src downloading from Maven central 2025-08-29 11:53:35 +02:00
tests rudimentary reporting 2025-07-31 17:04:01 +02:00
.gitignore exclude rustrover files 2025-07-23 12:52:30 +02:00
Cargo.lock downloading from Maven central 2025-08-29 11:53:35 +02:00
Cargo.toml downloading from Maven central 2025-08-29 11:53:35 +02:00
Dockerfile downloading from Maven central 2025-08-29 11:53:35 +02:00
README.md downloading from Maven central 2025-08-29 11:53:35 +02:00
TODO.md added comments and rustdoc 2025-07-25 12:54:22 +02:00

currently implementing in rust (V = done):

  • V a sax parser to read xml files (the existing xml bindings in rust have trouble reading maven properties)
  • V a dom parser to get a generic xml representation
  • V a pom reader to get a maven specific representation
  • V find out which dependencies a project has
  • V try the default localRepository, ~/.m2/repository
  • load settings.xml (to pick up a non-default localRepository, mirrors and server credentials)
  • V search for a dependency in the localRepository
  • V download a dependency from remote repositories
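The tail of that list (pom reader, lookup in ~/.m2/repository, download from Maven Central) as an added example in Rust. This is not the project's own code: it expands ${property} placeholders in a dependency's version (the "maven properties" that trip up existing xml bindings), checks that the coordinate cannot walk out of the repository once it is turned into a path, and derives the local file path and the Central URL from the same layout. The Central base URL, the sample properties and the sample coordinate are assumptions for the example.

```rust
// Added example, not the project's code: take a <dependency> from a pom.xml,
// expand ${property} placeholders, and map it to the file Maven would look for
// in the local repository and to its URL on Maven Central. Std-only.
use std::collections::HashMap;
use std::path::{Path, PathBuf};

/// Assumed base URL of Maven Central (Maven's default remote repository).
pub const CENTRAL: &str = "https://repo.maven.apache.org/maven2";

/// A dependency as written in pom.xml; the version may still be a ${...}.
#[derive(Debug, Clone, PartialEq)]
pub struct Coordinate {
    pub group_id: String,
    pub artifact_id: String,
    pub version: String,
}

/// Expand ${name} against <properties>. Values may refer to other properties, so
/// expansion recurses; the depth limit turns a self-referencing property into an error.
pub fn interpolate(value: &str, props: &HashMap<String, String>) -> Result<String, String> {
    fn expand(value: &str, props: &HashMap<String, String>, depth: usize) -> Result<String, String> {
        if depth > 16 {
            return Err(format!("property expansion too deep (cycle?) in {value:?}"));
        }
        let mut out = String::new();
        let mut rest = value;
        while let Some(start) = rest.find("${") {
            out.push_str(&rest[..start]);
            let after = &rest[start + 2..];
            let end = after.find('}').ok_or_else(|| format!("unterminated placeholder in {value:?}"))?;
            let name = &after[..end];
            let raw = props.get(name).ok_or_else(|| format!("undefined property ${{{name}}}"))?;
            out.push_str(&expand(raw, props, depth + 1)?);
            rest = &after[end + 1..];
        }
        out.push_str(rest);
        Ok(out)
    }
    expand(value, props, 0)
}

/// Coordinates become path segments, so a crafted pom must not be able to walk
/// out of the repository: no separators, no "." or "..", nothing empty.
fn valid_segment(s: &str) -> bool {
    !s.is_empty() && s != "." && s != ".."
        && s.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-'))
}

impl Coordinate {
    pub fn validate(&self) -> Result<(), String> {
        let mut segments: Vec<(&str, &str)> = self.group_id.split('.').map(|g| ("groupId", g)).collect();
        segments.push(("artifactId", self.artifact_id.as_str()));
        segments.push(("version", self.version.as_str()));
        for (what, seg) in segments {
            if !valid_segment(seg) {
                return Err(format!("unsafe {what} segment {seg:?}"));
            }
        }
        Ok(())
    }
    /// `org/example/lib/1.2.3/lib-1.2.3.jar`: the layout ~/.m2 and Central share.
    pub fn relative_path(&self, ext: &str) -> Result<String, String> {
        self.validate()?;
        let group = self.group_id.replace('.', "/");
        Ok(format!("{group}/{a}/{v}/{a}-{v}.{ext}", a = self.artifact_id, v = self.version))
    }
    pub fn local_path(&self, local_repo: &Path, ext: &str) -> Result<PathBuf, String> {
        Ok(local_repo.join(self.relative_path(ext)?))
    }
    pub fn central_url(&self, ext: &str) -> Result<String, String> {
        Ok(format!("{CENTRAL}/{}", self.relative_path(ext)?))
    }
}

/// Central serves a `.sha1` next to each file: the hex digest, sometimes followed
/// by the file name. Compare it with the digest of the bytes you actually got.
pub fn checksum_matches(published: &str, computed_hex: &str) -> bool {
    match published.split_whitespace().next() {
        Some(expected) => expected.eq_ignore_ascii_case(computed_hex.trim()),
        None => false,
    }
}

fn main() {
    // Constructed input: two chained properties and a dependency that uses them.
    let props: HashMap<String, String> = [("lib.version", "1.2.3"), ("dep.version", "${lib.version}")]
        .iter().map(|&(k, v)| (k.to_string(), v.to_string())).collect();
    let dep = Coordinate {
        group_id: "org.example".into(),
        artifact_id: "lib".into(),
        version: interpolate("${dep.version}", &props).unwrap(),
    };
    let m2 = Path::new("/home/user/.m2/repository"); // default; settings.xml may override it
    println!("local : {}", dep.local_path(m2, "jar").unwrap().display());
    println!("remote: {}", dep.central_url("jar").unwrap());
}
```

A `.sha1` fetched from the same server as the jar only detects corruption, not a tampered repository or mirror; for that you need the publisher's PGP signature (the `.asc` file next to the artifact) and a key you trust, and the download itself should stay on HTTPS.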

Why rust and not a maven plugin?

  • faster

  • more challenges

  • run it in docker as a separate step

  • report in html

    • list dependencies in descending 'should-I-use-it score' order (see 'elaborating' below)
    • drill down to where each dependency is used in the project's code

gradle

  • probably easiest to run gradle itself to get the dependency list
  • maybe should've done that with maven as well...
  • but currently it's working rather well (as a POC, it's still missing essential features)

elaborating

  • deciding whether to ditch a dependency likely involves other factors:
    • (dependency) project quality, as defined by:
      • date of last commit
      • date of highest version on mavencentral
      • java version in bytecode (pre/post java11, I would say)
      • nr of collaborators
      • nr of issues (ratio of open to solved, vs total)
      • nr of transitive dependencies that are themselves superseded by newer versions
      • reported vulnerabilities
      • combined in some weighted sum(s), yielding a 'should-I-use-it score'
    • and a replaceability score: how much work it is to replace the dependency
      • how many occurrences of usage?
      • lib or framework?
  • this is going to be a large database,
  • incrementally populated with data
  • what stack?

Another idea

  • compute the amount of (dependency) code that is reachable from the application
    • count references (traverse them all)
    • what to do with dynamically loaded code?
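The reachability idea as an added example in Rust, not the project's own code: a breadth-first walk over class references from the application's entry classes, a per-artifact count of reached vs total classes, and a first answer to the dynamically loaded code question (string constants in reached classes that name a known class are reported as candidates rather than silently counted as dead). The class graph is constructed by hand; in a real tool it would come from the constant pools of the classes in the application and its jars. All class and artifact names are made up for the example.

```rust
// Added example, not the project's code: estimate how much of each dependency
// the application can actually reach by walking static class references.
// The graph is constructed by hand; a real tool would build it from the
// constant pools of the classes in the application and its jars.
use std::collections::{BTreeMap, BTreeSet, HashMap, VecDeque};

/// One class: the artifact it ships in, the classes it references statically,
/// and its string constants (possible Class.forName / ServiceLoader targets).
#[derive(Debug, Clone)]
pub struct ClassInfo {
    pub artifact: &'static str,
    pub refs: Vec<&'static str>,
    pub strings: Vec<&'static str>,
}

pub type ClassGraph = HashMap<&'static str, ClassInfo>;

/// Breadth-first walk from the application's entry classes. Returns the classes
/// reached and the referenced names not in the graph (JDK classes, missing jars).
pub fn reachable(graph: &ClassGraph, roots: &[&'static str]) -> (BTreeSet<&'static str>, BTreeSet<&'static str>) {
    let mut seen = BTreeSet::new();
    let mut unknown = BTreeSet::new();
    let mut queue: VecDeque<&'static str> = roots.iter().copied().collect();
    while let Some(cls) = queue.pop_front() {
        match graph.get(cls) {
            None => {
                unknown.insert(cls);
            }
            Some(info) => {
                if seen.insert(cls) {
                    queue.extend(info.refs.iter().copied());
                }
            }
        }
    }
    (seen, unknown)
}

/// Per artifact: (classes reached, classes in the artifact).
pub fn usage_per_artifact(graph: &ClassGraph, live: &BTreeSet<&'static str>) -> BTreeMap<&'static str, (usize, usize)> {
    let mut out: BTreeMap<&'static str, (usize, usize)> = BTreeMap::new();
    for (cls, info) in graph {
        let entry = out.entry(info.artifact).or_insert((0, 0));
        entry.1 += 1;
        if live.contains(cls) {
            entry.0 += 1;
        }
    }
    out
}

/// Static traversal misses dynamically loaded code. A cheap over-approximation:
/// string constants in reached classes that name a known, unreached class are
/// reported so they can be reviewed instead of being counted as dead code.
pub fn dynamic_candidates(graph: &ClassGraph, live: &BTreeSet<&'static str>) -> BTreeSet<&'static str> {
    let mut out = BTreeSet::new();
    for cls in live {
        if let Some(info) = graph.get(cls) {
            for s in &info.strings {
                if graph.contains_key(s) && !live.contains(s) {
                    out.insert(*s);
                }
            }
        }
    }
    out
}

/// Constructed sample: an app using part of lib-a and loading lib-b by name only.
pub fn sample_graph() -> ClassGraph {
    let c = |artifact: &'static str, refs: &[&'static str], strings: &[&'static str]| ClassInfo {
        artifact, refs: refs.to_vec(), strings: strings.to_vec(),
    };
    HashMap::from([
        ("app.Main", c("app", &["app.Service", "java.util.List"], &[])),
        ("app.Service", c("app", &["com.acme.a.Client", "com.acme.a.Config"], &["com.acme.b.Driver"])),
        ("com.acme.a.Client", c("lib-a", &["com.acme.a.Config", "com.acme.a.Internal"], &[])),
        ("com.acme.a.Config", c("lib-a", &[], &[])),
        ("com.acme.a.Internal", c("lib-a", &[], &[])),
        ("com.acme.a.Unused", c("lib-a", &[], &[])),
        ("com.acme.b.Driver", c("lib-b", &["com.acme.b.Impl"], &[])),
        ("com.acme.b.Impl", c("lib-b", &[], &[])),
    ])
}

fn main() {
    let graph = sample_graph();
    let (live, unknown) = reachable(&graph, &["app.Main"]);
    for (artifact, (used, total)) in usage_per_artifact(&graph, &live) {
        println!("{artifact}: {used}/{total} classes reachable");
    }
    println!("not in graph (JDK or missing): {unknown:?}");
    println!("possibly loaded by name: {:?}", dynamic_candidates(&graph, &live));
}
```

Counting on class granularity is coarse but cheap; going down to method references gives a tighter estimate at the cost of a much bigger graph. The candidate list is an over-approximation: any string that happens to equal a class name is flagged, which is the safer direction when the output is used to argue that a dependency can be dropped.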