Static vs Dynamic Engine
pfranccino edited this page Jun 15, 2026 · 1 revision
All analyses accept `--engine static|dynamic|auto` (default `static`).

| | static (default) | dynamic | auto |
|---|---|---|---|
| How it gets dependencies | Parses `build.gradle(.kts)` with regex/tree-sitter | Runs `gradlew -I <init script>` and reads what Gradle resolves | Dynamic if `gradlew` is present and configures; otherwise static |
| Accuracy | High for `project(...)` and accessors | Full (Version Catalogs, variables, convention plugins) | Best available |
| Requirements | None (pure Python) | JDK + Gradle wrapper at the root | — |
| Speed | Instant | Depends on build configuration | — |
| Safety | Only reads text (safe on untrusted repos) | Executes the project build | Only runs if wrapper is present |
```bash
# Absolute truth via Gradle
gradle-externals /path/to/project payments --engine dynamic
# Dynamic when possible, static as fallback
gradle-analyzer /path/to/project/app --engine auto
```

`--engine dynamic` executes the analyzed project's build (settings, plugins, convention plugins). Use it only on trusted repos.
The static engine (default) never executes anything: it only reads text. This is the safe option for untrusted repos.
The dynamic engine extracts direct declared dependencies per configuration — the faithful equivalent of what the static parser extracts, but with the truth Gradle actually resolves. Therefore:
- ✅ Correctly resolves Version Catalogs (`libs.versions.toml`), variables, and convention plugins.
- ❌ Does not resolve the transitive graph and requires no network or compilation — it only configures the build.
| Situation | Recommended engine |
|---|---|
| Unknown repo / CI over forks | static |
| Own project with Version Catalogs or convention plugins | dynamic |
| Want the best available without thinking about it | auto |
| No JDK / Gradle wrapper available | static (dynamic doesn't apply) |
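
The recommendations above written as a CI gate. This is an added example, not part of the project's own tooling: `choose_engine`, `analyze`, the `trusted` label and the `JAVA_BIN` variable are assumptions. Untrusted checkouts are pinned to `static` rather than `auto`, because `auto` runs the build whenever a wrapper is present and configures.

```bash
#!/bin/sh
# Added example (not from the project): choose --engine from checkout trust.
# choose_engine, analyze, the "trusted" label and JAVA_BIN are assumptions.

# choose_engine <project_root> <trust>
# Prints "static" or "dynamic". Anything other than the exact label "trusted"
# is treated as untrusted and pinned to static, which only reads text.
# "auto" is never returned: it would run the build whenever gradlew is present.
choose_engine() {
  ce_root=$1
  ce_trust=$2
  ce_java=${JAVA_BIN:-java}

  if [ "$ce_trust" != "trusted" ]; then
    echo static
    return 0
  fi
  # Dynamic requires a Gradle wrapper at the root and a JDK.
  if [ -f "$ce_root/gradlew" ] && command -v "$ce_java" >/dev/null 2>&1; then
    echo dynamic
  else
    echo static
  fi
}

# analyze <project_root> <module> <trust>
# Logs the decision to stderr, then runs the analysis with the chosen engine.
analyze() {
  an_engine=$(choose_engine "$1" "$3")
  echo "gradle-externals: root=$1 module=$2 trust=$3 engine=$an_engine" >&2
  gradle-externals "$1" "$2" --engine "$an_engine"
}

# Usage in CI (constructed paths):
#   analyze "$PWD/fork-checkout" payments untrusted   # always static
#   analyze "$PWD/own-repo" payments trusted          # dynamic when possible
```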