false positive advice to remove annotation used library

xenoterracide commented 1 month ago

Build scan link

Plugin version

2.1.1

Gradle version

------------------------------------------------------------
Gradle 8.10.2
------------------------------------------------------------

Build time:    2024-09-23 21:28:39 UTC
Revision:      415adb9e06a516c44b391edff552fd42139443f7

Kotlin:        1.9.24
Groovy:        3.0.22
Ant:           Apache Ant(TM) version 1.10.14 compiled on August 16 2023
Launcher JVM:  21.0.4 (Eclipse Adoptium 21.0.4+7-LTS)
Daemon JVM:    /home/xeno/.asdf/installs/java/temurin-21.0.4+7.0.LTS (no JDK specified, using current Java home)
OS:            Linux 6.6.47-1-MANJARO amd64

Describe the bug

That library has usages, it's used on package and in module-info (yes, I know on the latter not supported)

  Advice for :security-model
  Unused dependencies which should be removed:
    implementation(libs.spring.modulith.api)

To Reproduce Steps to reproduce the behavior:

speculatively, a library is used only with annotations that are annotating a package-info class

/**
 * The {@link com.xenoterracide.model.security.user.User} aggregate.
 */
@DomainLayer
@NamedInterface
package com.xenoterracide.model.security.user;

import org.jmolecules.architecture.layered.DomainLayer;
import org.springframework.modulith.NamedInterface;

Expected behavior

no error. implementation is the correct scope.

Additional context

wasn't reported in 1.x

pexa-dnugent commented 1 month ago

I see the same thing with Kotlin-reflect, although the advice here is to make it runtime only. The problem is that if I do that, I get compiler warnings.

autonomousapps commented 1 month ago

Please test the latest version, there have been a lot of changes/fixes around this lately.

autonomousapps / dependency-analysis-gradle-plugin

false positive advice to remove annotation used library #1274