Automatic Specialization of Third-Party Java Dependencies
César Soto-Valero, Deepika Tiwari, Tim Toady, Benoit Baudry

TL;DR
This paper introduces DepTrim, a technique and tool for automatically specializing Java dependencies by removing unused code, thereby reducing third-party code footprint and improving maintainability and security.
Contribution
It presents a novel systematic approach to identify and package only the necessary parts of dependencies, enabling more efficient and secure Java project builds.
Findings
Specialized dependencies reduce total classes by 42.2%.
DepTrim successfully rebuilds all evaluated projects with specialized dependencies.
Dependency class ratio decreases from 8.7x to 5.0x after specialization.
Abstract
Large-scale code reuse significantly reduces both development costs and time. However, the massive share of third-party code in software projects poses new challenges, especially in terms of maintenance and security. In this paper, we propose a novel technique to specialize dependencies of Java projects, based on their actual usage. Given a project and its dependencies, we systematically identify the subset of each dependency that is necessary to build the project, and we remove the rest. As a result of this process, we package each specialized dependency in a JAR file. Then, we generate specialized dependency trees where the original dependencies are replaced by the specialized versions. This allows building the project with significantly less third-party code than the original. As a result, the specialized dependencies become a first-class concept in the software supply chain, rather…
Taxonomy
Topics: Software Engineering Research · Software System Performance and Reliability · Advanced Software Engineering Methodologies
