ASSERT-KTH / depclean

DepClean automatically detects and removes unused dependencies in Maven projects (https://dx.doi.org/10.1007/s10664-020-09914-8)
MIT License
243 stars 28 forks

[QUESTION] What are the differences between the minification done by depclean and maven-shade-plugin? #165

Closed algomaster99 closed 1 year ago

algomaster99 commented 1 year ago

Hi!

I often disseminate this tool to people, so I aim to have as much knowledge as possible to answer their questions. Hence, I was wondering what 'extra' depclean does to remove bloated dependencies? Based on the documentation of maven-shade-plugin, it seems that they also minify the JAR and call the new JAR an 'uber JAR'. Could you comment on the techniques used for debloating in both tools? I looked for the keyword shade in your manuscript here, but I could not find it.

monperrus commented 1 year ago

ping @cesarsotovalero

tdurieux commented 1 year ago

the static analysis to detect the required dependencies is slightly different and Depclean aims to update the original pom.xml to exclude the unneeded dependencies instead of doing a post-processing.
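To make the distinction in the answer above concrete, here is an added example (not from this issue, the DepClean project, or the maven-shade-plugin docs) that places the two configurations side by side: maven-shade-plugin's `minimizeJar` post-processes the packaged artifact, while DepClean analyses the dependency tree and emits a rewritten pom.xml. The plugin versions, the `createPomDebloated` parameter name and the `debloated-pom.xml` output name are assumptions from memory; verify them against the release you use.

```xml
<!-- Added example: two ways to shrink what a Maven project ships.
     Plugin versions and parameter names are assumptions; check them
     against the plugin documentation for the release you actually use. -->
<build>
  <plugins>

    <!-- (1) maven-shade-plugin: post-processing of the packaged JAR.
         minimizeJar drops classes not reachable from the project's own
         classes, but every dependency stays declared in pom.xml, so the
         dependency tree (and anything that scans it) is unchanged. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-shade-plugin</artifactId>
      <version>3.5.0</version>  <!-- assumed version -->
      <executions>
        <execution>
          <phase>package</phase>
          <goals><goal>shade</goal></goals>
          <configuration>
            <minimizeJar>true</minimizeJar>
          </configuration>
        </execution>
      </executions>
    </plugin>

    <!-- (2) DepClean: static analysis of the dependency tree, then a
         rewritten pom.xml (assumed name: debloated-pom.xml) with unused
         direct dependencies removed and unused transitive ones excluded.
         The original build is untouched; you review and adopt the
         generated pom. -->
    <plugin>
      <groupId>se.kth.castor</groupId>
      <artifactId>depclean-maven-plugin</artifactId>
      <version>2.0.6</version>  <!-- assumed version -->
      <executions>
        <execution>
          <goals><goal>depclean</goal></goals>
          <configuration>
            <!-- assumed parameter name: write the debloated pom -->
            <createPomDebloated>true</createPomDebloated>
          </configuration>
        </execution>
      </executions>
    </plugin>

  </plugins>
</build>
```

The practical difference for a reviewer: after (1) the shaded JAR is smaller but `mvn dependency:tree` still lists every original dependency, whereas after adopting (2) the declared dependency set itself is reduced.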

algomaster99 commented 6 months ago

The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application compares Depclean, Shade, and ProGuard. Based on the results (Table 2), Depclean debloats the jar to a greater degree and the tests pass - correctness guaranteed.

It is a small study on one project by SAP, but it is good to know :)