From 1305fb57246a0948d7fb250ca50a19ce544f1417 Mon Sep 17 00:00:00 2001 From: Elliotte Rusty Harold Date: Mon, 7 Jul 2025 07:08:27 -0400 Subject: [PATCH 1/2] unconditionally ignore dependencies known to be loaded by reflection --- .../dependency/analyze/AbstractAnalyzeMojo.java | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/main/java/org/apache/maven/plugins/dependency/analyze/AbstractAnalyzeMojo.java b/src/main/java/org/apache/maven/plugins/dependency/analyze/AbstractAnalyzeMojo.java index b88675377..0fda8b8a0 100644 --- a/src/main/java/org/apache/maven/plugins/dependency/analyze/AbstractAnalyzeMojo.java +++ b/src/main/java/org/apache/maven/plugins/dependency/analyze/AbstractAnalyzeMojo.java @@ -78,7 +78,7 @@ public abstract class AbstractAnalyzeMojo extends AbstractMojo { private boolean verbose; /** - * Ignore Runtime/Provided/Test/System scopes for unused dependency analysis. + * Ignore runtime/provided/test/system scopes for unused dependency analysis. *

* Non-test scoped list will be not affected. */ @@ -86,7 +86,7 @@ public abstract class AbstractAnalyzeMojo extends AbstractMojo { private boolean ignoreNonCompile; /** - * Ignore Runtime scope for unused dependency analysis. + * Ignore runtime scope for unused dependency analysis. * * @since 3.2.0 */ @@ -211,13 +211,18 @@ public abstract class AbstractAnalyzeMojo extends AbstractMojo { * segment is treated as an implicit wildcard. * *

* For example, org.apache.* matches all artifacts whose group id starts with - * org.apache., and :::*-SNAPSHOT will match all snapshot artifacts. + * org.apache., and :::*-SNAPSHOT matches all snapshot artifacts. *

* + *

Certain dependencies that are known to be used and loaded by reflection + * are always ignored. This includes {@code org.slf4j:slf4j-simple::}.

+ * * @since 2.10 */ - @Parameter(defaultValue = "org.slf4j:slf4j-simple::") - private String[] ignoredUnusedDeclaredDependencies; + @Parameter + private String[] ignoredUnusedDeclaredDependencies = new String[0]; + + private String[] unconditionallyIgnoredDeclaredDependencies = {"org.slf4j:slf4j-simple::"}; /** * List of dependencies that are ignored if they are in not test scope but are only used in test classes. @@ -361,6 +366,7 @@ private boolean checkDependencies() throws MojoExecutionException { ignoredUnusedDeclared.addAll(filterDependencies(unusedDeclared, ignoredDependencies)); ignoredUnusedDeclared.addAll(filterDependencies(unusedDeclared, ignoredUnusedDeclaredDependencies)); + ignoredUnusedDeclared.addAll(filterDependencies(unusedDeclared, unconditionallyIgnoredDeclaredDependencies)); if (ignoreAllNonTestScoped) { ignoredNonTestScope.addAll(filterDependencies(nonTestScope, new String[] {"*"})); From c8dcb37be7b27606aff5db1a9970a76cba06bbec Mon Sep 17 00:00:00 2001 From: Elliotte Rusty Harold Date: Mon, 7 Jul 2025 08:29:06 -0400 Subject: [PATCH 2/2] docs --- ...ependencies-from-dependency-analysis.apt.vm | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/src/site/apt/examples/exclude-dependencies-from-dependency-analysis.apt.vm b/src/site/apt/examples/exclude-dependencies-from-dependency-analysis.apt.vm index 706127f14..4514937df 100644 --- a/src/site/apt/examples/exclude-dependencies-from-dependency-analysis.apt.vm +++ b/src/site/apt/examples/exclude-dependencies-from-dependency-analysis.apt.vm 
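Review bot: The new `unconditionallyIgnoredDeclaredDependencies` field is a mutable per-instance array although it holds a fixed built-in list. It would be clearer, and safe from accidental reassignment, as `private static final String[] UNCONDITIONALLY_IGNORED_DECLARED_DEPENDENCIES = {"org.slf4j:slf4j-simple::"};`, with the use in `checkDependencies` renamed to match. Moving the pattern out of the `@Parameter` default also appears to remove the opt-out: previously an explicit `ignoredUnusedDeclaredDependencies` configuration would presumably have replaced the default, so an unneeded `slf4j-simple` declaration could still be reported. The Javadoc on the parameter says the entry is always ignored, but the list itself carries no explanation. A comment on the constant such as `// Always ignored: loaded reflectively, so bytecode analysis cannot see the use.` would keep the reason next to it.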
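Review bot: The built-in matches from the added `filterDependencies(unusedDeclared, unconditionallyIgnoredDeclaredDependencies)` call go into the same `ignoredUnusedDeclared` collection as the user-configured ones. Whatever reports that collection later therefore cannot tell a dependency the user chose to ignore from one the plugin suppressed on its own. Unless the reporting code outside this hunk distinguishes them, the hard-coded suppression is invisible to anyone auditing a project's declared dependencies from the build output. Consider holding the result of this third call in a local and logging it before the `addAll`, for example `getLog().debug("Ignoring built-in reflection-loaded dependencies: " + builtInIgnored);`. `checkDependencies` starts and ends outside the hunk.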
@@ -28,16 +28,18 @@ Exclude dependencies from dependency analysis A project's dependencies can be analyzed as part of the build process by binding the <<>> goal to the lifecycle. By default, the analysis will be performed during the <<>> lifecycle phase. - In rare cases it is possible to have dependencies that are - legitimate on the classpath but cause either "Declared but unused" - or "Undeclared but used" warnings. The most common case is with jars - that contain annotations and the byte code analysis is unable to - determine whether a jar is actually required or not. + It is possible to have necessary dependencies on the classpath that + cause either "Declared but unused" or "Undeclared but used" warnings. + One common cause of byte code analysis being unable to + determine whether a jar is required are annotations with + source retention. Another common cause is + a class that is loaded by reflection at runtime. - The plugin can then be configured to ignore dependencies that are - "declared but unused", "undeclared but used", and "non-test scoped" - in selected list or in all simultaneously. + The dependency plugin does not warn about a few common dependencies + where its analysis is known to be unreliable, most notably SLF4J. + If you encounter other false positives, you can configure the plugin to ignore particular + dependencies that are "declared but unused", "undeclared but used", and "non-test scoped". See the following POM configuration for an example: +---+