Produced web application archive (gradle assemble) contains a lot of unnecessary dependencies

[davidkron]

So, I am currently analyzing and upgrading some application dependencies, which appeared in our dependency check software. During the research I also discovered, that the resulting war file of a Grails application contains a lot of dependencies, which IMHO should not be part of a production web application artifact. For example, I personally would not expect it to contain anything that is related to CLI stuff or testing.

Some dependencies I found in the resulting artifact of a newly created Grails application were:

• Ant
• Picocli
• JUnit
• TestNG
• spring-test
• opentest4j

The list is not finite, there might be more.
This might also be related to #11753 which always includes H2 and HSQLDB even though it is not specified in build.gradle.

Is this expected?
Or am I missing something in my train of thought?

Task List

• Steps to reproduce provided
• Stacktrace (if present) provided
• Example that reproduces the problem uploaded to Github
• Full description of the issue provided (see below)

Steps to Reproduce

1. sdk install grails 5.0.1
2. sdk use grails 5.0.1
3. grails create-app myapp
4. cd myapp
5. ./gradlew assemble

Expected Behaviour

Production web archive should contain only necessary dependencies.

Actual Behaviour

$ unzip -t ./build/libs/myapp-0.1.war | egrep 'ant|junit|picocli|opentest4j|spring-test|testng'
    testing: WEB-INF/lib/groovy-ant-3.0.7.jar   OK
    testing: WEB-INF/lib/groovy-cli-picocli-3.0.7.jar   OK
    testing: WEB-INF/lib/groovy-test-junit5-3.0.7.jar   OK
    testing: WEB-INF/lib/groovy-testng-3.0.7.jar   OK
    testing: WEB-INF/lib/spring-test-5.3.12.jar   OK
    testing: WEB-INF/lib/ant-junit-1.10.9.jar   OK
    testing: WEB-INF/lib/ant-1.10.12.jar   OK
    testing: WEB-INF/lib/junit-4.13.2.jar   OK
    testing: WEB-INF/lib/antlr-2.7.7.jar   OK
    testing: WEB-INF/lib/ant-launcher-1.10.12.jar   OK
    testing: WEB-INF/lib/ant-antlr-1.10.9.jar   OK
    testing: WEB-INF/lib/junit-platform-launcher-1.7.2.jar   OK
    testing: WEB-INF/lib/junit-jupiter-engine-5.7.2.jar   OK
    testing: WEB-INF/lib/junit-platform-engine-1.7.2.jar   OK
    testing: WEB-INF/lib/junit-jupiter-api-5.7.2.jar   OK
    testing: WEB-INF/lib/junit-platform-commons-1.7.2.jar   OK
    testing: WEB-INF/lib/picocli-4.6.1.jar   OK
    testing: WEB-INF/lib/testng-7.3.0.jar   OK
    testing: WEB-INF/lib/opentest4j-1.2.0.jar   OK

Environment Information

• Operating System: Windows 11
• Grails Version: 5.0.1 (I think in Grails 4.x aswell)
• JDK Version: 11

[jeffscottbrown]

FYI... If you review the Gradle dependency report in a project you can evaluate the paths to transitive dependencies which can be helpful in identifying things that need to be there and help identify things that likely don't need to be there.

[davidkron]

@jeffbrown Thank you for the suggestion. I tried to analyze a bit where the dependencies are coming from, but I am not 100%
confident about me understanding it completely. But maybe this can help for further investigation.

I did try to aggregate the relevant parts of gradle dependencies for the mentioned dependencies from my initial comment. I was not 100% sure which configuration was relevant for building the final application artifact, but my guess would generally be runtimeClasspath. Also there seems to exist a configuration productionRuntimeClasspath, which is added by Spring Boot and doesn't include developmentOny dependencies, so this seemed like it might actually be the candidate to analyze the dependencies.

I did run gradle dependencies for a newly created Grails 5.0.1 application (grails create-app).

It seems like a lot of those dependencies are initially included by org.grails.plugins:cache, which depends on gpars which in turn includes groovy-all. Also grails-plugin-url-mappings seems to pull in junit and org.grails:grails-plugin-i18n is doing the same with groovy-ant. spring-test seems to be necessary in a lot of Grails plugins, so maybe this is actually needed, but it still seems suspicious to me.

Also some dependencies are referenced in BOM-dependencies, but I presume those only define the versions of dependencies and will not actively pull them into the application.

ant

productionRuntimeClasspath
+--- org.grails:grails-core -> 5.0.1
|    +--- io.micronaut.spring:micronaut-spring-context:4.0.0
|    |    +--- io.micronaut.spring:micronaut-spring:4.0.0
|    |    |    +--- io.micronaut:micronaut-bom:3.0.0-RC1 -> 3.0.3
|    |    |    |    +--- org.codehaus.groovy:groovy-bom:3.0.7
|    |    |    |    |    +--- org.codehaus.groovy:groovy-ant:3.0.7 (c)
|    +--- org.apache.ant:ant:1.10.12
+--- org.grails:grails-plugin-rest -> 5.0.1
|    +--- org.grails:grails-plugin-controllers:5.0.1
|    |    \--- org.grails:grails-plugin-i18n:5.0.1
|    |         \--- org.codehaus.groovy:groovy-ant:3.0.7
|    |              +--- org.apache.ant:ant:1.10.9 -> 1.10.12 (*)

picocli

productionRuntimeClasspath
+--- org.grails:grails-core -> 5.0.1
|    +--- io.micronaut.spring:micronaut-spring-context:4.0.0
|    |    +--- io.micronaut.spring:micronaut-spring:4.0.0
|    |    |    +--- io.micronaut:micronaut-bom:3.0.0-RC1 -> 3.0.3
|    |    |    |    \--- info.picocli:picocli:4.6.1 (c)
+--- org.grails.plugins:cache -> 4.0.3
|    +--- org.codehaus.gpars:gpars:1.2.0
|    |    \--- org.codehaus.groovy:groovy-all:2.1.9 -> 3.0.7
|    |         +--- org.codehaus.groovy:groovy-cli-picocli:3.0.7
|    |         |    \--- info.picocli:picocli:4.5.2 -> 4.6.1

junit

productionRuntimeClasspath
+--- org.grails:grails-core -> 5.0.1
|    +--- io.micronaut.spring:micronaut-spring-context:4.0.0
|    |    +--- io.micronaut.spring:micronaut-spring:4.0.0
|    |    |    +--- io.micronaut:micronaut-bom:3.0.0-RC1 -> 3.0.3
|    |    |    |    +--- org.junit:junit-bom:5.7.2
|    |    |    |    +--- io.micronaut.test:micronaut-test-bom:3.0.2
|    |    |    |    |    +--- org.junit:junit-bom:5.7.2 (*)
+--- org.grails:grails-plugin-url-mappings -> 5.0.1
|    \--- junit:junit:4.13.2
+--- org.grails.plugins:cache -> 4.0.3
|    +--- org.codehaus.gpars:gpars:1.2.0
|    |    \--- org.codehaus.groovy:groovy-all:2.1.9 -> 3.0.7
|    |         +--- org.codehaus.groovy:groovy-test-junit5:3.0.7
|    |         |    +--- org.codehaus.groovy:groovy:3.0.7
|    |         |    +--- org.junit.jupiter:junit-jupiter-api:5.7.0 -> 5.7.2
|    |         |    |    \--- org.junit.platform:junit-platform-commons:1.7.2
|    |         |    |         \--- org.junit:junit-bom:5.7.2 (*)
|    |         |    +--- org.junit.platform:junit-platform-launcher:1.7.0 -> 1.7.2
|    |         |    |    \--- org.junit.platform:junit-platform-engine:1.7.2
|    |         |    |         +--- org.junit:junit-bom:5.7.2 (*)
|    |         |    \--- org.junit.jupiter:junit-jupiter-engine:5.7.0 -> 5.7.2
|    |         |         +--- org.junit:junit-bom:5.7.2 (*)

groovy-test-junit5

productionRuntimeClasspath
+--- org.grails:grails-core -> 5.0.1
|    +--- io.micronaut.spring:micronaut-spring-context:4.0.0
|    |    +--- io.micronaut.spring:micronaut-spring:4.0.0
|    |    |    +--- io.micronaut:micronaut-bom:3.0.0-RC1 -> 3.0.3
|    |    |    |    +--- org.codehaus.groovy:groovy-bom:3.0.7
|    |    |    |    |    +--- org.codehaus.groovy:groovy-test-junit5:3.0.7 (c)
+--- org.grails.plugins:cache -> 4.0.3
|    +--- org.codehaus.gpars:gpars:1.2.0
|    |    \--- org.codehaus.groovy:groovy-all:2.1.9 -> 3.0.7
|    |         +--- org.codehaus.groovy:groovy-test-junit5:3.0.7

groovy-testng

productionRuntimeClasspath
+--- org.grails:grails-core -> 5.0.1
|    +--- io.micronaut.spring:micronaut-spring-context:4.0.0
|    |    +--- io.micronaut.spring:micronaut-spring:4.0.0
|    |    |    +--- io.micronaut:micronaut-bom:3.0.0-RC1 -> 3.0.3
|    |    |    |    +--- org.codehaus.groovy:groovy-bom:3.0.7
|    |    |    |    |    +--- org.codehaus.groovy:groovy-testng:3.0.7 (c)
+--- org.grails.plugins:cache -> 4.0.3
|    +--- org.codehaus.gpars:gpars:1.2.0
|    |    \--- org.codehaus.groovy:groovy-all:2.1.9 -> 3.0.7
|    |         +--- org.codehaus.groovy:groovy-testng:3.0.7

spring-test

productionRuntimeClasspath
+--- org.grails:grails-web-boot -> 5.0.1
|    +--- org.springframework:spring-test:5.3.12
|    \--- org.grails:grails-web-common:5.0.1
|         +--- org.springframework:spring-test:5.3.12 (*)
+--- org.grails:grails-plugin-rest -> 5.0.1
|    +--- org.springframework:spring-test:5.3.12 (*)
|    +--- org.grails:grails-web:5.0.1
|    |    +--- org.springframework:spring-test:5.3.12 (*)
|    |    +--- org.grails:grails-web-databinding:5.0.1
|    |    |    +--- org.springframework:spring-test:5.3.12 (*)
|    |    +--- org.grails:grails-web-fileupload:5.0.1
|    |    |    +--- org.springframework:spring-test:5.3.12 (*)
|    |    +--- org.grails:grails-web-url-mappings:5.0.1
|    |    |    +--- org.springframework:spring-test:5.3.12 (*)
|    |    +--- org.grails:grails-web-mvc:5.0.1
|    |    |    +--- org.springframework:spring-test:5.3.12 (*)
|    +--- org.grails:grails-plugin-controllers:5.0.1
|    |    +--- org.springframework:spring-test:5.3.12 (*)
|    |    +--- org.grails:grails-plugin-mimetypes:5.0.1
|    |    |    +--- org.springframework:spring-test:5.3.12 (*)
|    |    +--- org.grails:grails-plugin-validation:5.0.1
|    |    |    +--- org.springframework:spring-test:5.3.12 (*)
|    |    +--- org.grails:grails-plugin-domain-class:5.0.1
|    |    |    +--- org.springframework:spring-test:5.3.12 (*)
|    |    \--- org.grails:grails-plugin-i18n:5.0.1
|    |         +--- org.springframework:spring-test:5.3.12 (*)
|    +--- org.grails:grails-plugin-datasource:5.0.1
|    |    +--- org.springframework:spring-test:5.3.12 (*)
+--- org.grails:grails-plugin-databinding -> 5.0.1
|    +--- org.springframework:spring-test:5.3.12 (*)
+--- org.grails:grails-plugin-services -> 5.0.1
|    +--- org.springframework:spring-test:5.3.12 (*)
+--- org.grails:grails-plugin-url-mappings -> 5.0.1
|    +--- org.springframework:spring-test:5.3.12 (*)
+--- org.grails:grails-plugin-interceptors -> 5.0.1
|    +--- org.springframework:spring-test:5.3.12 (*)
+--- org.grails.plugins:gsp -> 5.0.1
|    +--- org.grails:grails-plugin-codecs:5.0.0 -> 5.0.1
|    |    +--- org.springframework:spring-test:5.3.12 (*)

opentest4j

productionRuntimeClasspath
+--- org.grails.plugins:cache -> 4.0.3
|    +--- org.codehaus.gpars:gpars:1.2.0
|    |    \--- org.codehaus.groovy:groovy-all:2.1.9 -> 3.0.7
|    |         +--- org.codehaus.groovy:groovy-test-junit5:3.0.7
|    |         |    +--- org.junit.jupiter:junit-jupiter-api:5.7.0 -> 5.7.2
|    |         |    |    +--- org.opentest4j:opentest4j:1.2.0
|    |         |    +--- org.junit.platform:junit-platform-launcher:1.7.0 -> 1.7.2
|    |         |    |    \--- org.junit.platform:junit-platform-engine:1.7.2
|    |         |    |         +--- org.opentest4j:opentest4j:1.2.0