I am using proguard-maven-plugin in my multi-module maven project with spring boot. By no means, I am not an expert and still learning how to make use of all features provided with ProGuard, so bear with me. ProGuard dependency:
<groupId>com.github.wvengen</groupId>
<artifactId>proguard-maven-plugin</artifactId>
<version>2.1.1</version>
Final product is a .jar file which is depending on a successfully obfuscated module with core functionalities . After compiling and packaging the product jar with maven, its structure looks like (using jd-gui-1.6.6 to inspect the content of product jar):
BOOT-INF
|_classes
|_com.my.package
|_a(ObfuscatedModule package after obfuscation)
|_b.class
|_c.class
|_...
|_Main.class
|_...
|_lib
|_ObfuscatedModule.jar
|_NonObfuscatedClass1.class
|_NonObfuscatedClass2.class
|_NonObfuscatedClass3.class
|_...
META-INF
org.springframework.boot.loader
Since the point of obfuscation is to hide the module with core functionalities, I would like to also exclude from the lib directory inside the product jar. After going through the proguard examples, I haven't found the way to do it. Is it possible to exclude or at least obfuscate the core .jar module in /lib ?
EDIT: I have tried to bypass generating a separate folder with dependencies by using maven-shade-plugin, creating an uber JAR. When used, it adds all the dependencies to the classpath and afterwards ProGuard plugin is used to obfuscate what needs to be obfuscated. Structure of the project looks satisfying, with the dependencies added to classpath and obfuscated correctly. But when I try to run the shaded jar, I keep getting the following error:
Error: Could not find or load main class com.my.package.Main
The Main class is found in the jar and I know it's not related to the initial issue, but I have resorted to every possible solution found on SO and internet - no luck.
So, after a bit of struggle, I found a solution to my issue. Firstly, I added a <scope/> of "provided" (link to docs) to the dependencies I wanted out of the lib folder :
<dependency>
<groupId>com.myCompany</groupId>
<artifactId>module_to_be_excluded</artifactId>
<version>${project.version}</version>
<scope>provided</scope>
</dependency>
Afterwards, I ran mvn clean install and inspected the output .jar, but the dependencies were still found in the lib folder. Missing piece was adding <excludeGroupIds>com.myCompany</excludeGroupIds>in spring-boot-maven-plugin inside the pom.xml of the module that was being obfuscated:
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<fork>true</fork>
<skip>false</skip>
<profiles>dev</profiles>
<excludeGroupIds>com.myCompany</excludeGroupIds>
</configuration>
...
Reason why modules with groupId = com.myCompany are being excluded is because some of the modules that are being developed are also being obfuscated (hence the same groupId). There is no point in obfuscating code which someone can easily inspect, while also finding those unobfuscated jars in the lib folder.