Maven Notes from JavaOne 2025
Notes from JavaOne
The talk Apache Maven Survival Guide “Bring It On! gives a nice overview of the tools and techniques for managing the build process.
Random trivia
Super POM
Apache Maven runtime is by default using Super Pom which - unless specified otherwiese - is the parent of each pom file:
Dependency management
Important: understanding what direct and indirect (transitive) dependencies are:
Check default versions
Use mvn help:effective-pom
Learn to use mvn help:effective-pom - it merges default pom with the one in your repository. This is important, becasue if someone has different maven versions then - although they are using the same project’s pom, their default poms will almost certainly be different!
Tests are not run
Diagnozing a problem: answer is “always run a plugin” :)
Use mvn versions:display-plugin-updates - this shows that there is no minimal version of maven defined:
![[Pasted image 20250525095854.png]]
This might also display what are the newest versions of plugins (which in general we should try to upgrade if possible due to bugfixes, patched vulnerabilities, stability etc.)
Using enforcer plugin
provides goals to control certain environmental constraints such as Maven version, JDK version, and OS family along with many more built-in rules and user created rules.
| Rule type | Documentation link |
|---|---|
| Built-in rules | https://maven.apache.org/enforcer/enforcer-rules/index.html |
| Extra rules | https://www.mojohaus.org/extra-enforcer-rules/ |
| Writing a custom rules | https://maven.apache.org/enforcer/enforcer-api/writing-a-custom-rule.html |
It is really interesting to look into those rules to understand what this plugin offers:
Reproducible builds
CI (and people in your team) can have a different version of maven and therefore can also have different versions of plugins. You can fix that by fixing them in your pom, then mvn versions:display-plugin-updates also gives updates to those default plugins.
Note: one bad practice mentioned - commons-lang3
Static dependency analysis
Note: it is not perfect, just a tool. Even dependencies reported as “unused” can be used.
Use mvn depencency:analyze
Dependency tree
Use mvn dependency:tree to see what dependencies you are using during the build.
Secure the project
mvn org.owasp:dependency-check-maven:check
Here you can get your api key from: https://nvd.nist.gov/developers/request-an-api-key. The video states that one problem with org.owasp:dependency-check-maven is that it only runs during the build and don’t notify you that there is a problem with the dependencies (…and proprietary solutions offer such offline analysis of remembered projects’ dependencies).
Note to self: I wasn’t able to run this plugin :sad: - without a configured key it was downloading really slow (I gave up after a few minutes), and with configured key the plugin was throwing “null array” error.
Verify with -X
Use mvn verify -X to see the details (example: stale files - i.e. java files which are all comments - cause compilation each time due to the fact that they do not emit actualt bytecode/.class file and mess with maven’s ability to discover the need to recompile).
Generate dependencies report
Then, use mvn project-info-reports:dependencies.
It writes a list of build time plugins that were used, eg.
|
|
…and you can see a more visually pleasing version by opening a report generated in yor target direcory.
Try open target/reports/dependencies.html and see:
You will get:
- list of dependencies
- list of licence types
- details of depencency size, number of classess, java version
Generate licences report
Good practice: use <licence> in the pom.
You can verify the legal side of your project by listing the licences of related libs/plugins (or notifying you if your ddependences don’t have their licence declared - this means a potential trouble to the proprietary system you are building). The usage of third party can be reported with mvn license:third-party-report.
It generates a report (try to open target/reports/third-party-report.html) which gives info about all the licences of your dependencies:
Speed up build
- mvnd - Use
mvnd(you need to install it first) instead of mvn to get a speed up - check which jdk you can use - maven versions differ between jdk
- try mvn4 - archive
Clean install
We need an extention - better, bigger, can see a classloader, we need it to profile the plugins.
Other notes
OSS Quickstart
oss quickstart is a Maven archetype developed by Gunnar Morling to create oss-ready project and you can use it in two forms:
- interactive:
|
|
- non-interactive:
|
|
Note: Gunnar is also the author of this excellent article: The Code Review Pyramid
Plugins - general
Here’s the list of frequently used maven plugins:
| Name | Description | Link |
|---|---|---|
| maven-shade-plugin | Packages the artifact in an uber-jar, including its dependencies, and allows shading (renaming) of packages. | maven-shade-plugin |
| maven-surefire-plugin | Executes unit tests during the test phase of the build lifecycle and generates reports. | maven-surefire-plugin |
| spring-boot-maven-plugin | Provides Spring Boot support in Maven, allowing packaging of executable JARs or WARs and running Spring Boot applications. | spring-boot-maven-plugin |
| maven-release-plugin | Automates the process of releasing a project, including tagging the source code and deploying artifacts. | maven-release-plugin |
| maven-dependency-plugin | Provides utility goals to work with dependencies like copying, unpacking, analyzing, and resolving. | maven-dependency-plugin |
| maven-jar-plugin | Allows for customization of the JAR manifest and packaging of additional resources. | maven-jar-plugin |
| modernizer-maven-plugin | Detects uses of legacy APIs and suggests modern alternatives to improve code performance and maintainability. | modernizer-maven-plugin |
| protobuf-maven-plugin | Facilitates integration of Protocol Buffers (protobuf) into Maven projects, supporting both JVM and native plugins. | protobuf-maven-plugin |
| dependency-analyzer | Generates class dependency graphs, providing insights into project structure and dependencies. | dependency-analyzer |
| maven-compiler-plugin | Compiles the project’s source code. | maven-compiler-plugin |
| maven-clean-plugin | Cleans up the project’s directory by deleting the target directory. | maven-clean-plugin |
| maven-deploy-plugin | Deploys the project’s artifacts to a remote repository. | maven-deploy-plugin |
Plugins - Code quality
A list of code quality focused maven plugins:
| Name | Description | Link |
|---|---|---|
| maven-pmd-plugin | Integrates PMD, a static code analyzer that detects common programming flaws like unused variables, empty catch blocks, and unnecessary object creation. | maven-pmd-plugin |
| findbugs-maven-plugin | Generates reports based on the FindBugs library, identifying potential bugs in Java code through static analysis. | findbugs-maven-plugin |
| sonar-findbugs-plugin | A SonarQube plugin that integrates FindBugs analyses into SonarQube dashboards, helping to detect a variety of common coding mistakes. | sonar-findbugs-plugin |
| code-analysis-maven-plugin | Runs several static analysis tools to check your code for bugs, design, and formatting problems, providing a comprehensive code quality report. | code-analysis-maven-plugin |
| maven-checkstyle-plugin | Generates reports on code style violations and can fail the build if violations are detected. | maven-checkstyle-plugin |
| spotbugs-maven-plugin | Performs static code analysis to identify potential bugs and code quality issues in Java bytecode. | spotbugs-maven-plugin |
| jacoco-maven-plugin | Provides the JaCoCo runtime agent to your tests and allows basic code coverage report creation. | jacoco-maven-plugin |
pom.xml code conventions
- Here is the ordering of pom.xml elements: pom.xml code conventions
- Here is (different) maven model
Summary
Maven is not as sexy as we’d sometimes wish, but it does its job, it is stable, and it is extensible. Sometimes we want to extend its basic goal - project dependency management - with some additional stuff, like monitoring code quality, executing static analysis to prevent common bugs, looking at code smells, facilitating external integrations, or generating code. Therefore it is important to know some most important and widely used plugins that can do the job and improve the overall project health.
AI note
ChatGPT
- generated mermaid diagrams and main blogpost image
- formatted markdown table and helped with plugins descriptions