Java dependency management: how many lines of code does my application hold?

A few weeks ago I had the opportunity to give a presentation for the Dutch Java Conference JSpring. The talk was about Java dependency management.

During this talk, I created a simple Spring Boot application and determined the number of lines my java dependencies brought in versus the number of lines I wrote myself. This was to show that your dependencies occupy a large space in your application and need attention too. After the presentation, I published the following tweet that gained a lot of attention and incentivized me to draft this blog post:

Getting the number of lines my Java dependencies bring in

Step1: Generate a Spring Boot application

First of all, I created a Spring Boot application using the Spring Boot Initialzr with web as the only dependency.

This basically means that my project contains spring-boot-starter-web as its only direct dependency.

Step2: Create a Rest controller

Next, I wrote the simplest 4-line REST-endpoint you could think of:

@RestController
public class Controller {

   @GetMapping("/hello")
   public String hello() {  return "hello"; }
}

Step 3: Build the deployable jar

The jar file that is created out of this Java project is a fat jar containing all the jars the project depends on. This is because Spring Boot basically includes the application server with the application itself.

Step 4: Analyse the jar

The next thing I did was to build a simple application that consumes the created Spring Boot jar. It unpacks the jar file and all of the dependencies it holds. All the class files within the jars are decompiled and the lines of code are counted.

Step 5: Collect the results

• Lines of code written: 4

• Jars: 33

• Class files: 9917

• Lines of code: 518772

Some notes on the numbers

The numbers shown above are far from accurate. White lines and lines with a single bracket are omitted so they did not show up in the final count.

It is debatable if we need to analyze these lines better and omit even more, if we want the numbers to be more accurate. In addition, different decompilers will give you different results.

I consider this more of a pseudoscience. Although the numbers are not accurate, it does show the large role dependencies play within our applications. This was my intention.

Take care of your Java dependencies

Ok, the numbers are large, but what does this example actually tell us? First of all, using Spring Boot for a hello world application is overkill. Secondly, Spring Boot is an application server so these large numbers are expected, right?

All these remarks are true. This was the most useless Rest endpoint you could ever write, I agree. However, this emphasizes the fact that dependencies make up for a large percentage of the binary we put into production. As Spring Boot is a framework that is used by tons of Java developers, I deliberately chose it for this example.

Think about it. In this example, the lines of code I wrote is far less than 1% of the total lines of code we push to production. Yet, as a team we are responsible for all of it. If something goes wrong with the application the development team needs to solve it. Having things like code reviewing, pair-programming and automatic static analysis in place definitely helps creating a better codebase. But what about the 99% of the code we use and depend on heavily.

Taking care of your dependencies and upgrading them on time is essential. Importing one package results in many dependencies and many possible attack factors. Creating a java dependency management strategy on how dependencies get picked, updated, and removed is something every development team should consider. From a security perspective, you should at least be warned if one of your dependencies or transitive dependencies has a vulnerability.

Scanning your application using Snyk to detect vulnerabilities in your open source dependencies can help you with this. As Snyk can be used in every step of your Software Development Life Cycle (SDLC) and is highly adaptable, it is perfect for automation. Snyk does not only detect vulnerabilities—it helps detect vulnerabilities as early as possible.

Conclusion

Taking good care of our code is not always enough—we should also keep an eye on our dependencies as they play a huge role in our applications.

By scanning your dependencies with tools like Snyk, vulnerabilities in your dependencies will not slip in unnoticed. Furthermore, implementing a solid java dependency management strategy is crucial in keeping your application maintainable, scalable, predictable, and, most importantly, safe!