unable to
-  determine whether a jar is actually required or not.
+  It is possible to have necessary dependencies on the classpath that
+  cause either "Declared but unused" or "Undeclared but used" warnings.
+  One common cause of byte code analysis being unable to
+  determine whether a jar is required are annotations with
+  source retention. Another common cause is
+  a class that is loaded by reflection at runtime.
 
-  The plugin can then be configured to ignore dependencies that are
-  "declared but unused", "undeclared but used", and "non-test scoped"
-  in selected list or in all simultaneously.
+  The dependency plugin does not warn about a few common dependencies
+  where its analysis is known to be unreliable, most notably SLF4J.
 
+  If you encounter other false positives, you can configure the plugin to ignore particular
+  dependencies that are "declared but unused", "undeclared but used", and "non-test scoped".
   See the following POM configuration for an example:
 
 +---+
