The 'Illegal' Transitive Dependency Check Rule

The IllegalTransitiveDependencyCheck is an additional rule for the maven-enforcer-plugin. The rule checks if all classes in a certain artifact references only classes that are provided by explicitly declared dependencies. Thus the rule will list (or complain about) all classes that are only available through transitive dependencies.

You can run the check by configuring the maven-enforcer-plugin to make use of the additional rule:

<project>
  ...
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>1.3.1</version>
        <dependencies>
          <dependency>
            <groupId>de.is24.maven.enforcer.rules</groupId>
            <artifactId>illegal-transitive-dependency-check</artifactId>
            <version>1.7.4</version>
          </dependency>
        </dependencies>
        <executions>
          <execution>
            <id>enforce</id>
            <phase>verify</phase>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <illegalTransitiveDependencyCheck implementation="de.is24.maven.enforcer.rules.IllegalTransitiveDependencyCheck">
                  <reportOnly>false</reportOnly>
                  <useClassesFromLastBuild>true</useClassesFromLastBuild>
                  <suppressTypesFromJavaRuntime>true</suppressTypesFromJavaRuntime>
                  <regexIgnoredClasses>
                      <regexIgnoredClass>javax\..+</regexIgnoredClass>
                      <regexIgnoredClass>org\.hibernate\..+</regexIgnoredClass>
                  </regexIgnoredClasses>
                  <listMissingArtifacts>false</listMissingArtifacts>
                </illegalTransitiveDependencyCheck>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  ...
</project>

The rule itself can be configured to only report violations or even to signal the enforcer-plugin to break the build by specifying the attribute reportOnly. You may also exclude classes or packages from analysis by providing regex-patterns to parameter regexIgnoredClasses (e.g. my\.suppressed\.Type).

In addition to these exclusions types from packages javax.*,sun.*, jdk.*, org.* and com.sun.* that are available through the current Java runtime can be excluded automatically by setting parameter suppressTypesFromJavaRuntime.

By default the rule will resolve the currently analyzed artifact in the Maven repository. In case the enforcer-plugin runs in a phase compiled classes are available in the target folder (e.g. verify) artifact-resolving can be avoided by setting parameter useClassesFromLastBuild to true.

(Since version 1.7.4 the regexIngoredClasses filtering is also applied to the classes of the artifact currently analyzed. Thus direct dependencies of that classes will not be considered. See request #29)

If not only the classes but also the transitively used artifacts should be listed the parameter listMissingArtifacts can be set to true. Caution: This option is really slow!

Releases are available here in Maven's central repository.