Instant, fully offline dependency analysis for Spring Boot, Maven & Gradle projects — right inside VS Code.
Spring Toolkit AI scans your pom.xml or build.gradle and surfaces CVEs, version conflicts, outdated libraries, deprecated artifacts, license issues, and compatibility problems — with zero internet access required after install.
Features
Vulnerability Scanner (CVE / OWASP)
Matches your dependencies against a built-in CVE database covering Log4Shell, Spring4Shell, Spring Security bypasses, SnakeYAML DoS, H2 RCE, and 25+ critical Java ecosystem vulnerabilities. Results appear instantly in the Problems panel and the Vulnerabilities tree view.
Version Conflict Detector
Detects when the same artifact is declared at multiple versions across your dependency graph, shows the conflicting declarations, and explains Maven's nearest-wins resolution strategy.
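The nearest-wins rule the detector explains, worked through on a small dependency graph. This is an added example in Python, not the extension's own source: the coordinates and edges below are constructed sample data, and in a real project the transitive edges would come from each dependency's POM.

```python
"""Added example (not part of Spring Toolkit AI): resolve a constructed Maven
dependency graph with the nearest-wins rule and report every artifact that is
declared at more than one version."""
from collections import deque

# Constructed sample graph. Keys are "group:artifact:version" coordinates,
# values are that node's own declared dependencies, in declaration order.
SAMPLE_GRAPH = {
    "com.example:app:1.0.0": [
        "org.springframework:spring-core:5.3.20",
        "com.example:lib-a:2.0.0",
        "com.fasterxml.jackson.core:jackson-databind:2.13.0",
    ],
    "com.example:lib-a:2.0.0": [
        "org.springframework:spring-core:6.0.0",
        "com.example:lib-b:1.0.0",
    ],
    "com.example:lib-b:1.0.0": [
        "com.fasterxml.jackson.core:jackson-databind:2.15.2",
        "org.springframework:spring-core:5.2.0",
    ],
    "org.springframework:spring-core:5.3.20": [],
    "org.springframework:spring-core:6.0.0": [],
    "org.springframework:spring-core:5.2.0": [],
    "com.fasterxml.jackson.core:jackson-databind:2.13.0": [],
    "com.fasterxml.jackson.core:jackson-databind:2.15.2": [],
}


def split_coord(coord):
    """'group:artifact:version' -> ('group:artifact', 'version')."""
    group, artifact, version = coord.split(":")
    return f"{group}:{artifact}", version


def resolve_nearest_wins(graph, root):
    """Breadth-first walk from the root: the first version of an artifact
    reached (shallowest path, then declaration order) wins. Only the winning
    node's dependencies are walked further, as Maven does for omitted
    duplicates. Returns (resolved, declarations) where declarations maps
    'group:artifact' -> [(version, depth, declared_by), ...]."""
    resolved = {}
    declarations = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for child in graph.get(node, []):
            key, version = split_coord(child)
            declarations.setdefault(key, []).append((version, depth + 1, node))
            if key not in resolved:
                resolved[key] = version
                queue.append((child, depth + 1))
    return resolved, declarations


def find_conflicts(declarations, resolved):
    """Artifacts declared with more than one distinct version."""
    conflicts = {}
    for key, decls in declarations.items():
        if len({v for v, _, _ in decls}) > 1:
            conflicts[key] = {"winner": resolved[key], "declared": decls}
    return conflicts


if __name__ == "__main__":
    resolved, decls = resolve_nearest_wins(SAMPLE_GRAPH, "com.example:app:1.0.0")
    for key, info in find_conflicts(decls, resolved).items():
        print(f"{key}: resolved to {info['winner']}")
        for version, depth, declared_by in info["declared"]:
            state = "kept" if version == info["winner"] else "omitted"
            print(f"    {version} at depth {depth} via {declared_by} ({state})")
```

Note what the sample shows: jackson-databind 2.13.0 wins because it is declared directly by the root, even though 2.15.2 sits deeper in the graph. Nearest-wins is deterministic but version-blind, which is why a conflict report is worth reading rather than trusting that "the newer one" is on the classpath.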
Upgrade Advisor
Flags outdated dependencies and classifies each upgrade as patch / minor / major, marks breaking changes, and links to migration notes — covering Spring Boot 2→3, Spring Security 5→6, Hibernate 5→6, Log4j 1.x→2.x, Flyway 8→9, and more.
Deprecation Checker
Identifies end-of-life artifacts (Netflix Hystrix, Ribbon, Zuul, Spring Security OAuth, javax.* namespace) and recommends their modern replacements.
License Analyzer
Detects copyleft licenses (GPL, LGPL, AGPL) in your dependency tree using the SPDX registry and warns you before distribution obligations sneak into your project.
Compatibility Matrix
Cross-checks your dependency versions against known incompatibilities:
- Spring Boot 3.x requires Java 17+ and Jakarta EE 9+ (jakarta.* namespace)
- Springfox incompatibility with Spring Boot 2.6+
- Tomcat 9 vs Tomcat 10 namespace split
- Spring Cloud release train alignment
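Two of the rules above (Spring Boot 3.x needing Java 17+ and the jakarta.* namespace, and Springfox against Spring Boot 2.6+) applied to a pom.xml, as an added example that is not the extension's code. The sample POM is constructed, and the rule identifiers and helper names are made up for the illustration; only the thresholds come from the list above.

```python
"""Added example (not part of Spring Toolkit AI): parse a pom.xml and apply
two compatibility rules from the README's matrix."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: Spring Boot 3 parent, Java 11, Springfox, javax.*
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.1.5</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <java.version>11</java.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.springfox</groupId>
      <artifactId>springfox-boot-starter</artifactId>
      <version>3.0.0</version>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>4.0.1</version>
    </dependency>
  </dependencies>
</project>
"""


def version_tuple(version):
    """'3.1.5' -> (3, 1, 5); non-numeric qualifiers are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version or "")[:3])


def java_feature_version(value):
    """'17' -> 17, '11' -> 11, and the legacy '1.8' form -> 8."""
    if not value:
        return None
    parts = value.strip().split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group())


def parse_pom(xml_text):
    """Extract the Spring Boot parent version, java.version and declared
    dependencies. The POM namespace is stripped so paths stay short."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    boot = None
    if root.findtext("parent/artifactId", default="").strip() == "spring-boot-starter-parent":
        boot = root.findtext("parent/version", default="").strip() or None
    props_el = root.find("properties")
    props = {} if props_el is None else {p.tag: (p.text or "").strip() for p in props_el}
    java = props.get("java.version") or props.get("maven.compiler.release")
    deps = [(d.findtext("groupId", default="").strip(),
             d.findtext("artifactId", default="").strip())
            for d in root.findall("dependencies/dependency")]
    return {"spring_boot": boot, "java": java, "dependencies": deps}


def check_compatibility(model):
    """Return a list of (rule_id, message); rule ids are made up here."""
    findings = []
    boot = version_tuple(model["spring_boot"])
    java = java_feature_version(model["java"])
    deps = model["dependencies"]
    if boot and boot[0] >= 3:
        if java is not None and java < 17:
            findings.append(("boot3-java17",
                             f"Spring Boot {model['spring_boot']} requires Java 17+, "
                             f"but java.version is {model['java']}"))
        javax = [f"{g}:{a}" for g, a in deps if g.startswith("javax.")]
        if javax:
            findings.append(("boot3-jakarta",
                             "Spring Boot 3.x uses the jakarta.* namespace; "
                             "javax.* artifacts declared: " + ", ".join(javax)))
    if boot and boot[:2] >= (2, 6) and any(g == "io.springfox" for g, _ in deps):
        findings.append(("springfox-boot26",
                         f"Springfox is incompatible with Spring Boot 2.6+ "
                         f"(found Spring Boot {model['spring_boot']})"))
    return findings


if __name__ == "__main__":
    for rule, message in check_compatibility(parse_pom(SAMPLE_POM)):
        print(f"[{rule}] {message}")
```

The parser only reads what is literally in the file: a Boot version inherited from a parent that is not spring-boot-starter-parent, or a Java level set through a plugin configuration, would not be detected, which is the same "declared dependencies only" caveat the extension lists under Known Limitations.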
Interactive Dependency Graph
Force-directed graph rendering (no internet, no CDN) with:
- Colour-coded severity (vulnerability / conflict / upgrade / healthy)
- Filter by scope, severity, and depth
- Search and highlight
- Click-through to dependency detail panel
Health Score
A 0–100 score summarising the overall dependency health of your project, shown in the VS Code status bar at all times.
VS Code Problems Panel Integration
Every vulnerability, conflict, and compatibility issue is written directly to the Problems panel (View → Problems) so you can see them alongside your source errors.
Report Export
Export full analysis reports as HTML, Markdown, JSON, or CSV for sharing with your team or attaching to pull requests.
Supported Technologies
| Category | Technologies |
| --- | --- |
| Build Systems | Maven (pom.xml), Gradle Groovy, Gradle Kotlin DSL, Version Catalogs (libs.versions.toml) |
| Frameworks | Spring Boot, Spring Cloud, Spring Security, Spring Data, Spring Batch, Spring AI |
| Persistence | Hibernate ORM, Spring Data JPA, Flyway, Liquibase |
| Messaging | Apache Kafka, ActiveMQ, Apache Camel |
| Observability | Micrometer, Spring Boot Actuator |
| API / Docs | Springdoc OpenAPI, Springfox (deprecated) |
| Resilience | Resilience4j, Spring Circuit Breaker |
| Servers | Apache Tomcat, Undertow, Netty |
| Cloud | AWS SDK v1/v2, Google Cloud, Azure SDK |
| Testing | JUnit 5, Mockito, AssertJ, Testcontainers |
Getting Started
- Open a Maven or Gradle project in VS Code (any folder containing pom.xml or build.gradle)
- The extension activates automatically and runs an initial analysis
- Click the Dependency Doctor icon in the Activity Bar to open the sidebar
- Results appear in six tree views: Dependencies, Vulnerabilities, Conflicts, Upgrades, Deprecated, Licenses
Manual Analysis
- Click the search icon (⌕) in the Dependencies tree view header
- Run Dependency Doctor: Analyze Workspace from the Command Palette (Ctrl+Shift+P)
- Keyboard shortcut: Ctrl+Shift+D A
Requirements
- VS Code 1.85 or later
- A workspace containing pom.xml, build.gradle, or build.gradle.kts
- No internet connection required — all analysis runs 100% locally
Extension Settings
| Setting | Default | Description |
| --- | --- | --- |
| `dependencyDoctor.enabled` | `true` | Enable / disable the analysis engine |
| `dependencyDoctor.analyzeOnSave` | `true` | Re-analyse when a build file is saved |
| `dependencyDoctor.severityThreshold` | `low` | Minimum severity to surface in views |
| `dependencyDoctor.cacheTTLMinutes` | `30` | In-memory cache lifetime |
| `dependencyDoctor.fileCacheTTLDays` | `7` | Disk cache lifetime |
| `dependencyDoctor.maxTransitiveDepth` | `10` | Max depth for transitive resolution |
| `dependencyDoctor.defaultReportFormat` | `html` | Export format (html/json/markdown/csv) |
| `dependencyDoctor.excludePaths` | `["**/target/**", ...]` | Paths to exclude from project discovery |
| `dependencyDoctor.logLevel` | `info` | Output channel verbosity |
Privacy
Spring Toolkit AI performs all analysis locally on your machine. It does not transmit your source code, dependency lists, or any project data to any external server. The built-in knowledge base (CVE database, deprecation data, compatibility rules) ships with the extension and does not require an internet connection to function.
Known Limitations
- Transitive dependency resolution is based on declared dependencies only; mvn dependency:tree output is not used
- BOMs imported via <scope>import</scope> in <dependencyManagement> are resolved by following the local repository; remote-only BOMs fall back to declared versions
- Gradle .kts and TOML version catalog support covers common patterns; complex dynamic versions are normalised to their literal string
Changelog
See CHANGELOG.md.
License
MIT