Using Maven Dependency Analysis to Detect Unused and Undeclared JARs
This article explains why Maven dependency analysis is essential for Java backend projects, demonstrates how to run the analysis with Maven and IntelliJ IDEA, interprets the warnings about used undeclared and unused declared dependencies, and provides best‑practice timing, risks, and shortcuts for maintaining clean dependency trees.
Why do this?
After years of working with .NET technologies, the author switched to frontend and later to operations, where frequent security scans flagged vulnerable JAR packages in Maven projects. That prompted the need for systematic dependency cleanup.
How to do it?
For Maven projects, the built‑in dependency analysis tool can be invoked with a single command. Open the Terminal in IntelliJ IDEA or a command line at the project root and run:
mvn dependency:analyze
Examine the console output, focusing on two sections:
[INFO] --- maven-dependency-plugin:2.8:analyze (default-cli) @ xxxproject ---
[WARNING] Used undeclared dependencies found:
[WARNING] org.springframework:spring-beans:jar:4.0.0.RELEASE:compile
[WARNING] org.springframework:spring-context:jar:4.0.0.RELEASE:compile
[WARNING] Unused declared dependencies found:
[WARNING] com.alibaba:dubbo:jar:2.5.3:compile
[WARNING] com.alibaba:druid:jar:1.0.9:compile
[WARNING] ...
Used undeclared dependencies found
This indicates that the project uses a class from a JAR that is not declared directly in pom.xml but is pulled in transitively. For example, if A.jar depends on B.jar and the analysis reports:
[WARNING] Used undeclared dependencies found: B.jar
you should add an explicit dependency on B.jar in pom.xml to make the relationship clear.
Unused declared dependencies found
This section lists dependencies that are declared in pom.xml but never referenced in the source code (excluding configuration files and other extension points). Before removing them, consider the following cautions:
"Unused" is defined only for code under src/main/java and src/test/java, not for configuration or plugin files.
Always back up pom.xml before deleting dependencies.
Maven's analysis may produce false positives; thorough testing after removal is essential.
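As an added example (not part of the original article or of Maven itself), the following Python script parses the two warning sections of the console output into structured lists, renders the explicit pom.xml entry for each used-undeclared JAR, and lists unused-declared JARs for manual review rather than deleting them. The function names parse_analyze and pom_snippet and the sample text are assumptions made for this illustration.

```python
import re

# Constructed sample, modelled on the console output shown in the article.
SAMPLE = """\
[INFO] --- maven-dependency-plugin:2.8:analyze (default-cli) @ xxxproject ---
[WARNING] Used undeclared dependencies found:
[WARNING]    org.springframework:spring-beans:jar:4.0.0.RELEASE:compile
[WARNING]    org.springframework:spring-context:jar:4.0.0.RELEASE:compile
[WARNING] Unused declared dependencies found:
[WARNING]    com.alibaba:dubbo:jar:2.5.3:compile
[WARNING]    com.alibaba:druid:jar:1.0.9:compile
[INFO] BUILD SUCCESS
"""

HEADERS = {
    "Used undeclared dependencies found:": "used_undeclared",
    "Unused declared dependencies found:": "unused_declared",
}
# groupId:artifactId:type[:classifier]:version:scope
COORD = re.compile(r"^[\w.\-]+(?::[\w.\-]+){4,5}$")

def parse_analyze(text):
    """Return the coordinates listed under each of the two warning headers."""
    found = {name: [] for name in HEADERS.values()}
    section = None
    for line in text.splitlines():
        m = re.match(r"\[(\w+)\]\s*(.*)", line.strip())
        level, body = (m.group(1), m.group(2).strip()) if m else ("", "")
        if body in HEADERS:
            section = HEADERS[body]
        elif section and level == "WARNING" and COORD.match(body):
            p = body.split(":")
            found[section].append(
                {"groupId": p[0], "artifactId": p[1], "version": p[-2], "scope": p[-1]})
        else:
            section = None  # any other line closes the current section
    return found

def pom_snippet(dep):
    """Render the explicit <dependency> entry for a used-undeclared JAR."""
    scope = "" if dep["scope"] == "compile" else f"\n  <scope>{dep['scope']}</scope>"
    return (f"<dependency>\n  <groupId>{dep['groupId']}</groupId>\n"
            f"  <artifactId>{dep['artifactId']}</artifactId>\n"
            f"  <version>{dep['version']}</version>{scope}\n</dependency>")

if __name__ == "__main__":
    report = parse_analyze(SAMPLE)
    for dep in report["used_undeclared"]:
        print(pom_snippet(dep))          # candidates to declare in pom.xml
    for dep in report["unused_declared"]:
        print("review before removing:", dep["groupId"], dep["artifactId"])
```

To run it against a real build, save the output of mvn dependency:analyze to a file and pass its contents to parse_analyze instead of SAMPLE.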
When to run the analysis?
New project initialization: Choose required JARs carefully to avoid copying legacy dependencies.
During feature refactoring: Review and clean dependencies alongside code changes, allowing any mistakes to be caught in subsequent testing phases.
What risks should be noted?
The analysis results are advisory and may miss special usage scenarios such as annotation processors. Always perform comprehensive testing after removing dependencies.
When taking over an old project, do not rush to clean dependencies before understanding the codebase, as premature removal can cause hard‑to‑track issues.
Shortcut method
IntelliJ IDEA provides a built‑in Maven tool to analyze dependencies without leaving the IDE.
Usage
Open the project in IntelliJ IDEA and navigate to the directory containing pom.xml.
Right‑click pom.xml and select Analyze Dependencies from the Maven menu.
IDEA will display the analysis results, allowing you to add missing dependencies or remove unused ones directly.
Following these steps helps keep the project's dependency graph clean, stable, and maintainable.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn