
When a dependency has been substituted by changing its target, its version is managed based on its original group and artifact IDs #383

Closed
cpuzicha opened this issue Apr 30, 2024 · 3 comments

@cpuzicha

We have a local plugin-infrastructure that wants to replace BouncyCastle for JDK 1.5 with BouncyCastle for JDK 1.8 due to CVEs.
However, the Spring dependency management plugin for some reason triggers a download of the new module (bcprov-jdk18on) with the old version (1.7.0) - and fails.

The error shows up for the tasks dependencies, dependencyInsight and everything compilation related, like assemble.

build.gradle.kts

buildscript {
  project.configurations.all {
    resolutionStrategy.eachDependency {
      if (requested.group == "org.bouncycastle" && requested.name == "bcprov-jdk15on") {
        useTarget("org.bouncycastle:bcprov-jdk18on:1.78.1")
      }
    }
  }
}

plugins {
  `java-library`
  id("io.spring.dependency-management") version "1.1.4"
}

version = "1.0.0"
group = "com.raytion.test"

repositories {
  mavenCentral()
}

dependencies {
  implementation("org.bouncycastle:bcprov-jdk15on:1.70")
}

src/main/java/ForceCompile.java

class ForceCompile {}

Applying the substitution after the Spring plugin would work, but it should not make a difference and is not a viable workaround for us.

build.gradle.kts - working version

plugins {
  `java-library`
  id("io.spring.dependency-management") version "1.1.4"
}

version = "1.0.0"
group = "com.raytion.test"

repositories {
  mavenCentral()
}

configurations.all {
  resolutionStrategy.eachDependency {
    if (requested.group == "org.bouncycastle" && requested.name == "bcprov-jdk15on") {
      useTarget("org.bouncycastle:bcprov-jdk18on:1.78.1")
    }
  }
}

dependencies {
  implementation("org.bouncycastle:bcprov-jdk15on:1.70")
}
@wilkinsona
Contributor

It would appear that the plugin hasn't noticed that the dependency has been substituted. It's ensuring that its version is 1.70 due to this behaviour that's described in the documentation. It can be disabled:

dependencyManagement {
    overriddenByDependencies(false)
}

It may be possible for the plugin to detect a substitution and adapt accordingly so that the above workaround isn't necessary.

wilkinsona changed the title from "Crash on dependency substitution for unmanaged dependency" to "When a dependency has been substituted, its version may be managed based on its old group and artifact IDs" on Apr 30, 2024
wilkinsona added this to the 1.1.x milestone on Apr 30, 2024
@cpuzicha
Author

The given example is just a condensed version - we can't, and don't want to, globally disable overriddenByDependencies.

@wilkinsona
Contributor

Understood, hence me describing it as a workaround above, but I believe it's your only option until we know if it's possible for the plugin to give some special treatment to substituted dependencies. It'll depend on the information that Gradle's APIs make available to the plugin.
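Whichever way the substitution is wired up (the buildscript-level rule from the first post, or the workaround above), the thing worth checking is that the vulnerable artifact is actually gone and the replacement resolved at the intended version. The following task is an added example, not code from the issue or from the plugin; it assumes the java-library plugin (so a runtimeClasspath configuration exists) and the BouncyCastle coordinates used above.

```kotlin
// Added example: fail the build unless the BouncyCastle substitution took effect.
// Assumes the `java-library` plugin (for `runtimeClasspath`) and the coordinates
// from this issue; task and value names are chosen here, not from the plugin.
val oldArtifact = "bcprov-jdk15on"
val newArtifact = "bcprov-jdk18on"
val expectedVersion = "1.78.1"

tasks.register("verifyBouncyCastleSubstitution") {
    group = "verification"
    description = "Checks that org.bouncycastle:$oldArtifact was replaced by $newArtifact:$expectedVersion"
    doLast {
        // Resolve at execution time, i.e. after every resolution rule (the useTarget
        // substitution and the dependency-management plugin's version rule) has run.
        // If resolution itself fails, as in the issue, this task fails with that error.
        val bouncyCastle = configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "org.bouncycastle" }

        val problems = mutableListOf<String>()
        if (bouncyCastle.any { it.name == oldArtifact }) {
            problems += "$oldArtifact is still on the classpath (substitution did not apply)"
        }
        val replacement = bouncyCastle.firstOrNull { it.name == newArtifact }
        if (replacement == null) {
            problems += "$newArtifact is missing from the classpath"
        } else if (replacement.version != expectedVersion) {
            // This is the symptom from the issue: the new coordinates with the old version.
            problems += "$newArtifact resolved to ${replacement.version}, expected $expectedVersion " +
                "(a version rule may be re-applying the original artifact's version)"
        }
        if (problems.isNotEmpty()) {
            throw GradleException(
                "BouncyCastle substitution check failed:\n" + problems.joinToString("\n")
            )
        }
        logger.lifecycle("BouncyCastle resolved as $replacement")
    }
}

// Run the check as part of the normal verification lifecycle.
tasks.named("check") { dependsOn("verifyBouncyCastleSubstitution") }
```

Running `gradle verifyBouncyCastleSubstitution` in the first configuration from the issue reports the failure directly, while the working configuration passes.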

wilkinsona changed the title from "When a dependency has been substituted, its version may be managed based on its old group and artifact IDs" to "When a dependency has been substituted by changing its target, its version is managed based on its original group and artifact IDs" on May 2, 2024
wilkinsona modified the milestones: 1.1.x, 1.1.5 on May 2, 2024