Java Project Dependency clarification - maven

I have Gradle project A which has another dependency module B (maven).
In Gradle project A dependency tree I can see below
+--- org.seleniumhq.selenium:selenium-api:3.141.59 -> 4.1.4
| | | +--- org.seleniumhq.selenium:selenium-chrome-driver:3.141.59 -> 4.1.4 (*)
| | | +--- org.seleniumhq.selenium:selenium-edge-driver:3.141.59 -> 4.1.4 (*)
I have few questions here:
So with above dep tree (i.e. 3.141.59 -> 4.1.4 (*) ), which version is the used one? I know (*) - dependencies omitted (listed previously)
If the used one here is 3.141.59, how should I use 4.1.4 instead?
Note : I can see in maven module B version is having 3.141.59.
Dep tree doesn't show clearly where does 4.1.4 version come from. As per the below tree snippets it comes under org.seleniumhq.selenium:selenium-server:3.141.59
:
| +--- org.seleniumhq.selenium:selenium-server:3.141.59
| | | +--- org.seleniumhq.selenium:selenium-java:3.141.59 -> 4.1.4
| | | | +--- org.seleniumhq.selenium:selenium-api:4.1.4
| | | | +--- org.seleniumhq.selenium:selenium-chrome-driver:4.1.4
| | | | | +--- com.google.auto.service:auto-service-annotations:1.0.1
| | | | | +--- com.google.auto.service:auto-service:1.0.1
| | | | | | +--- com.google.auto.service:auto-service-annotations:1.0.1
| | | | | | +--- com.google.auto:auto-common:1.2
| | | | | | | \--- com.google.guava:guava:31.0.1-jre -> 31.1-jre (*)
| | | | | | \--- com.google.guava:guava:31.0.1-jre -> 31.1-jre (*)
| | | | | +--- com.google.guava:guava:31.1-jre (*)
| | | | | +--- org.seleniumhq.selenium:selenium-api:4.1.4
| | | | | +--- org.seleniumhq.selenium:selenium-chromium-driver:4.1.4
| | | | | | +--- com.google.auto.service:auto-service-annotations:1.0.1
| | | | | | +--- com.google.auto.service:auto-service:1.0.1 (*)
| | | | | | +--- com.google.guava:guava:31.1-jre (*)
| | | | | | +--- org.seleniumhq.selenium:selenium-json:4.1.4
| | | | | | | \--- org.seleniumhq.selenium:selenium-api:4.1.4
| | | | | | \--- org.seleniumhq.selenium:selenium-remote-driver:4.1.4
In the dep tree what's the difference between
org.seleniumhq.selenium:selenium-java:3.141.59 -> 4.1.4
and
org.seleniumhq.selenium:selenium-java:3.141.59 -> 4.1.4 (*)

Related

jetty-http issue on camel-jetty-starter

I got this vulnerability on my gradle.build,
jetty-http-9.4.46.v20220331.jar | Reference: CVE-2022-2047 | CVSS Score: 2.7 | Category: CWE-20 | In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
It's coming from this,
implementation 'org.apache.camel.springboot:camel-jetty-starter:3.14.5'
For when I check the gradle dependencies,
--- org.apache.camel.springboot:camel-jetty-starter:3.14.5
| +--- org.springframework.boot:spring-boot-starter:2.6.10 -> 2.7.0 (*)
| +--- org.apache.camel:camel-jetty:3.14.5
| | +--- org.apache.camel:camel-support:3.14.5 (*)
| | +--- org.apache.camel:camel-http-common:3.14.5
| | | +--- org.apache.camel:camel-http-base:3.14.5
| | | | \--- org.apache.camel:camel-support:3.14.5 (*)
| | | +--- org.apache.camel:camel-cloud:3.14.5 (*)
| | | +--- org.apache.camel:camel-support:3.14.5 (*)
| | | \--- org.apache.camel:camel-attachments:3.14.5
| | | +--- org.apache.camel:camel-support:3.14.5 (*)
| | | \--- com.sun.activation:javax.activation:1.2.0
| | +--- org.apache.camel:camel-jetty-common:3.14.5
| | | +--- org.apache.camel:camel-cloud:3.14.5 (*)
| | | +--- org.apache.camel:camel-http-common:3.14.5 (*)
| | | \--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-server:9.4.46.v20220331
| | | +--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | | +--- org.eclipse.jetty:jetty-http:9.4.46.v20220331
| | | | +--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331
| | | | \--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331 (*)
I tried to add this before or after,
implementation 'org.apache.camel.springboot:camel-jetty-starter:3.14.5'
implementation 'org.eclipse.jetty:jetty-http:11.0.11'
But eclipse will always give errror on unresolved dependency on jetty-http.
I put all the org.eclipse.jetty:jetty-xxx:9.4.48.v2022062 (hope this version stay no vulnerability). It's not xxx, what ever you see on your dependencies, you have to add it there like jetty-(io/server/servlet/serverts/etc). Take note of the serverlet/servlets too.
Actually, can you just put xxx instead of putting all the dependency listed, I tried it didn't work.

Confused with gradle select rule of dependency version

I have import dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" in project A. And here is dependency tree:
+--- org.springframework.boot:spring-boot-starter-jetty -> 2.1.18.RELEASE
| +--- org.eclipse.jetty:jetty-servlets:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-continuation:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-http:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| +--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-xml:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-servlet:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-security:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-server:9.4.33.v20201020 -> 9.4.48.v20220622
| | +--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-http:9.4.48.v20220622 -> 9.4.33.v20201020 (*)
| | \--- org.eclipse.jetty:jetty-io:9.4.48.v20220622 -> 9.4.33.v20201020 (*)
| +--- org.eclipse.jetty.websocket:websocket-server:9.4.33.v20201020
| | +--- org.eclipse.jetty.websocket:websocket-common:9.4.33.v20201020
| | | +--- org.eclipse.jetty.websocket:websocket-api:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-client:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-client:9.4.33.v20201020
| | | | +--- org.eclipse.jetty:jetty-http:9.4.33.v20201020 (*)
| | | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-xml:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | | \--- org.eclipse.jetty.websocket:websocket-common:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-servlet:9.4.33.v20201020
| | | +--- org.eclipse.jetty.websocket:websocket-api:9.4.33.v20201020
| | | \--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-servlet:9.4.33.v20201020 (*)
| | \--- org.eclipse.jetty:jetty-http:9.4.33.v20201020 (*)
| +--- org.eclipse.jetty.websocket:javax-websocket-server-impl:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-annotations:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-plus:9.4.33.v20201020
| | | | \--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020 (*)
| | | +--- javax.annotation:javax.annotation-api:1.3.2
| | | +--- org.ow2.asm:asm:9.0
| | | \--- org.ow2.asm:asm-commons:9.0
| | | +--- org.ow2.asm:asm:9.0
| | | +--- org.ow2.asm:asm-tree:9.0
| | | | \--- org.ow2.asm:asm:9.0
| | | \--- org.ow2.asm:asm-analysis:9.0
| | | \--- org.ow2.asm:asm-tree:9.0 (*)
| | +--- org.eclipse.jetty.websocket:javax-websocket-client-impl:9.4.33.v20201020
| | | \--- org.eclipse.jetty.websocket:websocket-client:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-server:9.4.33.v20201020 (*)
| | \--- javax.websocket:javax.websocket-api:1.0 -> 1.1
| \--- org.mortbay.jasper:apache-el:8.5.54
I can not understand why module jetty-server upgrade from 9.4.33.v20201020 to 9.4.48.v20220622,because other jetty module version remain at 9.4.33.v20201020
And I import dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" in another clean project B. And here is dependency tree:
All jetty module version is unified:9.4.45
Why does the same dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE refer different version of module jetty
As you may know Gradle implementation acts transitively which means any dependencies bring its dependencies. Although your jetty-server version is 9.4.33.v20201020 but somehow spring-boot-starter-jetty is dependent on jetty-servlets:9.4.48.v20220622 so it's being brought. However, it's a little waired that your second screenshot shows version 9.4.45 because I myself test it with an isolated project and the version was 9.4.48. Anyway, you can inform the implementation to not act completely transitively and exclude some dependencies like blow:
implementation("org.springframework.boot:spring-boot-starter-jetty:2.1.18.RELEASE")
{
exclude group: "org.eclipse.jetty"
}
But if there is org.eclipse.jetty that spring-boot-starter-jetty is dependent on, you had to put it inside your build.gradle or exclude the malicious module specifically like blow:
implementation("org.springframework.boot:spring-boot-starter-jetty:2.1.18.RELEASE")
{
exclude group: "org.eclipse.jetty", module: "jetty-servlets"
}

How to resolve duplicated gradle Dependency issues

I have tried to test my code with robolectric. Problem is that it has duplicated References. e.g.
java.lang.RuntimeException: java.lang.RuntimeException: Duplicate class org.apache.maven.artifact.Artifact found in modules maven-ant-tasks-2.1.3.jar (org.apache.maven:maven-ant-tasks:2.1.3) and maven-artifact-2.2.1.jar (org.apache.maven:maven-artifact:2.2.1)
I have used the gradel artifact app:dependencies to get the following report. Here the important parts:
+--- org.robolectric:robolectric:4.3
| +--- org.robolectric:annotations:4.3
| +--- org.robolectric:junit:4.3
| | +--- org.robolectric:annotations:4.3
| | +--- org.robolectric:sandbox:4.3
| | | +--- org.robolectric:annotations:4.3
| | | +--- org.robolectric:utils:4.3
| | | | +--- org.robolectric:annotations:4.3
| | | | +--- org.robolectric:pluginapi:4.3
| | | | | +--- org.robolectric:annotations:4.3
| | | | | +--- org.apache.ant:ant:1.8.0
| | | | | | \--- org.apache.ant:ant-launcher:1.8.0
| | | | | \--- org.apache.maven:maven-ant-tasks:2.1.3
| | | | | +--- org.apache.ant:ant:1.8.0 (*)
| | | | | +--- classworlds:classworlds:1.1-alpha-2
| | | | | +--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1
| | | | | | +--- org.codehaus.plexus:plexus-utils:1.0.4 -> 1.5.15
| | | | | | \--- classworlds:classworlds:1.1-alpha-2
| | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | | | +--- org.apache.maven:maven-artifact:2.2.1
| | | | | | \--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | +--- org.apache.maven:maven-artifact-manager:2.2.1
| | | | | | +--- org.apache.maven:maven-repository-metadata:2.2.1
| | | | | | | \--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | | +--- org.apache.maven:maven-artifact:2.2.1 (*)
| | | | | | +--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | | | +--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6
| | | | | | | \--- org.codehaus.plexus:plexus-utils:1.4.2 -> 1.5.15
| | | | | | \--- backport-util-concurrent:backport-util-concurrent:3.1
| | | | | +--- org.apache.maven:maven-model:2.2.1
| | | | | | \--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | +--- org.apache.maven:maven-project:2.2.1
| | | | | | +--- org.apache.maven:maven-settings:2.2.1
| | | | | | | +--- org.apache.maven:maven-model:2.2.1 (*)
| | | | | | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | | | +--- org.apache.maven:maven-profile:2.2.1
| | | | | | | +--- org.apache.maven:maven-model:2.2.1 (*)
| | | | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | | | +--- org.apache.maven:maven-model:2.2.1 (*)
| | | | | | +--- org.apache.maven:maven-artifact-manager:2.2.1 (*)
| | | | | | +--- org.apache.maven:maven-plugin-registry:2.2.1
| | | | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | | +--- org.apache.maven:maven-artifact:2.2.1 (*)
| | | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | | +--- org.apache.maven:maven-error-diagnostics:2.2.1
| | | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | | +--- org.apache.maven:maven-settings:2.2.1 (*)
| | | | | +--- org.apache.maven.wagon:wagon-file:1.0-beta-6
| | | | | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | | | | +--- org.apache.maven.wagon:wagon-http-lightweight:1.0-beta-6
| | | | | | +--- org.apache.maven.wagon:wagon-http-shared:1.0-beta-6
| | | | | | | +--- nekohtml:xercesMinimal:1.9.6.2
| | | | | | | +--- nekohtml:nekohtml:1.9.6.2
| | | | | | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | | | | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | | | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | | | +--- org.robolectric:utils-reflector:4.3
| | | | | +--- org.ow2.asm:asm:7.0
| | | | | +--- org.ow2.asm:asm-commons:7.0
| | | | | | +--- org.ow2.asm:asm:7.0
| | | | | | +--- org.ow2.asm:asm-tree:7.0
| | | | | | | \--- org.ow2.asm:asm:7.0
| | | | | | \--- org.ow2.asm:asm-analysis:7.0
| | | | | | \--- org.ow2.asm:asm-tree:7.0 (*)
| | | | | \--- org.ow2.asm:asm-util:7.0
| | | | | +--- org.ow2.asm:asm:7.0
| | | | | +--- org.ow2.asm:asm-tree:7.0 (*)
| | | | | \--- org.ow2.asm:asm-analysis:7.0 (*)
| | | | +--- com.google.auto.service:auto-service:1.0-rc4
| | | | | +--- com.google.auto:auto-common:0.8
| | | | | | \--- com.google.guava:guava:19.0 -> 27.0.1-jre
| | | | | | +--- com.google.guava:failureaccess:1.0.1
| | | | | | +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
| | | | | | +--- com.google.code.findbugs:jsr305:3.0.2
| | | | | | +--- org.checkerframework:checker-qual:2.5.2
| | | | | | +--- com.google.errorprone:error_prone_annotations:2.2.0
| | | | | | +--- com.google.j2objc:j2objc-annotations:1.1
| | | | | | \--- org.codehaus.mojo:animal-sniffer-annotations:1.17
| | | | | \--- com.google.guava:guava:23.5-jre -> 27.0.1-jre (*)
| | | | +--- javax.inject:javax.inject:1
| | | | \--- javax.annotation:javax.annotation-api:1.3.2
| | | +--- org.robolectric:shadowapi:4.3
| | | | \--- org.robolectric:annotations:4.3
| | | +--- org.robolectric:utils-reflector:4.3 (*)
| | | +--- javax.annotation:javax.annotation-api:1.3.2
| | | +--- javax.inject:javax.inject:1
| | | +--- org.ow2.asm:asm:7.0
| | | +--- org.ow2.asm:asm-commons:7.0 (*)
| | | \--- com.google.guava:guava:27.0.1-jre (*)
| | +--- org.robolectric:pluginapi:4.3 (*)
| | +--- org.robolectric:shadowapi:4.3 (*)
| | \--- org.robolectric:utils-reflector:4.3 (*)
| +--- org.robolectric:pluginapi:4.3 (*)
| +--- org.robolectric:resources:4.3
| | +--- org.robolectric:utils:4.3 (*)
| | +--- org.robolectric:annotations:4.3
| | +--- org.robolectric:pluginapi:4.3 (*)
| | \--- com.google.guava:guava:27.0.1-jre (*)
| +--- org.robolectric:sandbox:4.3 (*)
| +--- org.robolectric:utils:4.3 (*)
| +--- org.robolectric:utils-reflector:4.3 (*)
| +--- org.robolectric:plugins-maven-dependency-resolver:4.3
| | +--- org.robolectric:pluginapi:4.3 (*)
| | +--- org.robolectric:utils:4.3 (*)
| | +--- org.apache.ant:ant:1.8.0 (*)
| | \--- org.apache.maven:maven-ant-tasks:2.1.3 (*)
| +--- javax.inject:javax.inject:1
| +--- javax.annotation:javax.annotation-api:1.3.2
| +--- org.robolectric:shadows-framework:4.3
| | +--- org.robolectric:annotations:4.3
| | +--- org.robolectric:resources:4.3 (*)
| | +--- org.robolectric:pluginapi:4.3 (*)
| | +--- org.robolectric:shadowapi:4.3 (*)
| | +--- org.robolectric:utils:4.3 (*)
| | +--- org.robolectric:utils-reflector:4.3 (*)
| | +--- androidx.test:monitor:1.2.0 -> 1.3.0-alpha02 (*)
| | +--- com.almworks.sqlite4java:sqlite4java:0.282
| | +--- com.ibm.icu:icu4j:53.1
| | +--- com.google.android.apps.common.testing.accessibility.framework:accessibility-test-framework:2.1
| | | +--- org.hamcrest:hamcrest-core:1.3
| | | +--- org.hamcrest:hamcrest-library:1.3 (*)
| | | \--- com.google.protobuf:protobuf-java:2.6.1
| | \--- androidx.annotation:annotation:1.0.0
| +--- org.bouncycastle:bcprov-jdk15on:1.52
| \--- androidx.test:monitor:1.2.0 -> 1.3.0-alpha02 (*)
How to resolve the reference error? It seems to me that robolectric has the same class in diffrent dependencies?
I use the following build script:
apply plugin: 'com.android.application'
apply plugin: 'idea'
idea {
module {
downloadJavadoc = true
downloadSources = true
}
}
android {
compileSdkVersion 28
buildToolsVersion '28.0.3'
useLibrary 'org.apache.http.legacy'
useLibrary 'android.test.runner'
useLibrary 'android.test.base'
useLibrary 'android.test.mock'
defaultConfig {
applicationId "com.example.sampleapp"
minSdkVersion 16
targetSdkVersion 28
testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
}
testOptions {
unitTests {
includeAndroidResources = true
}
}
}
dependencies {
androidTestImplementation 'androidx.test:rules:1.2.0'
androidTestImplementation 'androidx.test:core:1.2.1-alpha02'
androidTestImplementation 'androidx.test.espresso:espresso-core:3.2.0'
androidTestImplementation 'org.robolectric:robolectric:4.3'
// Mail-Versand
implementation 'com.sun.mail:android-mail:1.6.2'
implementation 'com.sun.mail:android-activation:1.6.2'
implementation 'androidx.appcompat:appcompat:1.0.2'//
implementation 'com.github.woxthebox:draglistview:1.6.6'
}
How to fix that?
Issue on github is open: https://github.com/robolectric/robolectric/issues/5235
Finally get the test running. I've excluded all libs with duplicated classes:
testImplementation ("org.robolectric:robolectric:4.3"){
exclude group: 'org.apache.maven', module: 'maven-artifact'
exclude group: 'org.apache.maven', module: 'maven-artifact-manager'
exclude group: 'org.apache.maven', module: 'maven-model'
exclude group: 'org.apache.maven', module: 'maven-plugin-registry'
exclude group: 'org.apache.maven', module: 'maven-profile'
exclude group: 'org.apache.maven', module: 'maven-project'
exclude group: 'org.apache.maven', module: 'maven-settings'
exclude group: 'org.apache.maven', module: 'maven-error-diagnostics'
exclude group: "org.apache.maven.wagon"
}
Not all possibilities tested but a simple test worked already.
This probably could be written in more general way:
testImplementation ("org.robolectric:robolectric:4.3") {
exclude group "org.apache.maven.wagon"
exclude group "org.apache.maven"
}
or even:
testImplementation ("org.robolectric:robolectric:4.3") {
exclude group: "org.apache.maven", name: "maven-ant-tasks"
}
because it is maven-ant-tasks of pluginapi, which pulls in org.apache.maven dependencies.
I've encountered the same issue and the thing that helped me was that I had defined the Roboelectric dependency twice in Gradle file one with androidTestImplementation and the other with testImplementation so when I removed the first part problem solved!!!
The solution for me was to ensure that I was not requiring Robolectric in my androidTestImplementation dependencies.
Once I fixed that, I did not have any conflicts to fix.

How to list "compile" configuration's "provided" dependencies? I would like to download all of the dependencies

To list dependencies with gradle:
gradlew dependencies
This will show the all of the dependencies in your current projects configurations.
For example:
testCompile - Classpath for compiling the test sources.
+--- org.robolectric:shadows-support-v4:3.1.2
| +--- org.robolectric:robolectric:3.1.2
| | +--- org.robolectric:robolectric-annotations:3.1.2
| | +--- org.robolectric:robolectric-resources:3.1.2
| | | +--- org.robolectric:robolectric-utils:3.1.2
| | | | +--- org.ow2.asm:asm:5.0.1
| | | | +--- org.ow2.asm:asm-commons:5.0.1
| | | | | \--- org.ow2.asm:asm-tree:5.0.1
| | | | | \--- org.ow2.asm:asm:5.0.1
| | | | +--- org.robolectric:robolectric-annotations:3.1.2
| | | | \--- com.google.android.apps.common.testing.accessibility.framework:accessibility-test-framework:2.1
| | | | +--- org.hamcrest:hamcrest-core:1.3
| | | | +--- org.hamcrest:hamcrest-library:1.3
| | | | | \--- org.hamcrest:hamcrest-core:1.3
| | | | \--- com.google.protobuf:protobuf-java:2.6.1
| | | +--- org.robolectric:robolectric-annotations:3.1.2
| | | +--- com.ximpleware:vtd-xml:2.11
| | | \--- com.google.guava:guava:19.0
| | +--- org.robolectric:robolectric-utils:3.1.2 (*)
| | +--- org.ow2.asm:asm:5.0.1
| | +--- org.ow2.asm:asm-util:5.0.1
| | | \--- org.ow2.asm:asm-tree:5.0.1 (*)
| | +--- org.ow2.asm:asm-commons:5.0.1 (*)
| | +--- org.ow2.asm:asm-analysis:5.0.1
| | | \--- org.ow2.asm:asm-tree:5.0.1 (*)
| | +--- org.bouncycastle:bcprov-jdk16:1.46
| | +--- com.ximpleware:vtd-xml:2.11
| | +--- com.thoughtworks.xstream:xstream:1.4.8
| | | +--- xmlpull:xmlpull:1.1.3.1
| | | \--- xpp3:xpp3_min:1.1.4c
| | +--- org.apache.ant:ant:1.8.0
| | | \--- org.apache.ant:ant-launcher:1.8.0
| | +--- org.apache.maven:maven-ant-tasks:2.1.3
| | | +--- org.apache.ant:ant:1.8.0 (*)
| | | +--- classworlds:classworlds:1.1-alpha-2
| | | +--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1
| | | | +--- junit:junit:3.8.1 -> 4.12 (*)
| | | | +--- org.codehaus.plexus:plexus-utils:1.0.4 -> 1.5.15
| | | | \--- classworlds:classworlds:1.1-alpha-2
| | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | +--- org.apache.maven:maven-artifact:2.2.1
| | | | \--- org.codehaus.plexus:plexus-utils:1.5.15
| | | +--- org.apache.maven:maven-artifact-manager:2.2.1
| | | | +--- org.apache.maven:maven-repository-metadata:2.2.1
| | | | | \--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | +--- org.apache.maven:maven-artifact:2.2.1 (*)
| | | | +--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | +--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6
| | | | | \--- org.codehaus.plexus:plexus-utils:1.4.2 -> 1.5.15
| | | | \--- backport-util-concurrent:backport-util-concurrent:3.1
| | | +--- org.apache.maven:maven-model:2.2.1
| | | | \--- org.codehaus.plexus:plexus-utils:1.5.15
| | | +--- org.apache.maven:maven-project:2.2.1
| | | | +--- org.apache.maven:maven-settings:2.2.1
| | | | | +--- org.apache.maven:maven-model:2.2.1 (*)
| | | | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | +--- org.apache.maven:maven-profile:2.2.1
| | | | | +--- org.apache.maven:maven-model:2.2.1 (*)
| | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | +--- org.apache.maven:maven-model:2.2.1 (*)
| | | | +--- org.apache.maven:maven-artifact-manager:2.2.1 (*)
| | | | +--- org.apache.maven:maven-plugin-registry:2.2.1
| | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | +--- org.apache.maven:maven-artifact:2.2.1 (*)
| | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | +--- org.apache.maven:maven-error-diagnostics:2.2.1
| | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | +--- org.apache.maven:maven-settings:2.2.1 (*)
| | | +--- org.apache.maven.wagon:wagon-file:1.0-beta-6
| | | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | | +--- org.apache.maven.wagon:wagon-http-lightweight:1.0-beta-6
| | | | +--- org.apache.maven.wagon:wagon-http-shared:1.0-beta-6
| | | | | +--- nekohtml:xercesMinimal:1.9.6.2
| | | | | +--- nekohtml:nekohtml:1.9.6.2
| | | | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | \--- org.robolectric:shadows-core-v23:3.1.2
| | +--- org.robolectric:robolectric-annotations:3.1.2
| | +--- org.robolectric:robolectric-resources:3.1.2 (*)
| | +--- org.robolectric:robolectric-utils:3.1.2 (*)
| | +--- com.almworks.sqlite4java:sqlite4java:0.282
| | \--- com.ibm.icu:icu4j:53.1
| \--- org.robolectric:shadows-core-v23:3.1.2 (*)
Notice, the shadows-support-v4 artifact brings in robolectric artifact which brings in the dependency: org.robolectric:shadows-core-v23:3.1.2.
If we go to the build.gradle file, we notice there are provided dependencies that are not brought in: https://github.com/robolectric/robolectric/blob/f68ba6bcb51fb25a28805a3c5f7ffcee2d9560d5/robolectric-shadows/shadows-core/build.gradle#L16.
Actual pom file: http://repo1.maven.org/maven2/org/robolectric/robolectric/3.1.2/robolectric-3.1.2.pom. Provided dependencies are not added to the POM but the runtime dependencies are.
How can I go deeper and list all of the dependencies of the dependencies including any provided dependencies?
I answered this here: https://github.com/robolectric/robolectric/issues/2646
For those that are still having this problem, download all the dependencies and transitive dependencies up front for your CI:
subprojects { project ->
task downloadDependencies(type: Copy) {
description "Downloads all dependencies."
group "build"
from {
// Use of closure defers evaluation until execution time
project.configurations
.findAll { configuration -> configuration.canBeResolved }
.collect { configuration -> configuration.resolvedConfiguration.lenientConfiguration.files }
}
into "$project.buildDir/dependencies"
}
}
Example:
Step 1: gradlew downloadDependencies
Step 2: gradlew assembleDebug testDebug

Gradle dependency tree, what does the (*) mean?

I am just wondering what does the (*) mean under the dependency tree for Gradle. I have been searching online and could not find any answers.
+--- org.apache.httpcomponents:httpclient:4.2.6 -> 4.5 (*)
| +--- org.apache.jena:apache-jena-libs:2.12.1
| | +--- org.apache.jena:jena-tdb:1.1.1
| | | +--- org.apache.jena:jena-arq:2.12.1
| | | | +--- org.apache.jena:jena-core:2.12.1
| | | | | +--- org.slf4j:slf4j-api:1.7.6 -> 1.7.10
| | | | | +--- org.apache.jena:jena-iri:1.1.1
| | | | | | +--- org.slf4j:slf4j-api:1.7.6 -> 1.7.10
| | | | | | \--- log4j:log4j:1.2.17
| | | | | +--- xerces:xercesImpl:2.11.0
| | | | | | \--- xml-apis:xml-apis:1.4.01
| | | | | \--- log4j:log4j:1.2.17
| | | | +--- org.apache.httpcomponents:httpclient:4.2.6 -> 4.5 (*)
| | | | +--- com.github.jsonld-java:jsonld-java:0.5.0
| | | | | +--- com.fasterxml.jackson.core:jackson-core:2.3.3 -> 2.5.1
| | | | | +--- com.fasterxml.jackson.core:jackson-databind:2.3.3 -> 2.5.1 (*)
| | | | | \--- org.slf4j:jcl-over-slf4j:1.7.7 -> 1.7.10 (*)
(*) - dependencies omitted (listed previously)
Should be displayed under your dependency tree.
The dependencies of the marked dependency are omitted for readability because they were already listed higher up in the dependency graph output.
Also,
(c) - dependency constraint
(n) - Not resolved
Dependencies with the same coordinates that can occur multiple times in the graph are omitted and indicated by an asterisk(*). Dependencies that had to undergo conflict resolution render the requested and selected version separated by a right arrow character(->).
gradle manual: https://docs.gradle.org/current/userguide/viewing_debugging_dependencies.html

Resources