• Stars
    star
    146
  • Rank 252,769 (Top 5 %)
  • Language
    Java
  • License
    Apache License 2.0
  • Created over 9 years ago
  • Updated about 1 month ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Build time tool for detecting link problems in java projects

missing-link - a maven dependency problem finder

Build Status Maven Central Coverage Status

Be warned. This project is still immature and in development. The API may change at any time. It may not find all problems. It may find lots of false positives.

Quickstart - add missinglink to your Maven build

Add the following plugin to pom.xml:

<plugin>
  <groupId>com.spotify</groupId>
  <artifactId>missinglink-maven-plugin</artifactId>
  <version>0.2.1</version>
  <executions>
    <execution>
      <goals><goal>check</goal></goals>
      <phase>process-classes</phase>
    </execution>
  </executions>
</plugin>

See how to configure the plugin below.

Problem definition

When using Java and Maven, it's easy to get into a state of pulling in a lot of dependencies. Sometimes you even get transitive dependencies (I depend on X which in turn depends on Y). This can lead to conflicting dependencies sometimes.

I depend on libraries X and Y. X depends on Foo v2.0.0 and Y depends on Foo v3.0.0

Thus, I now have transitive dependencies on two different (incompatible) versions of Foo. Which one do I pick?

If I pick v2.0.0, Y may fail in runtime due to missing classes or methods. If I pick v3.0.0, X may fail instead.

In order to solve this, maven has an enforcer plugin which can detect these problems. Then you have to manually choose one of the versions and hope that it works.

You can also try to upgrade library X to use Foo v3.0.0. Sometimes this is tricky and time-consuming, especially if X is a foreign dependency.

A new approach at solving some of the problems

The idea is to programmatically analyze each dependency - what does the code depend on and what does it export - on a lower level. Instead of just looking at version numbers, we look at the actual signatures in the code.

For instance, maybe the difference between Foo v2.0.0 and Foo v3.0.0 is only this method signature:

// Foo v2.0.0
void Foo.bar(String s, int i);

// Foo v3.0.0
void Foo.bar(String s, boolean b);

If X or Y doesn't actually use this method, it may not matter if we're using version 2 or 3. This is often the case of large libraries where we only use a small subset of the methods (google guava for instance).

(Note: I am only looking at this from an API perspective - the actual code may have different behaviour which is out of scope for this project)

Maven plugin

This problem finder can be executed against your Maven project from the command-line like:

$ mvn com.spotify:missinglink-maven-plugin:0.2.1:check

The plugin will scan the source code of the current project, the runtime dependencies (from the Maven model), and the bootstrap JDK classes (i.e. java.lang, java.util) for conflicts. Any conflicts found will be printed out, grouped by category of the conflict, the artifact (jar file) it was found it, and the problematic class.

Requirements

This plugin is using Java 8 language features. While the JVM used to execute Maven must be at version 1.8 or greater, the Maven projects being analyzed can be using any Java source version.

Note that when using a higher JVM version to execute Maven than what the project is being compiled with (the source argument to maven-compiler-plugin), some care should be taken to make sure that the higher-versioned bootclasspath is not accidentally used with javac.

Configuration of the plugin

Once projects get to be of a certain size, some level of conflicts - mostly innocent - between the various dependencies and inter-dependencies of the libraries used are inevitable. In this case, you will probably want to add the missinglink-maven-plugin as a <plugin> to your pom.xml so you can tweak some of its configuration options.

For example, ch.qos.logback:logback-core includes a bunch of optional classes that reference groovy.lang classes. Since the logback dependency specifies its dependency on groovy as optional=true, the Groovy jar is not automatically included in your project (unless you explicitly need it).

The missinglink-maven-plugin offers a few configuration options that can be used to reduce the number of warnings to avoid drowning in "false" positives.

The suggested workflow for using this plugin is to execute it against your project once with no configuration, then carefully add dependencies/packages to the ignores list after you are sure these are not true issues.

To add the plugin to your project, add the following to the <plugins> section:

<plugin>
  <groupId>com.spotify</groupId>
  <artifactId>missinglink-maven-plugin</artifactId>
  <version>VERSION</version>
</plugin>

The plugin can be specified to fail the build if any conflicts are found. To automatically execute the plugin on each build, add an <execution> section like:

<configuration>
  <failOnConflicts>true</failOnConflicts>
</configuration>
<executions>
  <execution>
    <goals><goal>check</goal></goals>
    <phase>process-classes</phase>
  </execution>
</executions>

Exclude some dependencies from analysis

Specific dependencies can be excluded from analysis if you know that all conflicts within that jar are "false" or irrelevant to your project.

For example, logback-core and logback-classic have many references (in optional classes) to classes needed by the Groovy language. To exclude these jars from being analyzed, add an <excludeDependencies> section to <configuration> like:

<excludeDependencies>
  <excludeDependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-core</artifactId>
  </excludeDependency>
  <excludeDependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
  </excludeDependency>
</excludeDependencies>

Ignore conflicts in certain packages

Conflicts can be ignored based on the package name of the class that has the conflict. There are separate configuration options for ignoring conflicts on the "source" side of the conflict and the "destination" side of the conflict.

For example, if com.foo.Bar calls a method void doSomething(int) in the biz.blah.Something class, then com.foo.Bar is on the source/calling side and biz.blah.Something is on the destination/callee side.

Packages on the source side can be ignored with <ignoreSourcePackages> and packages on the destination side can be ignored with <ignoreDestinationPackages>:

<configuration>
  <!-- ignore conflicts with groovy.lang on the caller side -->
  <ignoreSourcePackages>
    <ignoreSourcePackages>
      <package>groovy.lang</package>
    </ignoreSourcePackages>
  </ignoreSourcePackages>
  <!-- ignore conflicts with com.foo on the callee side -->
  <ignoreDestinationPackages>
    <ignoreDestinationPackage>
      <package>com.foo</package>
    </ignoreDestinationPackage>
  </ignoreDestinationPackages>
</configuration>

By default, all subpackages of the specified packages are also ignored, but this can be disabled on an individual basis by adding <filterSubpackages>false</filterSubpackages> to the <ignoreSourcePackage> or <ignoreDestinationPackage> element. Note: In previous releases (<=0.2.5), this setting was named ignoreSubpackages. Setting ignoreSubpackages in your pom.xml is still supported; the plugin will translate it to the new key value.

Target only conflicts from certain packages

Conversely, the plugin can be configured to only report on conflicts in specific packages, based on the name of the class that has the conflict. There are separate configuration options for targeting conflicts on the "source" side of the conflict and the "destination" side of the conflict.

Packages on the source side can be targeted with <targetSourcePackages> and packages on the destination side can be targeted with <targetDestinationPackages>:

<configuration>
  <!-- Only target conflicts coming from groovy.lang source package -->
  <targetSourcePackages>
    <targetSourcePackage>
      <package>groovy.lang</package>
    </targetSourcePackage>
  </targetSourcePackages>
  <!-- Only target conflicts coming from com.foo package on the callee side -->
  <targetDestinationPackages>
    <targetDestinationPackage>
      <package>com.foo</package>
    </targetDestinationPackage>
  </targetDestinationPackages>
</configuration>

By default, all subpackages of the specified packages are also ignored, but this can be disabled on an individual basis by adding <filterSubpackages>false</filterSubpackages> to the <ignoreSourcePackage> or <ignoreDestinationPackage> element.

Note that target* options CANNOT be used in conjunction with ignore* options. You can only specify one or the other.

Caveats and Limitations

Because this plugin analyzes the bytecode of the .class files of your code and all its dependencies, it has a few limitations which prevent conflicts from being found in certain scenarios.

Reflection

When reflection is used to load a class or invoke a method, this tool is not able to follow the call graph past the point of reflection.

Dependency Injection containers

Most DI containers, such as Guice, use reflection to load modules at runtime and wire object graphs together; therefore this tool can't follow the connection between your source code and any modules that might be loaded by Guice or other containers from libraries on the classpath.

Dead code

This tool parses the bytecode of each .class file and looks at the "method instruction" calls to build a graph between classes and which methods are invoking which methods.

Since the tool is scanning the bytecode but not actually executing it, it has no awareness of whether or not a method instruction will actually be executed at runtime.

If bytecode exists for invoking a method in a class but that code path will never actually be activated at runtime, this tool will still follow that connection and report any conflicts it might find through that path.

Safe instances of class not found

Some libraries enable optional features when other classes are available on the classpath, for example Netty tries to detect if cglib is available. These code patterns look something like

boolean coolFeatureEnabled = false;
try {
    Class.forName("com.sprockets.SomeOptionalFeature");
    coolFeatureEnabled = true;
} catch (Throwable t) {
    // optional sprockets library not available
}

...
if (coolFeatureEnabled) {
    // load something that calls SomeOptionalFeature class
}

Javadeps will detect these calls to the optional classes and flag them as conflicts, even though not having the class available will not cause any runtime errors. Configure the plugin to ignore these classes/dependencies.

History

This started as a Spotify hackweek project in June 2015 by Matt Brown, Kristofer Karlsson, Axel Liljencrantz and Petter Måhlén.

It was inspired by some real problems that happened when there were incompatible transitive dependencies for a rarely used code path that wasn't detected until runtime.

We thought that should be detectable in build time instead - so we built this to see if it was feasible.

License

This software is released under the Apache License 2.0. More information in the file LICENSE distributed with this project.

Ownership

The Weaver squad is currently owning this project internally. We are currently in the evaluating process of the ownership of this and other OSS Java libraries. The ownership takes into account ONLY security maintenance.

This repo is also co-owned by other people:

More Repositories

1

luigi

Luigi is a Python module that helps you build complex pipelines of batch jobs. It handles dependency resolution, workflow management, visualization etc. It also comes with Hadoop support built in.
Python
17,796
star
2

annoy

Approximate Nearest Neighbors in C++/Python optimized for memory usage and loading/saving to disk
C++
13,197
star
3

pedalboard

🎛 🔊 A Python library for audio.
C++
5,147
star
4

docker-gc

INACTIVE: Docker garbage collection of containers and images
Shell
5,068
star
5

chartify

Python library that makes it easy for data scientists to create charts.
Python
3,510
star
6

basic-pitch

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection
Python
3,184
star
7

dockerfile-maven

MATURE: A set of Maven tools for dealing with Dockerfiles
Java
2,756
star
8

docker-maven-plugin

INACTIVE: A maven plugin for Docker
Java
2,652
star
9

scio

A Scala API for Apache Beam and Google Cloud Dataflow.
Scala
2,485
star
10

helios

Docker container orchestration platform
Java
2,097
star
11

web-api-examples

Basic examples to authenticate and fetch data using the Spotify Web API
HTML
1,889
star
12

HubFramework

DEPRECATED – Spotify’s component-driven UI framework for iOS
Objective-C
1,861
star
13

apollo

Java libraries for writing composable microservices
Java
1,648
star
14

dh-virtualenv

Python virtualenvs in Debian packages
Python
1,614
star
15

docker-client

INACTIVE: A simple docker client for the JVM
Java
1,431
star
16

docker-kafka

Kafka (and Zookeeper) in Docker
Shell
1,399
star
17

SPTPersistentCache

Everyone tries to implement a cache at some point in their iOS app’s lifecycle, and this is ours.
Objective-C
1,243
star
18

voyager

🛰️ An approximate nearest-neighbor search library for Python and Java with a focus on ease of use, simplicity, and deployability.
C++
1,242
star
19

mobius

A functional reactive framework for managing state evolution and side-effects.
Java
1,223
star
20

sparkey

Simple constant key/value storage library, for read-heavy systems with infrequent large bulk inserts.
C
1,178
star
21

ruler

Gradle plugin which helps you analyze the size of your Android apps.
Kotlin
1,130
star
22

XCMetrics

XCMetrics is the easiest way to collect Xcode build metrics and improve developer productivity.
Swift
1,102
star
23

web-api

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web API ➡️ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
RAML
981
star
24

echoprint-codegen

Codegen for Echoprint
C++
948
star
25

snakebite

A pure python HDFS client
Python
856
star
26

heroic

The Heroic Time Series Database
Java
843
star
27

klio

Smarter data pipelines for audio.
Python
836
star
28

XCRemoteCache

Swift
830
star
29

ios-sdk

Spotify SDK for iOS
Objective-C
643
star
30

SPTDataLoader

The HTTP library used by the Spotify iOS client
Objective-C
630
star
31

apps-tutorial

A Spotify App that contains working examples of the use of Spotify Apps API
627
star
32

JniHelpers

Tools for writing great JNI code
C++
593
star
33

postgresql-metrics

Tool that extracts and provides metrics on your PostgreSQL database
Python
590
star
34

Mobius.swift

A functional reactive framework for managing state evolution and side-effects [Swift implementation]
Swift
557
star
35

reactochart

📈 React chart component library 📉
JavaScript
552
star
36

dockerfile-mode

An emacs mode for handling Dockerfiles
Emacs Lisp
535
star
37

threaddump-analyzer

A JVM threaddump analyzer
JavaScript
488
star
38

featran

A Scala feature transformation library for data science and machine learning
Scala
467
star
39

android-sdk

Spotify SDK for Android
HTML
457
star
40

echoprint-server

Server for the Echoprint audio fingerprint system
Java
395
star
41

completable-futures

Utilities for working with futures in Java 8
Java
393
star
42

web-scripts

DEPRECATED: A collection of base configs and CLI wrappers used to speed up development @ Spotify.
TypeScript
383
star
43

spotify-web-api-ts-sdk

A Typescript SDK for the Spotify Web API with types for returned data.
TypeScript
356
star
44

SpotifyLogin

Swift framework for authenticating with the Spotify API
Swift
347
star
45

ratatool

A tool for data sampling, data generation, and data diffing
Scala
338
star
46

fmt-maven-plugin

Opinionated Maven Plugin that formats your Java code.
Java
324
star
47

coordinator

A visual interface for turning an SVG into XY coördinates.
HTML
288
star
48

big-data-rosetta-code

Code snippets for solving common big data problems in various platforms. Inspired by Rosetta Code
Scala
287
star
49

trickle

A small library for composing asynchronous code
Java
285
star
50

pythonflow

🐍 Dataflow programming for python.
Python
285
star
51

styx

"The path to execution", Styx is a service that schedules batch data processing jobs in Docker containers on Kubernetes.
Java
266
star
52

cstar

Apache Cassandra cluster orchestration tool for the command line
Python
254
star
53

confidence

Python
254
star
54

netty-zmtp

A Netty implementation of ZMTP, the ZeroMQ Message Transport Protocol.
Java
243
star
55

ios-style

Guidelines for iOS development in use at Spotify
243
star
56

cassandra-reaper

Software to run automated repairs of cassandra
235
star
57

docker-cassandra

Cassandra in Docker with fast startup
Shell
220
star
58

basic-pitch-ts

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection.
TypeScript
216
star
59

terraform-gke-kubeflow-cluster

Terraform module for creating GKE clusters to run Kubeflow
HCL
213
star
60

linux

Spotify's Linux kernel for Debian-based systems
C
208
star
61

dns-java

DNS wrapper library that provides SRV lookup functionality
Java
206
star
62

git-test

test your commits
Shell
203
star
63

SPStackedNav

[DEPRECATED] Navigation controller which represents its content in stacks of panes, rather than one at a time
Objective-C
195
star
64

spotify-json

Fast and nice to use C++ JSON library.
C++
194
star
65

quickstart

A CommonJS module resolver, loader and compiler for node.js and browsers.
JavaScript
193
star
66

dbeam

DBeam exports SQL tables into Avro files using JDBC and Apache Beam
Java
189
star
67

flink-on-k8s-operator

Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Go
185
star
68

bazel-tools

Tools for dealing with very large Bazel-managed repositories
Java
166
star
69

magnolify

A collection of Magnolia add-on modules
Scala
163
star
70

dataenum

Algebraic data types in Java.
Java
163
star
71

lingon

A user friendly tool for building single-page JavaScript applications
JavaScript
162
star
72

async-google-pubsub-client

[SUNSET] Async Google Pubsub Client
Java
158
star
73

gcp-audit

A tool for auditing security properties of GCP projects.
Python
157
star
74

spark-bigquery

Google BigQuery support for Spark, SQL, and DataFrames
Scala
155
star
75

should-up

Remove most of the "should" noise from your tests
JavaScript
153
star
76

folsom

An asynchronous memcache client for Java
Java
147
star
77

flo

A lightweight workflow definition library
Java
146
star
78

spotify-web-playback-sdk-example

React based example app that creates a new player in Spotify Connect to play music from in the browse using Spotify Web Playback SDK.
JavaScript
144
star
79

android-auth

Spotify authentication and authorization for Android. Part of the Spotify Android SDK.
HTML
143
star
80

proto-registry

An implementation of the Protobuf Registry API
TypeScript
141
star
81

futures-extra

Java library for working with Guava futures
Java
138
star
82

zoltar

Common library for serving TensorFlow, XGBoost and scikit-learn models in production.
Java
138
star
83

annoy-java

Approximate nearest neighbors in Java
Java
138
star
84

spydra

Ephemeral Hadoop clusters using Google Compute Platform
Java
134
star
85

github-java-client

A Java client to Github API
Java
129
star
86

docker-stress

Simple docker stress test and monitoring tools
Python
125
star
87

spotify-tensorflow

Provides Spotify-specific TensorFlow helpers
Python
124
star
88

crtauth

a public key backed client/server authentication system
Python
118
star
89

sparkey-java

Java implementation of the Sparkey key value store
Java
118
star
90

redux-location-state

Utilities for reading & writing Redux store state to & from the URL
JavaScript
118
star
91

realbook

Easier audio-based machine learning with TensorFlow.
Python
112
star
92

rspec-dns

Easily test your DNS with RSpec
Ruby
107
star
93

web-playback-sdk

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web Playback SDK ➡️ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
107
star
94

ffwd-ruby

An event and metrics fast-forwarding agent.
Ruby
105
star
95

gimme

Creating time bound IAM Conditions with ease and flair
Python
103
star
96

super-smash-brogp

Sends and withdraws BGP prefixes for fun.
Python
98
star
97

spotify.github.io

Showcase site for hand-picked open-source projects by Spotify
HTML
96
star
98

lighthouse-audit-service

TypeScript
95
star
99

python-graphwalker

Python re-implementation of the graphwalker testing tool
Python
93
star
100

noether

Scala Aggregators used for ML Model metrics monitoring
Scala
91
star