Java Dependency Analyzer is a tool that inspects dependencies.
Project description
Java Dependency Analyzer 1.1.1
A Python CLI tool that inspects Java dependency hierarchies in Maven and Gradle projects and reports known vulnerabilities.
Prerequisites
- Python
^3.14 - Poetry
2.2
Installation
Clone the repository and install all dependencies:
git clone <repository-url>
cd java-dependency-analyzer
poetry install
Usage
jda <COMMAND> [OPTIONS] [FILE]
COMMAND is one of gradle or maven.
gradle
jda gradle [OPTIONS] [FILE]
FILE is the path to a build.gradle or build.gradle.kts file.
Omit FILE when supplying --dependencies.
maven
jda maven [OPTIONS] [FILE]
FILE is the path to a pom.xml file.
Omit FILE when supplying --dependencies.
Options (both subcommands)
| Option | Short | Default | Description |
|---|---|---|---|
--dependencies |
-d |
Path to a pre-resolved dependency tree text file (see below). When supplied, parsing and transitive resolution are skipped. | |
--output-format |
-f |
all |
Report format: json, html, or all (both). |
--output-dir |
-o |
. |
Directory to write the report file(s) into. |
--no-transitive |
false |
Skip transitive dependency resolution; analyse direct dependencies only. | |
--verbose |
-v |
false |
Print progress messages to the console. |
--rebuild-cache |
false |
Delete the vulnerability cache before scanning. | |
--cache-ttl |
7 |
Cache TTL in days. Set to 0 to disable caching. |
Exit Codes
| Code | Meaning |
|---|---|
0 |
Scan completed successfully; no vulnerabilities found. |
10 |
Scan completed successfully; at least one vulnerability was detected. |
Pre-resolved dependency trees (--dependencies)
When a Gradle or Maven project already has a dependency tree available (e.g. from CI), you can pass it directly to skip the parser and transitive resolver:
- Gradle: generate with
gradle dependencies --configuration runtimeClasspath > gradle.txt - Maven: generate with
mvn dependency:tree -Dscope=runtime > maven.txt
The report will reflect the exact tree from the file, including all transitive dependencies.
Examples
Analyse a Maven POM and produce both JSON and HTML reports in the current directory:
jda maven pom.xml
Analyse a Gradle build file and write only an HTML report to ./reports/:
jda gradle build.gradle -f html -o reports/
Analyse direct dependencies only, with verbose output:
jda gradle build.gradle.kts --no-transitive -v
Scan using a pre-resolved Gradle dependency tree (skips transitive resolution):
jda gradle --dependencies runtime.txt -f json -o reports/
Scan using a pre-resolved Maven dependency tree (skips transitive resolution):
jda maven --dependencies maven.txt -f json -o reports/
Logging
The tool writes logs to java_dependency_analyzer.log in the current working directory, in addition to printing them to the console (stderr).
Logging requires a logging.ini file to be present in the working directory or any of its parent directories. The logger walks up the directory tree until it finds one.
When installed via pip, no logging.ini is bundled. Without it the tool falls back to console-only logging (no log file is created). To enable file logging, copy logging.ini from the repository to your working directory:
curl -O https://raw.githubusercontent.com/rcw3bb/java-dependency-analyzer/master/logging.ini
Then run jda from that same directory.
Architecture
graph TD
CLI["jda CLI (cli.py)"] --> Parser["DependencyParser (ABC)"]
Parser --> MavenParser
Parser --> GradleParser
Parser --> MavenDepTreeParser
Parser --> GradleDepTreeParser
CLI --> Resolver["TransitiveResolver<br/>(Maven Central)"]
CLI --> Scanner["VulnerabilityScanner (ABC)"]
Scanner --> OsvScanner["OsvScanner<br/>(OSV.dev API)"]
Scanner --> GhsaScanner["GhsaScanner<br/>(GitHub Advisory DB)"]
OsvScanner --> Cache["VulnerabilityCache<br/>(SQLite)"]
GhsaScanner --> Cache
CLI --> Reporter["Reporter (ABC)"]
Reporter --> JsonReporter
Reporter --> HtmlReporter
MavenParser --> Dependency["Dependency / Vulnerability<br/>Dataclasses"]
GradleParser --> Dependency
MavenDepTreeParser --> Dependency
GradleDepTreeParser --> Dependency
Resolver --> Dependency
OsvScanner --> Dependency
GhsaScanner --> Dependency
JsonReporter --> ScanResult["ScanResult"]
HtmlReporter --> ScanResult
Dependency --> ScanResult
Components
| Component | Location | Responsibility |
|---|---|---|
| CLI | java_dependency_analyzer/cli.py |
Entry point (gradle / maven subcommands); orchestrates parsing, resolving, scanning, and reporting. |
MavenParser |
parsers/maven_parser.py |
Parses pom.xml, resolves ${property} placeholders, filters by runtime scope. |
GradleParser |
parsers/gradle_parser.py |
Parses Groovy DSL (build.gradle) and Kotlin DSL (build.gradle.kts) files. |
MavenDepTreeParser |
parsers/maven_dep_tree_parser.py |
Parses mvn dependency:tree text output into a full dependency tree. |
GradleDepTreeParser |
parsers/gradle_dep_tree_parser.py |
Parses gradle dependencies text output into a full dependency tree. |
TransitiveResolver |
resolvers/transitive.py |
Fetches transitive dependencies by downloading POM files from Maven Central. |
OsvScanner |
scanners/osv_scanner.py |
Queries the OSV.dev batch API for known CVEs. |
GhsaScanner |
scanners/ghsa_scanner.py |
Queries the GitHub Advisory Database REST API for security advisories; automatically falls back to OSV when rate-limited (HTTP 403/429). |
VulnerabilityCache |
cache/vulnerability_cache.py |
SQLite-backed cache for raw vulnerability API payloads with configurable TTL. |
DatabaseManager |
cache/db.py |
Manages SQLite connection lifecycle and schema initialisation. |
JsonReporter |
reporters/json_reporter.py |
Writes a ScanResult to a JSON file. |
HtmlReporter |
reporters/html_reporter.py |
Renders a ScanResult to a styled HTML report via a Jinja2 template. |
Development Setup
Install all dependencies (including dev tools):
poetry install
Running Tests
Run the full test suite with coverage and generate an HTML report:
poetry run pytest --cov=java_dependency_analyzer tests --cov-report html
Code Quality
Format and lint the source code (linter must score 10/10):
poetry run black java_dependency_analyzer
poetry run pylint java_dependency_analyzer
Publishing to PyPI
Prerequisites
- A PyPI account with an API token.
Configure the token
poetry config pypi-token.pypi <your-token>
Build and publish
poetry publish --build
This builds the source distribution and wheel, then uploads them to PyPI in one step.
Note: PyPI releases are immutable. Once a version is published, it cannot be overwritten.
To fix a mistake, yank the release via the PyPI web UI and publish a new version.
Changelog
Author
Ron Webb <ron@ronella.xyz>
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file java_dependency_analyzer-1.1.1.tar.gz.
File metadata
- Download URL: java_dependency_analyzer-1.1.1.tar.gz
- Upload date:
- Size: 28.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.3.3 CPython/3.14.2 Windows/11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ef7c1b39a831fa324cd996a996e94be58ed66aa1c0df1052601f128a4844e11e
|
|
| MD5 |
a85670547f7d4bdfc1ca86e4ad00ce41
|
|
| BLAKE2b-256 |
7bf32d984b8d4ef51a01f8e90fe0b7f6911a51fff40d473969acf6b53eca3fcc
|
File details
Details for the file java_dependency_analyzer-1.1.1-py3-none-any.whl.
File metadata
- Download URL: java_dependency_analyzer-1.1.1-py3-none-any.whl
- Upload date:
- Size: 42.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.3.3 CPython/3.14.2 Windows/11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4f8ef6b08c891a1422b3bc602cda4780400b0d9708722ac6375b41780bee0732
|
|
| MD5 |
62b14877c05b8802cb26a9600cae4a05
|
|
| BLAKE2b-256 |
fedd9335bd5b79174ed6f3c927cdc4094ffdedd9147ece85a146a003dee67c0d
|
