Rob Watts - 3 years ago 143
Java Question

How do I replace a dependency of a dependency in gradle?

I'm working with a Java project that is using a library that has a dependency on a library with a security vulnerability. Unfortunately, the updated version of the vulnerable library does not have the same group. Basically, the library org.reallyuseful.library:usefulstuff:1.0 depends on org.vulnerable.dependency:dependency:1.0, but the vulnerability has been fixed in org.secure.dependency:dependency:1.1.

In Gradle, how do I tell usefulstuff:1.0 to use org.secure.dependency:dependency:1.1 instead of org.vulnerable.dependency:dependency:1.0?

Answer Source

You can explicitly declare a dependency on org.secure.dependency:dependency:1.1 like implementation("org.secure.dependency:dependency:1.1") in your build file. The dependency version you specified will have precedence over the transitive dependency.

Another option might be to specify an exclude rule to make sure that the dependency is not brought in (see example)

I think the best pattern would be to use the tools provided in the Dependency Management section of the user guide. In this case, you should be able to use the resolutionStrategy API. You can substitute the desired dependency for the originally requested one.

This example configures a resolution rule for every Configuration:

configurations.all {
  resolutionStrategy.eachDependency { DependencyResolveDetails details ->
    if (details.requested.group == "org.vulnerable.dependency"
        && details.requested.name == "dependency"
        && details.requested.version == "1.0") {
      details.useTarget("org.secure.dependency:dependency:1.1")
    }
  }
}

The Gradle user guide also has an example where only the version is changed, and an example which is very similar to the above snippet (and your use case).
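Added example (not from the answer above): a complete build.gradle that applies the module substitution from the answer with Gradle's dependencySubstitution DSL, shows the exclude-rule alternative the answer mentions, and adds a check task that fails the build if the vulnerable coordinate is still present in the resolved runtime classpath. The coordinates are the hypothetical ones from the question; the task name checkNoVulnerableDependency is my own.

```groovy
// Added example, not the answer's own code. Coordinates are the question's
// placeholders; they do not exist on Maven Central.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // The library we actually want; it transitively pulls in
    // org.vulnerable.dependency:dependency:1.0.
    implementation 'org.reallyuseful.library:usefulstuff:1.0'

    // Alternative to substitution (answer's "exclude rule" option):
    // drop the transitive module and declare the fixed one directly.
    // implementation('org.reallyuseful.library:usefulstuff:1.0') {
    //     exclude group: 'org.vulnerable.dependency', module: 'dependency'
    // }
    // implementation 'org.secure.dependency:dependency:1.1'
}

configurations.all {
    resolutionStrategy {
        // Module-level substitution: every request for the vulnerable
        // group:name, whatever version, is resolved as the secure module.
        // `using` needs Gradle 6.6+; older Gradle spells it `with`.
        dependencySubstitution {
            substitute module('org.vulnerable.dependency:dependency') using module('org.secure.dependency:dependency:1.1')
        }
    }
}

// Guard task: inspect the resolved graph and fail if the vulnerable
// coordinate survived (e.g. a new dependency reintroduced it under a
// configuration the rule did not cover).
tasks.register('checkNoVulnerableDependency') {
    group = 'verification'
    description = 'Fails the build if org.vulnerable.dependency:dependency is resolved.'
    doLast {
        def offenders = configurations.runtimeClasspath.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }          // ModuleVersionIdentifier (null for project components)
            .findAll { it != null
                       && it.group == 'org.vulnerable.dependency'
                       && it.name == 'dependency' }
        if (!offenders.isEmpty()) {
            throw new GradleException("Vulnerable dependency still resolved: ${offenders}")
        }
    }
}

// Wire the guard into the normal `gradle check` / `gradle build` lifecycle.
tasks.named('check') {
    dependsOn 'checkNoVulnerableDependency'
}
```

Run `gradle dependencyInsight --dependency dependency --configuration runtimeClasspath` to see the substitution recorded in the graph. One caveat worth keeping in mind: substitution only rewrites the coordinates Gradle resolves. If the secure artifact changed its Java package names or removed classes that usefulstuff:1.0 compiles against, the build will still succeed and the failure shows up at runtime as NoClassDefFoundError, so run the consuming library's tests after applying the rule.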
