spring-gradle-plugins / dependency-management-plugin

A Gradle plugin that provides Maven-like dependency management functionality

When a dependency has been substituted by changing its target, its version is managed based on its original group and artifact IDs #383

Closed cpuzicha closed 2 months ago

cpuzicha commented 2 months ago

We have a local plugin infrastructure that wants to replace BouncyCastle for JDK 1.5 with BouncyCastle for JDK 1.8 due to CVEs. However, the Spring dependency management plugin for some reason triggers a download of the new module (bcprov-jdk18on) with the old version (1.7.0) - and fails.

The error shows up for the tasks dependencies and dependencyInsight, and for everything compilation-related, like assemble.

build.gradle.kts

buildscript {
  project.configurations.all {
    resolutionStrategy.eachDependency {
      if (requested.group == "org.bouncycastle" && requested.name == "bcprov-jdk15on") {
        useTarget("org.bouncycastle:bcprov-jdk18on:1.78.1")
      }
    }
  }
}

plugins {
  `java-library`
  id("io.spring.dependency-management") version "1.1.4"
}

version = "1.0.0"
group = "com.raytion.test"

repositories {
  mavenCentral()
}

dependencies {
  implementation("org.bouncycastle:bcprov-jdk15on:1.70")
}

src/main/java/ForceCompile.java

class ForceCompile {}

Applying the substitution after the Spring plugin would work, but it should not make a difference and is not a viable workaround for us.

build.gradle.kts - working version

plugins {
  `java-library`
  id("io.spring.dependency-management") version "1.1.4"
}

version = "1.0.0"
group = "com.raytion.test"

repositories {
  mavenCentral()
}

configurations.all {
  resolutionStrategy.eachDependency {
    if (requested.group == "org.bouncycastle" && requested.name == "bcprov-jdk15on") {
      useTarget("org.bouncycastle:bcprov-jdk18on:1.78.1")
    }
  }
}

dependencies {
  implementation("org.bouncycastle:bcprov-jdk15on:1.70")
}

wilkinsona commented 2 months ago

It would appear that the plugin hasn't noticed that the dependency has been substituted. It's ensuring that its version is 1.70 due to this behaviour that's described in the documentation. It can be disabled:

dependencyManagement {
    overriddenByDependencies(false)
}

It may be possible for the plugin to detect a substitution and adapt accordingly so that the above workaround isn't necessary.

cpuzicha commented 2 months ago

The given example is just a condensed version - we can't and don't want to globally disable overriddenByDependencies.

wilkinsona commented 2 months ago

Understood, hence me describing it as a workaround above, but I believe it's your only option until we know if it's possible for the plugin to give some special treatment to substituted dependencies. It'll depend on the information that Gradle's APIs make available to the plugin.
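Whichever route is taken (the substitution alone, or the substitution plus the overriddenByDependencies workaround), the thing worth checking is what actually lands on the resolved classpath. The following build.gradle.kts fragment is an added example, not code from the issue or from the plugin; it assumes the java-library plugin is applied (so a runtimeClasspath configuration exists) and treats 1.78.1 as the minimum acceptable bcprov-jdk18on version, and it fails the build if the vulnerable artifact survives the substitution.

```kotlin
// Added example (not from the issue, not the plugin's own code): after the
// substitution has been configured, assert that no vulnerable BouncyCastle
// artifact remains on the resolved runtime classpath. Assumes `java-library`
// is applied and that 1.78.1 is the minimum acceptable version.
val bouncyCastleFloor = "1.78.1"          // assumed minimum acceptable version

// Numeric, dot-separated comparison; non-numeric segments count as 0.
fun versionAtLeast(actual: String, minimum: String): Boolean {
    val a = actual.split(".").map { it.toIntOrNull() ?: 0 }
    val m = minimum.split(".").map { it.toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(a.size, m.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = m.getOrElse(i) { 0 }
        if (x != y) return x > y
    }
    return true
}

tasks.register("verifyBouncyCastle") {
    group = "verification"
    description = "Fails if bcprov-jdk15on, or bcprov-jdk18on below $bouncyCastleFloor, is resolved"
    doLast {
        // Resolve what really ends up on the classpath: after the substitution
        // and after the dependency-management plugin has applied its versions.
        val ids = configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "org.bouncycastle" }
        val offenders = ids.filter { id ->
            id.name == "bcprov-jdk15on" ||
                (id.name == "bcprov-jdk18on" && !versionAtLeast(id.version, bouncyCastleFloor))
        }
        if (offenders.isNotEmpty()) {
            throw GradleException("Vulnerable BouncyCastle on runtimeClasspath: $offenders")
        }
        logger.lifecycle("BouncyCastle check passed: $ids")
    }
}

// Run the check as part of the standard `check` lifecycle task.
tasks.named("check") { dependsOn("verifyBouncyCastle") }
```

With the first build script from the issue, this task fails with the 1.70 coordinates the plugin re-applies; with the working version it reports bcprov-jdk18on:1.78.1 and passes.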