48 lines
No EOL
1.7 KiB
Markdown
48 lines
No EOL
1.7 KiB
Markdown
**currently implementing in rust:**
|
|
* V a sax parser to read xml files (and existing xml binding in rust has trouble reading maven properties)
|
|
* V a dom parser to get a generic xml representation
|
|
* V a pom reader to get a maven specific representation
|
|
* V to find out what dependencies you have
|
|
* V try default localRepository ~/.m2/repository
|
|
* load settings.xml
|
|
* V search dependency in localRepository
|
|
* V download dependency from remote repo's
|
|
|
|
Why rust and not a maven plugin?
|
|
* faster
|
|
* more challenges
|
|
* run it in docker as a separate step
|
|
|
|
|
|
* report in html
|
|
* list dependencies in descending 'should-I-use-it-score' order (below)
|
|
* drill down to code usage in project
|
|
|
|
**gradle**
|
|
* probably easiest to run gradle itself to get the dependency list
|
|
* maybe should've done that with maven as well...
|
|
* but currently it's working rather well (as a POC, it's still missing essential features)
|
|
|
|
**elaborating**
|
|
* deciding if you should ditch a dependency, likely involves other factors:
|
|
* (dependency) project quality, as defined by:
|
|
* date of last commit
|
|
* date of highest version on mavencentral
|
|
* java version in bytecode (pre/post java11, I would say)
|
|
* nr of collaborators
|
|
* nr of issues (ratio open/solved vs total)
|
|
* nr of superseded transitive dependencies
|
|
* reported vulnerabilities
|
|
* in some weighted sum(s), yielding a 'should-I-use-it score'
|
|
* and replaceability score: how much work to replace it
|
|
* how many occurrences of usage?c
|
|
* lib or framework?
|
|
* this is going to be a large database,
|
|
* incrementally populated with data
|
|
* what stack?
|
|
|
|
**Another idea**
|
|
* compute amount of (dependency) code that is reachable from the application
|
|
* count references (traverse all)
|
|
* what to do with dynamically loaded code?
|
|
|