Spring Boot version 2.7.17

When packaging an application JAR file, spring-boot-maven-plugin adds JARs that are only referenced indirectly via dependencies with test scope.

Example: Suppose your application has the following dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <scope>test</scope>
</dependency>

Build it and inspect the BOOT-INF/lib directory of the result. spring-boot-starter-test.jar will not be there (correct) but its (possibly indirect) dependency json-smart.jar will be there (incorrect).

It seems that spring-boot-maven-plugin excludes only artifacts with test scope but fails to exclude their transitive dependencies that do not have this scope.

Including unwanted code in the JAR is a kind of security issue.
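As an added check that is not part of this issue or of Spring Boot, the following Python script compares the jars in a fat jar's BOOT-INF/lib against Maven's runtime-scope dependency list (the output of `mvn dependency:list -DincludeScope=runtime`, replaced here by a constructed sample) and reports any jar that neither that list nor the plugin-added layertools jar explains. The in-memory jar, its entries and the json-smart version 0.0.0 are constructed for the demonstration.

```python
import io
import zipfile

# Constructed stand-in for `mvn dependency:list -DincludeScope=runtime` output
# (one `groupId:artifactId:type[:classifier]:version:scope` line per artifact).
SAMPLE_DEPENDENCY_LIST = """\
The following files have been resolved:
   org.springframework.boot:spring-boot:jar:2.7.17:compile
   org.springframework:spring-core:jar:5.3.30:compile
   org.yaml:snakeyaml:jar:1.30:compile
"""

# Jars the Spring Boot Maven plugin itself adds to BOOT-INF/lib; they are not
# Maven dependencies, so they must be allowed explicitly (matched by artifactId).
PLUGIN_ADDED = ("spring-boot-jarmode-layertools-",)


def parse_dependency_list(text):
    """Map each runtime jar-type coordinate to its expected BOOT-INF/lib file name."""
    names = set()
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 5:
            _group, artifact, packaging, version, _scope = parts
            classifier = ""
        elif len(parts) == 6:
            _group, artifact, packaging, classifier, version, _scope = parts
        else:
            continue  # banner lines and blank lines carry no coordinate
        if packaging == "jar":  # Maven names files artifactId-version[-classifier].jar
            names.add(f"{artifact}-{version}{'-' + classifier if classifier else ''}.jar")
    return names


def unexpected_libs(jar_bytes, allowed_names):
    """Return sorted BOOT-INF/lib jars explained neither by the runtime list nor by the plugin."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        libs = {n.rsplit("/", 1)[1] for n in jar.namelist()
                if n.startswith("BOOT-INF/lib/") and n.endswith(".jar")}
    return sorted(n for n in libs - allowed_names if not n.startswith(PLUGIN_ADDED))


def build_sample_jar():
    """Constructed fat jar (empty entries) with one jar the runtime list does not cover."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in ("spring-boot-2.7.17.jar", "spring-core-5.3.30.jar", "snakeyaml-1.30.jar",
                     "spring-boot-jarmode-layertools-2.7.17.jar",
                     "json-smart-0.0.0.jar"):  # 0.0.0 is a constructed version
            jar.writestr(f"BOOT-INF/lib/{name}", b"")
    return buf.getvalue()
```

Against a real build, feed it the bytes of target/*.jar and the saved output of `mvn dependency:list -DincludeScope=runtime -DoutputFile=deps.txt`; an empty result means every bundled jar is accounted for by a runtime-scope dependency.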

Comment From: wilkinsona

I cannot reproduce the behavior that you have described.

        <dependencies>
                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter</artifactId>
                </dependency>

                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-test</artifactId>
                        <scope>test</scope>
                </dependency>
        </dependencies>

Packaging a jar using the above pom results in the following entries in BOOT-INF/lib:

  1466649  10-19-2023 06:19   BOOT-INF/lib/spring-boot-2.7.17.jar
  1275641  09-14-2023 07:45   BOOT-INF/lib/spring-context-5.3.30.jar
   384533  09-14-2023 07:45   BOOT-INF/lib/spring-aop-5.3.30.jar
   706239  09-14-2023 07:45   BOOT-INF/lib/spring-beans-5.3.30.jar
   293172  09-14-2023 07:45   BOOT-INF/lib/spring-expression-5.3.30.jar
  1690219  10-19-2023 06:18   BOOT-INF/lib/spring-boot-autoconfigure-2.7.17.jar
   231811  03-23-2023 21:02   BOOT-INF/lib/logback-classic-1.2.12.jar
   448860  03-23-2023 21:02   BOOT-INF/lib/logback-core-1.2.12.jar
    18010  02-23-2022 13:30   BOOT-INF/lib/log4j-to-slf4j-2.17.2.jar
   302511  02-23-2022 13:28   BOOT-INF/lib/log4j-api-2.17.2.jar
     4519  02-08-2022 13:31   BOOT-INF/lib/jul-to-slf4j-1.7.36.jar
    25058  08-02-2019 11:08   BOOT-INF/lib/jakarta.annotation-api-1.3.5.jar
  1489327  02-01-1980 00:00   BOOT-INF/lib/spring-core-5.3.30.jar
    25081  09-14-2023 07:44   BOOT-INF/lib/spring-jcl-5.3.30.jar
   331605  12-14-2021 18:31   BOOT-INF/lib/snakeyaml-1.30.jar
    41125  02-08-2022 13:31   BOOT-INF/lib/slf4j-api-1.7.36.jar
    29514  02-01-1980 00:00   BOOT-INF/lib/spring-boot-jarmode-layertools-2.7.17.jar

If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.

Comment From: gbrdead

I am sorry, "mvn dependency:tree" incorrectly stated that json-smart is a dependency only of spring-boot-starter-test, while it is also a dependency of another non-test artifact.