How to find out why Gradle tries to use specific library version? - gradle

I'm new to using Gradle and need some help with a frustrating issue.
In the output of ./gradlew dependencies of my Spring Boot project I have a bunch of FAILED statements, for example:
+--- io.netty:netty-handler-proxy:4.1.75.Final FAILED
When I look up this library in my dependencies output, there are only the following entries related to it:
+--- io.netty:netty-handler-proxy:{strictly 4.1.75.Final} -> 4.1.77.Final (c)
and
+--- io.projectreactor.netty:reactor-netty -> 1.0.19
| +--- io.projectreactor.netty:reactor-netty-core:1.0.19
| | +--- io.netty:netty-handler:4.1.77.Final
| | | +--- io.netty:netty-common:4.1.77.Final
| | | +--- io.netty:netty-resolver:4.1.77.Final
| | | | \--- io.netty:netty-common:4.1.77.Final
| | | +--- io.netty:netty-buffer:4.1.77.Final
| | | | \--- io.netty:netty-common:4.1.77.Final
| | | +--- io.netty:netty-transport:4.1.77.Final
| | | | +--- io.netty:netty-common:4.1.77.Final
| | | | +--- io.netty:netty-buffer:4.1.77.Final (*)
| | | | \--- io.netty:netty-resolver:4.1.77.Final (*)
| | | \--- io.netty:netty-codec:4.1.77.Final
| | | +--- io.netty:netty-common:4.1.77.Final
| | | +--- io.netty:netty-buffer:4.1.77.Final (*)
| | | \--- io.netty:netty-transport:4.1.77.Final (*)
| | +--- io.netty:netty-handler-proxy:4.1.77.Final
I'm trying to find out why Gradle is even trying to use the 4.1.75 library version. I don't declare this version explicitly in gradle.properties, but for some reason it is denoted as strictly.
I'm also wondering how to find out what library besides io.projectreactor.netty:reactor-netty (requiring version 4.1.77) is using io.netty:netty-handler-proxy (apparently version 4.1.75).
Could someone help me please?

Related

jetty-http issue on camel-jetty-starter

I got this vulnerability on my gradle.build,
jetty-http-9.4.46.v20220331.jar | Reference: CVE-2022-2047 | CVSS Score: 2.7 | Category: CWE-20 | In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
It's coming from this,
implementation 'org.apache.camel.springboot:camel-jetty-starter:3.14.5'
For when I check the gradle dependencies,
--- org.apache.camel.springboot:camel-jetty-starter:3.14.5
| +--- org.springframework.boot:spring-boot-starter:2.6.10 -> 2.7.0 (*)
| +--- org.apache.camel:camel-jetty:3.14.5
| | +--- org.apache.camel:camel-support:3.14.5 (*)
| | +--- org.apache.camel:camel-http-common:3.14.5
| | | +--- org.apache.camel:camel-http-base:3.14.5
| | | | \--- org.apache.camel:camel-support:3.14.5 (*)
| | | +--- org.apache.camel:camel-cloud:3.14.5 (*)
| | | +--- org.apache.camel:camel-support:3.14.5 (*)
| | | \--- org.apache.camel:camel-attachments:3.14.5
| | | +--- org.apache.camel:camel-support:3.14.5 (*)
| | | \--- com.sun.activation:javax.activation:1.2.0
| | +--- org.apache.camel:camel-jetty-common:3.14.5
| | | +--- org.apache.camel:camel-cloud:3.14.5 (*)
| | | +--- org.apache.camel:camel-http-common:3.14.5 (*)
| | | \--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-server:9.4.46.v20220331
| | | +--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | | +--- org.eclipse.jetty:jetty-http:9.4.46.v20220331
| | | | +--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331
| | | | \--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331 (*)
I tried to add this before or after,
implementation 'org.apache.camel.springboot:camel-jetty-starter:3.14.5'
implementation 'org.eclipse.jetty:jetty-http:11.0.11'
But Eclipse will always give an error on unresolved dependency on jetty-http.
I put all the org.eclipse.jetty:jetty-xxx:9.4.48.v2022062 (hope this version stays free of vulnerabilities). It's not literally xxx; whatever you see in your dependencies, you have to add it there, like jetty-(io/server/servlet/servlets/etc). Take note of the servlet/servlets too.
Actually, can you just put xxx instead of listing all the dependencies? I tried it and it didn't work.

Confused with gradle select rule of dependency version

I have imported the dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" in project A. And here is the dependency tree:
+--- org.springframework.boot:spring-boot-starter-jetty -> 2.1.18.RELEASE
| +--- org.eclipse.jetty:jetty-servlets:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-continuation:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-http:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| +--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-xml:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-servlet:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-security:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-server:9.4.33.v20201020 -> 9.4.48.v20220622
| | +--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-http:9.4.48.v20220622 -> 9.4.33.v20201020 (*)
| | \--- org.eclipse.jetty:jetty-io:9.4.48.v20220622 -> 9.4.33.v20201020 (*)
| +--- org.eclipse.jetty.websocket:websocket-server:9.4.33.v20201020
| | +--- org.eclipse.jetty.websocket:websocket-common:9.4.33.v20201020
| | | +--- org.eclipse.jetty.websocket:websocket-api:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-client:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-client:9.4.33.v20201020
| | | | +--- org.eclipse.jetty:jetty-http:9.4.33.v20201020 (*)
| | | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-xml:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | | \--- org.eclipse.jetty.websocket:websocket-common:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-servlet:9.4.33.v20201020
| | | +--- org.eclipse.jetty.websocket:websocket-api:9.4.33.v20201020
| | | \--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-servlet:9.4.33.v20201020 (*)
| | \--- org.eclipse.jetty:jetty-http:9.4.33.v20201020 (*)
| +--- org.eclipse.jetty.websocket:javax-websocket-server-impl:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-annotations:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-plus:9.4.33.v20201020
| | | | \--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020 (*)
| | | +--- javax.annotation:javax.annotation-api:1.3.2
| | | +--- org.ow2.asm:asm:9.0
| | | \--- org.ow2.asm:asm-commons:9.0
| | | +--- org.ow2.asm:asm:9.0
| | | +--- org.ow2.asm:asm-tree:9.0
| | | | \--- org.ow2.asm:asm:9.0
| | | \--- org.ow2.asm:asm-analysis:9.0
| | | \--- org.ow2.asm:asm-tree:9.0 (*)
| | +--- org.eclipse.jetty.websocket:javax-websocket-client-impl:9.4.33.v20201020
| | | \--- org.eclipse.jetty.websocket:websocket-client:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-server:9.4.33.v20201020 (*)
| | \--- javax.websocket:javax.websocket-api:1.0 -> 1.1
| \--- org.mortbay.jasper:apache-el:8.5.54
I cannot understand why module jetty-server is upgraded from 9.4.33.v20201020 to 9.4.48.v20220622, because the other jetty module versions remain at 9.4.33.v20201020.
And I imported the dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" in another clean project B. And here is the dependency tree:
All jetty module versions are unified: 9.4.45
Why does the same dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" refer to different versions of the jetty modules?
As you may know, Gradle implementation acts transitively, which means any dependency brings its own dependencies. Although your jetty-server version is 9.4.33.v20201020, somehow spring-boot-starter-jetty is dependent on jetty-servlets:9.4.48.v20220622, so it's being brought in. However, it's a little weird that your second screenshot shows version 9.4.45, because I tested it myself with an isolated project and the version was 9.4.48. Anyway, you can tell the implementation not to act completely transitively and exclude some dependencies like below:
implementation("org.springframework.boot:spring-boot-starter-jetty:2.1.18.RELEASE") {
    exclude group: "org.eclipse.jetty"
}
But if there is an org.eclipse.jetty module that spring-boot-starter-jetty is dependent on, you have to put it inside your build.gradle or exclude the malicious module specifically like below:
implementation("org.springframework.boot:spring-boot-starter-jetty:2.1.18.RELEASE") {
    exclude group: "org.eclipse.jetty", module: "jetty-servlets"
}
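An alternative to excluding modules one by one, as an added example that is not part of the answer above or of any project it mentions: force the two Jetty groups shown in the tree onto one version and fail the build if a mix still resolves. The version 9.4.48.v20220622 (taken from the tree in the question), the task name verifyJettyAlignment, and the presence of the java plugin's check task and runtimeClasspath configuration are assumptions.

```groovy
// build.gradle (Groovy DSL). Added example; not from the question or the answer.
// Assumption: 9.4.48.v20220622 is the release to align on. It is the version
// jetty-server already resolved to in the tree above; substitute the release
// your scanner reports as fixed.
def jettyVersion = '9.4.48.v20220622'

// Only the two groups that appear in the trees above and are released together
// in 9.4.x. Other org.eclipse.jetty.* groups are deliberately left untouched.
def jettyGroups = ['org.eclipse.jetty', 'org.eclipse.jetty.websocket'] as Set

configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group in jettyGroups) {
            // Rewrites the requested version before conflict resolution runs,
            // so direct and transitive requests end up on the same release.
            details.useVersion jettyVersion
            details.because 'keep every Jetty module on one patched release'
        }
    }
}

// Hypothetical task name. Fails the build if runtimeClasspath still resolves
// more than one Jetty version, for example because a plugin or BOM pins a module.
tasks.register('verifyJettyAlignment') {
    group = 'verification'
    description = 'Fails when Jetty modules resolve to more than one version.'
    doLast {
        def byVersion = configurations.runtimeClasspath.incoming.resolutionResult
            .allComponents
            .collect { it.moduleVersion }
            .findAll { it != null && it.group in jettyGroups }
            .groupBy { it.version }

        if (byVersion.isEmpty()) {
            logger.lifecycle('No Jetty modules on runtimeClasspath.')
            return
        }
        byVersion.each { version, modules ->
            logger.lifecycle("Jetty ${version}: ${modules*.name.sort().join(', ')}")
        }
        if (byVersion.size() > 1) {
            throw new GradleException(
                "Mixed Jetty versions on runtimeClasspath: ${byVersion.keySet().sort().join(', ')}")
        }
    }
}

// Assumes the java (or base) plugin is applied, which provides 'check'.
tasks.named('check') { dependsOn 'verifyJettyAlignment' }
```

Run ./gradlew verifyJettyAlignment after changing the version, then confirm a single module with ./gradlew dependencyInsight --dependency jetty-http --configuration runtimeClasspath.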

Spring Boot Application Returns 401 UnAuthorized on All Endpoints

In a very specific scenario outlined below, my Spring Boot application returns the following response for all endpoints:
/ $ curl http://localhost:8084/
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 UnAuthorized</title>
</head>
<body><h2>HTTP ERROR 401 UnAuthorized</h2>
<table>
<tr><th>URI:</th><td>/</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>UnAuthorized</td></tr>
<tr><th>SERVLET:</th><td>dispatcherServlet</td></tr>
</table>
</body>
</html>
/ $
I only get this response from the pod being spun up, when I attempt to use Telepresence to intercept a running Kubernetes pod (telepresence intercept my-service). This 401 response by the pod coming up causes the startup, liveness and readiness probes to fail, which causes Telepresence to never replace the pod with its traffic manager and redirect to my locally running instance.
Any ideas on what this error message means, and how to fix it? I'm not even sure that it's coming from Spring.
I do not have Spring Security on the classpath. Dependencies:
> Task :dependencies
------------------------------------------------------------
Root project 'foo'
------------------------------------------------------------
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-devtools -> 2.6.8
| +--- org.springframework.boot:spring-boot:2.6.8
| | +--- org.springframework:spring-core:5.3.20
| | | \--- org.springframework:spring-jcl:5.3.20
| | \--- org.springframework:spring-context:5.3.20
| | +--- org.springframework:spring-aop:5.3.20
| | | +--- org.springframework:spring-beans:5.3.20
| | | | \--- org.springframework:spring-core:5.3.20 (*)
| | | \--- org.springframework:spring-core:5.3.20 (*)
| | +--- org.springframework:spring-beans:5.3.20 (*)
| | +--- org.springframework:spring-core:5.3.20 (*)
| | \--- org.springframework:spring-expression:5.3.20
| | \--- org.springframework:spring-core:5.3.20 (*)
| \--- org.springframework.boot:spring-boot-autoconfigure:2.6.8
| \--- org.springframework.boot:spring-boot:2.6.8 (*)
+--- org.springframework.boot:spring-boot-starter-actuator -> 2.6.8
| +--- org.springframework.boot:spring-boot-starter:2.6.8
| | +--- org.springframework.boot:spring-boot:2.6.8 (*)
| | +--- org.springframework.boot:spring-boot-autoconfigure:2.6.8 (*)
| | +--- org.springframework.boot:spring-boot-starter-logging:2.6.8
| | | +--- ch.qos.logback:logback-classic:1.2.11
| | | | +--- ch.qos.logback:logback-core:1.2.11
| | | | \--- org.slf4j:slf4j-api:1.7.32 -> 1.7.36
| | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.17.2
| | | | +--- org.slf4j:slf4j-api:1.7.35 -> 1.7.36
| | | | \--- org.apache.logging.log4j:log4j-api:2.17.2
| | | \--- org.slf4j:jul-to-slf4j:1.7.36
| | | \--- org.slf4j:slf4j-api:1.7.36
| | +--- jakarta.annotation:jakarta.annotation-api:1.3.5
| | +--- org.springframework:spring-core:5.3.20 (*)
| | \--- org.yaml:snakeyaml:1.29
| +--- org.springframework.boot:spring-boot-actuator-autoconfigure:2.6.8
| | +--- com.fasterxml.jackson.core:jackson-databind:2.13.3
| | | +--- com.fasterxml.jackson.core:jackson-annotations:2.13.3
| | | | \--- com.fasterxml.jackson:jackson-bom:2.13.3
| | | | +--- com.fasterxml.jackson.core:jackson-annotations:2.13.3 (c)
| | | | +--- com.fasterxml.jackson.core:jackson-core:2.13.3 (c)
| | | | +--- com.fasterxml.jackson.core:jackson-databind:2.13.3 (c)
| | | | +--- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.3 (c)
| | | | +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.3 (c)
| | | | \--- com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.3 (c)
| | | +--- com.fasterxml.jackson.core:jackson-core:2.13.3
| | | | \--- com.fasterxml.jackson:jackson-bom:2.13.3 (*)
| | | \--- com.fasterxml.jackson:jackson-bom:2.13.3 (*)
| | +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.3
| | | +--- com.fasterxml.jackson.core:jackson-annotations:2.13.3 (*)
| | | +--- com.fasterxml.jackson.core:jackson-core:2.13.3 (*)
| | | +--- com.fasterxml.jackson.core:jackson-databind:2.13.3 (*)
| | | \--- com.fasterxml.jackson:jackson-bom:2.13.3 (*)
| | +--- org.springframework.boot:spring-boot-actuator:2.6.8
| | | \--- org.springframework.boot:spring-boot:2.6.8 (*)
| | +--- org.springframework.boot:spring-boot:2.6.8 (*)
| | \--- org.springframework.boot:spring-boot-autoconfigure:2.6.8 (*)
| \--- io.micrometer:micrometer-core:1.8.6
| +--- org.hdrhistogram:HdrHistogram:2.1.12
| \--- org.latencyutils:LatencyUtils:2.0.3
+--- org.springframework.boot:spring-boot-starter-data-jpa -> 2.6.8
| +--- org.springframework.boot:spring-boot-starter-aop:2.6.8
| | +--- org.springframework.boot:spring-boot-starter:2.6.8 (*)
| | +--- org.springframework:spring-aop:5.3.20 (*)
| | \--- org.aspectj:aspectjweaver:1.9.7
| +--- org.springframework.boot:spring-boot-starter-jdbc:2.6.8
| | +--- org.springframework.boot:spring-boot-starter:2.6.8 (*)
| | +--- com.zaxxer:HikariCP:4.0.3
| | | \--- org.slf4j:slf4j-api:1.7.30 -> 1.7.36
| | \--- org.springframework:spring-jdbc:5.3.20
| | +--- org.springframework:spring-beans:5.3.20 (*)
| | +--- org.springframework:spring-core:5.3.20 (*)
| | \--- org.springframework:spring-tx:5.3.20
| | +--- org.springframework:spring-beans:5.3.20 (*)
| | \--- org.springframework:spring-core:5.3.20 (*)
| +--- jakarta.transaction:jakarta.transaction-api:1.3.3
| +--- jakarta.persistence:jakarta.persistence-api:2.2.3
| +--- org.hibernate:hibernate-core:5.6.9.Final
| | +--- org.jboss.logging:jboss-logging:3.4.3.Final
| | +--- net.bytebuddy:byte-buddy:1.12.9 -> 1.11.22
| | +--- antlr:antlr:2.7.7
| | +--- org.jboss:jandex:2.4.2.Final
| | +--- com.fasterxml:classmate:1.5.1
| | +--- org.hibernate.common:hibernate-commons-annotations:5.1.2.Final
| | | \--- org.jboss.logging:jboss-logging:3.3.2.Final -> 3.4.3.Final
| | \--- org.glassfish.jaxb:jaxb-runtime:2.3.1 -> 2.3.6
| | +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.3
| | +--- org.glassfish.jaxb:txw2:2.3.6
| | +--- com.sun.istack:istack-commons-runtime:3.0.12
| | \--- com.sun.activation:jakarta.activation:1.2.2
| +--- org.springframework.data:spring-data-jpa:2.6.4
| | +--- org.springframework.data:spring-data-commons:2.6.4
| | | +--- org.springframework:spring-core:5.3.19 -> 5.3.20 (*)
| | | +--- org.springframework:spring-beans:5.3.19 -> 5.3.20 (*)
| | | \--- org.slf4j:slf4j-api:1.7.32 -> 1.7.36
| | +--- org.springframework:spring-orm:5.3.19 -> 5.3.20
| | | +--- org.springframework:spring-beans:5.3.20 (*)
| | | +--- org.springframework:spring-core:5.3.20 (*)
| | | +--- org.springframework:spring-jdbc:5.3.20 (*)
| | | \--- org.springframework:spring-tx:5.3.20 (*)
| | +--- org.springframework:spring-context:5.3.19 -> 5.3.20 (*)
| | +--- org.springframework:spring-aop:5.3.19 -> 5.3.20 (*)
| | +--- org.springframework:spring-tx:5.3.19 -> 5.3.20 (*)
| | +--- org.springframework:spring-beans:5.3.19 -> 5.3.20 (*)
| | +--- org.springframework:spring-core:5.3.19 -> 5.3.20 (*)
| | \--- org.slf4j:slf4j-api:1.7.32 -> 1.7.36
| \--- org.springframework:spring-aspects:5.3.20
| \--- org.aspectj:aspectjweaver:1.9.7
+--- org.springframework.boot:spring-boot-starter-web -> 2.6.8
| +--- org.springframework.boot:spring-boot-starter:2.6.8 (*)
| +--- org.springframework.boot:spring-boot-starter-json:2.6.8
| | +--- org.springframework.boot:spring-boot-starter:2.6.8 (*)
| | +--- org.springframework:spring-web:5.3.20
| | | +--- org.springframework:spring-beans:5.3.20 (*)
| | | \--- org.springframework:spring-core:5.3.20 (*)
| | +--- com.fasterxml.jackson.core:jackson-databind:2.13.3 (*)
| | +--- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.3
| | | +--- com.fasterxml.jackson.core:jackson-core:2.13.3 (*)
| | | +--- com.fasterxml.jackson.core:jackson-databind:2.13.3 (*)
| | | \--- com.fasterxml.jackson:jackson-bom:2.13.3 (*)
| | +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.3 (*)
| | \--- com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.3
| | +--- com.fasterxml.jackson.core:jackson-core:2.13.3 (*)
| | +--- com.fasterxml.jackson.core:jackson-databind:2.13.3 (*)
| | \--- com.fasterxml.jackson:jackson-bom:2.13.3 (*)
| +--- org.springframework:spring-web:5.3.20 (*)
| \--- org.springframework:spring-webmvc:5.3.20
| +--- org.springframework:spring-aop:5.3.20 (*)
| +--- org.springframework:spring-beans:5.3.20 (*)
| +--- org.springframework:spring-context:5.3.20 (*)
| +--- org.springframework:spring-core:5.3.20 (*)
| +--- org.springframework:spring-expression:5.3.20 (*)
| \--- org.springframework:spring-web:5.3.20 (*)
+--- org.springframework.boot:spring-boot-starter-jetty -> 2.6.8
| +--- jakarta.servlet:jakarta.servlet-api:4.0.4
| +--- jakarta.websocket:jakarta.websocket-api:1.1.2
| +--- org.apache.tomcat.embed:tomcat-embed-el:9.0.63
| +--- org.eclipse.jetty:jetty-servlets:9.4.46.v20220331
| | +--- org.eclipse.jetty:jetty-continuation:9.4.46.v20220331
| | +--- org.eclipse.jetty:jetty-http:9.4.46.v20220331
| | | +--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331
| | | \--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | +--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331 (*)
| +--- org.eclipse.jetty:jetty-webapp:9.4.46.v20220331
| | +--- org.eclipse.jetty:jetty-xml:9.4.46.v20220331
| | | \--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | \--- org.eclipse.jetty:jetty-servlet:9.4.46.v20220331
| | +--- org.eclipse.jetty:jetty-security:9.4.46.v20220331
| | | \--- org.eclipse.jetty:jetty-server:9.4.46.v20220331
| | | +--- org.eclipse.jetty:jetty-http:9.4.46.v20220331 (*)
| | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331 (*)
| | \--- org.eclipse.jetty:jetty-util-ajax:9.4.46.v20220331
| | \--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| +--- org.eclipse.jetty.websocket:websocket-server:9.4.46.v20220331
| | +--- org.eclipse.jetty.websocket:websocket-common:9.4.46.v20220331
| | | +--- org.eclipse.jetty.websocket:websocket-api:9.4.46.v20220331
| | | +--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331 (*)
| | +--- org.eclipse.jetty.websocket:websocket-client:9.4.46.v20220331
| | | +--- org.eclipse.jetty:jetty-client:9.4.46.v20220331
| | | | +--- org.eclipse.jetty:jetty-http:9.4.46.v20220331 (*)
| | | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331 (*)
| | | +--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | +--- org.eclipse.jetty:jetty-io:9.4.46.v20220331 (*)
| | | \--- org.eclipse.jetty.websocket:websocket-common:9.4.46.v20220331 (*)
| | +--- org.eclipse.jetty.websocket:websocket-servlet:9.4.46.v20220331
| | | \--- org.eclipse.jetty.websocket:websocket-api:9.4.46.v20220331
| | +--- org.eclipse.jetty:jetty-servlet:9.4.46.v20220331 (*)
| | \--- org.eclipse.jetty:jetty-http:9.4.46.v20220331 (*)
| \--- org.eclipse.jetty.websocket:javax-websocket-server-impl:9.4.46.v20220331
| +--- org.eclipse.jetty:jetty-annotations:9.4.46.v20220331
| | +--- org.eclipse.jetty:jetty-plus:9.4.46.v20220331
| | | \--- org.eclipse.jetty:jetty-webapp:9.4.46.v20220331 (*)
| | +--- org.eclipse.jetty:jetty-webapp:9.4.46.v20220331 (*)
| | +--- org.ow2.asm:asm:9.2
| | \--- org.ow2.asm:asm-commons:9.2
| | +--- org.ow2.asm:asm:9.2
| | +--- org.ow2.asm:asm-tree:9.2
| | | \--- org.ow2.asm:asm:9.2
| | \--- org.ow2.asm:asm-analysis:9.2
| | \--- org.ow2.asm:asm-tree:9.2 (*)
| +--- org.eclipse.jetty.websocket:javax-websocket-client-impl:9.4.46.v20220331
| | \--- org.eclipse.jetty.websocket:websocket-client:9.4.46.v20220331 (*)
| \--- org.eclipse.jetty.websocket:websocket-server:9.4.46.v20220331 (*)
+--- org.postgresql:postgresql -> 42.3.5
| \--- org.checkerframework:checker-qual:3.5.0 -> 3.8.0
+--- org.flywaydb:flyway-core -> 8.0.5
+--- org.apache.commons:commons-lang3:3.9
+--- javax.validation:validation-api:2.0.1.Final
+--- javax.annotation:javax.annotation-api:1.3.2
+--- com.google.guava:guava:30.1.1-jre
| +--- com.google.guava:failureaccess:1.0.1
| +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
| +--- com.google.code.findbugs:jsr305:3.0.2
| +--- org.checkerframework:checker-qual:3.8.0
| +--- com.google.errorprone:error_prone_annotations:2.5.1
| \--- com.google.j2objc:j2objc-annotations:1.3
+--- io.swagger:swagger-annotations:1.6.3
+--- org.openapitools:jackson-databind-nullable:0.2.2
| \--- com.fasterxml.jackson.core:jackson-databind:2.12.2 -> 2.13.3 (*)
\--- io.springfox:springfox-core:3.0.0
+--- net.bytebuddy:byte-buddy:1.10.11 -> 1.11.22
+--- com.fasterxml:classmate:1.5.1
+--- org.slf4j:slf4j-api:1.7.25 -> 1.7.36
+--- org.springframework.plugin:spring-plugin-core:2.0.0.RELEASE
| +--- org.springframework:spring-beans:5.2.0.RELEASE -> 5.3.20 (*)
| +--- org.springframework:spring-context:5.2.0.RELEASE -> 5.3.20 (*)
| +--- org.springframework:spring-aop:5.2.0.RELEASE -> 5.3.20 (*)
| \--- org.slf4j:slf4j-api:1.7.25 -> 1.7.36
\--- org.springframework.plugin:spring-plugin-metadata:2.0.0.RELEASE
+--- org.springframework.plugin:spring-plugin-core:2.0.0.RELEASE (*)
\--- org.slf4j:slf4j-api:1.7.25 -> 1.7.36
(c) - dependency constraint
(*) - dependencies omitted (listed previously)
A web-based, searchable dependency report is available by adding the --scan option.
BUILD SUCCESSFUL in 1s
1 actionable task: 1 executed

Resolve gradle build script dependencies

How do I check the resolved dependencies of a Gradle build script? For example, I have plugin1 and plugin2; how can I figure out what dependencies both of them pull in, and each separately?
Is there any parameter to print out this info?
The latest Gradle version comes with the buildEnvironment task that does exactly what you need. You can simply run
gradle buildEnvironment
You can use gradle dependencies to get the full list. If you're only interested in a specific module, then you can use gradle app:dependencyInsight --dependency com.google.code.gson (example for gson).
All dependency example outputs are from the project: https://github.com/JBirdVegas/external_jbirdvegas_mGerrit
Here is an example output
$ gradle dependencies app:dependencies
------------------------------------------------------------
Root project
------------------------------------------------------------
No configurations
:app:dependencies
------------------------------------------------------------
Project :app
------------------------------------------------------------
_debugAndroidTestApk - ## Internal use, do not manually configure ##
\--- com.android.support:multidex-instrumentation:1.0.1
\--- com.android.support:multidex:1.0.1
_debugAndroidTestCompile - ## Internal use, do not manually configure ##
\--- com.android.support:multidex-instrumentation:1.0.1
\--- com.android.support:multidex:1.0.1
_releaseUnitTestApk - ## Internal use, do not manually configure ##
No dependencies
_releaseUnitTestCompile - ## Internal use, do not manually configure ##
No dependencies
androidJacocoAgent - The Jacoco agent to use to get coverage data.
\--- org.jacoco:org.jacoco.agent:0.7.4.201502262128
androidJacocoAnt - The Jacoco ant tasks to use to get execute Gradle tasks.
\--- org.jacoco:org.jacoco.ant:0.7.4.201502262128
+--- org.jacoco:org.jacoco.core:0.7.4.201502262128
| \--- org.ow2.asm:asm-debug-all:5.0.1
+--- org.jacoco:org.jacoco.report:0.7.4.201502262128
| +--- org.jacoco:org.jacoco.core:0.7.4.201502262128 (*)
| \--- org.ow2.asm:asm-debug-all:5.0.1
\--- org.jacoco:org.jacoco.agent:0.7.4.201502262128
androidTestApk - Classpath packaged with the compiled 'androidTest' classes.
No dependencies
androidTestCompile - Classpath for compiling the androidTest sources.
No dependencies
androidTestProvided - Classpath for only compiling the androidTest sources.
No dependencies
androidTestWearApp - Link to a wear app to embed for object 'androidTest'.
No dependencies
apk - Classpath packaged with the compiled 'main' classes.
No dependencies
archives - Configuration for archive artifacts.
No dependencies
checkstyle - The Checkstyle libraries to be used for this project.
Download https://repo1.maven.org/maven2/com/puppycrawl/tools/checkstyle/5.9/checkstyle-5.9.pom
\--- com.puppycrawl.tools:checkstyle:5.9
+--- antlr:antlr:2.7.7
+--- commons-beanutils:commons-beanutils-core:1.8.3
+--- commons-cli:commons-cli:1.2
\--- com.google.guava:guava-jdk5:14.0.1
compile - Classpath for compiling the main sources.
+--- com.jakewharton.hugo:hugo-annotations:1.2.1
+--- com.android.support:appcompat-v7:23.1.1
| \--- com.android.support:support-v4:23.1.1
| \--- com.android.support:support-annotations:23.1.1
+--- com.android.support:design:23.1.1
| +--- com.android.support:appcompat-v7:23.1.1 (*)
| +--- com.android.support:recyclerview-v7:23.1.1
| | +--- com.android.support:support-annotations:23.1.1
| | \--- com.android.support:support-v4:23.1.1 (*)
| \--- com.android.support:support-v4:23.1.1 (*)
+--- com.google.code.gson:gson:2.4
+--- com.mcxiaoke.volley:library:1.0.18
+--- com.nhaarman.listviewanimations:lib-core:3.1.0
+--- com.nhaarman.listviewanimations:lib-core-slh:3.1.0
+--- com.nineoldandroids:library:2.4.0
+--- de.greenrobot:eventbus:2.4.0
+--- joda-time:joda-time:2.7
+--- org.ajoberstar:gradle-git:1.1.0
| +--- org.ajoberstar:grgit:1.1.0
| | +--- org.eclipse.jgit:org.eclipse.jgit:3.7.0.201502260915-r
| | | +--- com.jcraft:jsch:0.1.50
| | | +--- com.googlecode.javaewah:JavaEWAH:0.7.9
| | | +--- org.apache.httpcomponents:httpclient:4.1.3
| | | | +--- org.apache.httpcomponents:httpcore:4.1.4
| | | | +--- commons-logging:commons-logging:1.1.1
| | | | \--- commons-codec:commons-codec:1.4
| | | \--- org.slf4j:slf4j-api:1.7.2 -> 1.7.7
| | +--- org.eclipse.jgit:org.eclipse.jgit.ui:3.7.0.201502260915-r
| | | \--- org.eclipse.jgit:org.eclipse.jgit:3.7.0.201502260915-r (*)
| | +--- com.jcraft:jsch.agentproxy.jsch:0.0.7
| | | +--- com.jcraft:jsch:0.1.49 -> 0.1.50
| | | \--- com.jcraft:jsch.agentproxy.core:0.0.7
| | +--- com.jcraft:jsch.agentproxy.pageant:0.0.7
| | | +--- com.jcraft:jsch.agentproxy.core:0.0.7
| | | +--- net.java.dev.jna:jna:3.4.0
| | | \--- net.java.dev.jna:platform:3.4.0
| | +--- com.jcraft:jsch.agentproxy.sshagent:0.0.7
| | | \--- com.jcraft:jsch.agentproxy.core:0.0.7
| | +--- com.jcraft:jsch.agentproxy.usocket-jna:0.0.7
| | | +--- com.jcraft:jsch.agentproxy.core:0.0.7
| | | +--- net.java.dev.jna:jna:3.4.0
| | | \--- net.java.dev.jna:platform:3.4.0
| | +--- com.jcraft:jsch.agentproxy.usocket-nc:0.0.7
| | | \--- com.jcraft:jsch.agentproxy.core:0.0.7
| | \--- org.slf4j:slf4j-api:1.7.7
| \--- com.github.zafarkhaja:java-semver:0.8.0
+--- se.emilsjolander:stickylistheaders:2.6.0
+--- com.github.dmytrodanylyk.android-process-button:library:1.0.3
+--- de.hdodenhof:circleimageview:1.2.2
+--- com.google.guava:guava:18.0
+--- org.apache.httpcomponents:httpclient-android:4.3.5.1
+--- com.android.support:multidex:1.0.1
+--- com.anupcowkur:reservoir:2.1
| +--- com.jakewharton:disklrucache:2.0.2
| +--- com.google.code.gson:gson:2.2.4 -> 2.4
| +--- commons-io:commons-io:2.4
| \--- io.reactivex:rxandroid:0.24.0
| \--- io.reactivex:rxjava:1.0.4
\--- com.mikepenz:materialdrawer:4.5.5
+--- com.android.support:recyclerview-v7:23.1.1 (*)
+--- com.mikepenz:materialize:0.5.1
+--- com.mikepenz:iconics-core:2.5.0
\--- com.android.support:support-annotations:23.1.1
debugApk - Classpath packaged with the compiled 'debug' classes.
No dependencies
debugCompile - Classpath for compiling the debug sources.
+--- com.jakewharton.hugo:hugo-runtime:1.2.1
| +--- com.jakewharton.hugo:hugo-annotations:1.2.1
| \--- org.aspectj:aspectjrt:1.8.5
\--- org.aspectj:aspectjrt:1.8.5
For an example of app:dependencyInsight for gson
$ gradle app:dependencyInsight --configuration compile --dependency com.google.code.gson
:app:dependencyInsight
com.google.code.gson:gson:2.4 (conflict resolution)
\--- compile
com.google.code.gson:gson:2.2.4 -> 2.4
\--- com.anupcowkur:reservoir:2.1
\--- compile
BUILD SUCCESSFUL
Total time: 1.018 secs
EDIT:
To get the build script dependencies I think you need a custom task... Something like this
task buildScriptDependencies(type: org.gradle.api.tasks.diagnostics.DependencyReportTask) {
    configurations = project.buildscript.configurations
}
Then you can quickly get the build script dependencies from the command line:
$ gradle buildScriptDependencies
Configuration on demand is an incubating feature.
:buildSrc:compileJava UP-TO-DATE
:buildSrc:compileGroovy UP-TO-DATE
:buildSrc:processResources UP-TO-DATE
:buildSrc:classes UP-TO-DATE
:buildSrc:jar UP-TO-DATE
:buildSrc:assemble UP-TO-DATE
:buildSrc:compileTestJava UP-TO-DATE
:buildSrc:compileTestGroovy UP-TO-DATE
:buildSrc:processTestResources UP-TO-DATE
:buildSrc:testClasses UP-TO-DATE
:buildSrc:test UP-TO-DATE
:buildSrc:check UP-TO-DATE
:buildSrc:build UP-TO-DATE
versionCode: 2111073 versionName: 2.111.73
Applying signing plugin
Not signing release. keyStoreFile was not defined in private.creds
Adding git task
WARNING: Dependency org.apache.httpcomponents:httpclient:4.1.3 is ignored for debug as it may be conflicting with the internal version provided by Android.
In case of problem, please repackage it with jarjar to change the class packages
WARNING: Dependency org.apache.httpcomponents:httpclient:4.1.3 is ignored for release as it may be conflicting with the internal version provided by Android.
In case of problem, please repackage it with jarjar to change the class packages
Adding javadoc task
Adding style task
:buildScriptDependencies
------------------------------------------------------------
Root project
------------------------------------------------------------
classpath
+--- com.android.tools.build:gradle:1.5.0
| \--- com.android.tools.build:gradle-core:1.5.0
| +--- com.android.tools.build:builder:1.5.0
| | +--- com.android.tools.build:builder-model:1.5.0
| | | \--- com.android.tools:annotations:24.5.0
| | +--- com.android.tools.build:builder-test-api:1.5.0
| | | \--- com.android.tools.ddms:ddmlib:24.5.0
| | | +--- com.android.tools:common:24.5.0
| | | | +--- com.android.tools:annotations:24.5.0
| | | | \--- com.google.guava:guava:17.0
| | | \--- net.sf.kxml:kxml2:2.3.0
| | +--- com.android.tools.build:transform-api:1.5.0
| | | +--- com.android.tools:annotations:24.5.0
| | | \--- com.google.guava:guava:17.0
| | +--- com.android.tools:sdklib:24.5.0
| | | +--- com.android.tools.layoutlib:layoutlib-api:24.5.0
| | | | +--- com.android.tools:common:24.5.0 (*)
| | | | +--- net.sf.kxml:kxml2:2.3.0
| | | | +--- com.android.tools:annotations:24.5.0
| | | | \--- com.intellij:annotations:12.0
| | | +--- com.android.tools:dvlib:24.5.0
| | | | \--- com.android.tools:common:24.5.0 (*)
| | | +--- com.google.code.gson:gson:2.2.4
| | | +--- org.apache.commons:commons-compress:1.8.1
| | | +--- org.apache.httpcomponents:httpclient:4.1.1
| | | | +--- org.apache.httpcomponents:httpcore:4.1
| | | | +--- commons-logging:commons-logging:1.1.1
| | | | \--- commons-codec:commons-codec:1.4
| | | \--- org.apache.httpcomponents:httpmime:4.1
| | | +--- org.apache.httpcomponents:httpcore:4.1
| | | \--- commons-logging:commons-logging:1.1.1
| | +--- com.android.tools:sdk-common:24.5.0
| | | +--- com.android.tools:sdklib:24.5.0 (*)
| | | +--- com.android.tools.build:builder-test-api:1.5.0 (*)
| | | \--- com.android.tools.build:builder-model:1.5.0 (*)
| | +--- com.android.tools:common:24.5.0 (*)
| | +--- com.android.tools.build:manifest-merger:24.5.0
| | | +--- com.android.tools:common:24.5.0 (*)
| | | +--- com.android.tools:sdklib:24.5.0 (*)
| | | +--- com.android.tools:sdk-common:24.5.0 (*)
| | | +--- net.sf.kxml:kxml2:2.3.0
| | | \--- com.google.code.gson:gson:2.2.4
| | +--- com.android.tools.ddms:ddmlib:24.5.0 (*)
| | +--- com.android.tools.jack:jack-api:0.9.0
| | +--- com.android.tools.jill:jill-api:0.9.0
| | +--- com.squareup:javawriter:2.5.0
| | +--- org.bouncycastle:bcpkix-jdk15on:1.48
| | | \--- org.bouncycastle:bcprov-jdk15on:1.48
| | +--- org.bouncycastle:bcprov-jdk15on:1.48
| | +--- org.ow2.asm:asm:5.0.3
| | +--- org.ow2.asm:asm-tree:5.0.3
| | | \--- org.ow2.asm:asm:5.0.3
| | +--- org.antlr:antlr-runtime:3.5.2
| | \--- org.antlr:antlr:3.5.2
| | +--- org.antlr:antlr-runtime:3.5.2
| | \--- org.antlr:ST4:4.0.8
| | \--- org.antlr:antlr-runtime:3.5.2
| +--- com.android.tools.lint:lint:24.5.0
| | +--- com.android.tools.lint:lint-checks:24.5.0
| | | +--- com.android.tools.lint:lint-api:24.5.0
| | | | +--- com.android.tools:sdk-common:24.5.0 (*)
| | | | +--- com.android.tools.build:builder-model:1.5.0 (*)
| | | | +--- com.android.tools.external.lombok:lombok-ast:0.2.3
| | | | | \--- com.google.guava:guava:17.0
| | | | +--- org.ow2.asm:asm:5.0.3
| | | | \--- org.ow2.asm:asm-tree:5.0.3 (*)
| | | \--- org.ow2.asm:asm-analysis:5.0.3
| | | \--- org.ow2.asm:asm-tree:5.0.3 (*)
| | \--- org.eclipse.jdt.core.compiler:ecj:4.4.2
| +--- com.android.tools.build:transform-api:1.5.0 (*)
| +--- com.android.databinding:compilerCommon:1.0-rc5
| | +--- com.android.databinding:baseLibrary:1.0-rc5
| | +--- org.apache.commons:commons-lang3:3.3.2
| | +--- com.tunnelvisionlabs:antlr4:4.5
| | | +--- com.tunnelvisionlabs:antlr4-runtime:4.5
| | | | +--- org.abego.treelayout:org.abego.treelayout.core:1.0.1
| | | | \--- com.tunnelvisionlabs:antlr4-annotations:4.5
| | | +--- com.tunnelvisionlabs:antlr4-annotations:4.5
| | | +--- org.antlr:antlr-runtime:3.5.2
| | | \--- org.antlr:ST4:4.0.8 (*)
| | +--- commons-io:commons-io:2.4
| | \--- com.googlecode.juniversalchardet:juniversalchardet:1.0.3
| +--- net.sf.proguard:proguard-gradle:5.2.1
| | \--- net.sf.proguard:proguard-base:5.2.1
| \--- org.jacoco:org.jacoco.core:0.7.4.201502262128
| \--- org.ow2.asm:asm-debug-all:5.0.1
\--- com.gradle:build-receipt-plugin:1.0
(*) - dependencies omitted (listed previously)
BUILD SUCCESSFUL
Total time: 0.961 secs

Where can I find the document for `(*)` and `1.7.6 -> 1.7.7` in the output of `gradle dependencies`

For a Gradle project with a simple build.gradle file:
apply plugin: 'java'
repositories.jcenter()
dependencies {
    compile "org.springframework.boot:spring-boot-starter-web:1.1.5.RELEASE"
    compile 'org.slf4j:slf4j-api:1.7.1'
}
When I run gradle dependencies, it will show:
:dependencies
------------------------------------------------------------
Root project
------------------------------------------------------------
archives - Configuration for archive artifacts.
No dependencies
compile - Compile classpath for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web:1.1.5.RELEASE
| +--- org.springframework.boot:spring-boot-starter:1.1.5.RELEASE
| | +--- org.springframework.boot:spring-boot:1.1.5.RELEASE
| | | +--- org.springframework:spring-core:4.0.6.RELEASE
| | | | \--- commons-logging:commons-logging:1.1.3
| | | \--- org.springframework:spring-context:4.0.6.RELEASE
| | | +--- org.springframework:spring-aop:4.0.6.RELEASE
| | | | +--- aopalliance:aopalliance:1.0
| | | | +--- org.springframework:spring-beans:4.0.6.RELEASE
| | | | | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | | | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | | +--- org.springframework:spring-beans:4.0.6.RELEASE (*)
| | | +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | | \--- org.springframework:spring-expression:4.0.6.RELEASE
| | | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | +--- org.springframework.boot:spring-boot-autoconfigure:1.1.5.RELEASE
| | | \--- org.springframework.boot:spring-boot:1.1.5.RELEASE (*)
| | +--- org.springframework.boot:spring-boot-starter-logging:1.1.5.RELEASE
| | | +--- org.slf4j:jcl-over-slf4j:1.7.7
| | | | \--- org.slf4j:slf4j-api:1.7.7
| | | +--- org.slf4j:jul-to-slf4j:1.7.7
| | | | \--- org.slf4j:slf4j-api:1.7.7
| | | +--- org.slf4j:log4j-over-slf4j:1.7.7
| | | | \--- org.slf4j:slf4j-api:1.7.7
| | | \--- ch.qos.logback:logback-classic:1.1.2
| | | +--- ch.qos.logback:logback-core:1.1.2
| | | \--- org.slf4j:slf4j-api:1.7.6 -> 1.7.7
| | +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | \--- org.yaml:snakeyaml:1.13
| +--- org.springframework.boot:spring-boot-starter-tomcat:1.1.5.RELEASE
| | +--- org.apache.tomcat.embed:tomcat-embed-core:7.0.54
| | +--- org.apache.tomcat.embed:tomcat-embed-el:7.0.54
| | \--- org.apache.tomcat.embed:tomcat-embed-logging-juli:7.0.54
| +--- com.fasterxml.jackson.core:jackson-databind:2.3.3
| | +--- com.fasterxml.jackson.core:jackson-annotations:2.3.0
| | \--- com.fasterxml.jackson.core:jackson-core:2.3.3
| +--- org.hibernate:hibernate-validator:5.0.3.Final
| | +--- javax.validation:validation-api:1.1.0.Final
| | +--- org.jboss.logging:jboss-logging:3.1.1.GA
| | \--- com.fasterxml:classmate:1.0.0
| +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| +--- org.springframework:spring-web:4.0.6.RELEASE
| | +--- org.springframework:spring-aop:4.0.6.RELEASE (*)
| | +--- org.springframework:spring-beans:4.0.6.RELEASE (*)
| | +--- org.springframework:spring-context:4.0.6.RELEASE (*)
| | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| \--- org.springframework:spring-webmvc:4.0.6.RELEASE
| +--- org.springframework:spring-beans:4.0.6.RELEASE (*)
| +--- org.springframework:spring-context:4.0.6.RELEASE (*)
| +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| +--- org.springframework:spring-expression:4.0.6.RELEASE (*)
| \--- org.springframework:spring-web:4.0.6.RELEASE (*)
\--- org.slf4j:slf4j-api:1.7.1 -> 1.7.7
There are two things I'm not very sure about, although I've read some articles:
(*): this dependency is already present and was downloaded in previous steps
1.7.1 -> 1.7.7: this dependency is declared as 1.7.1, but Gradle decides to use 1.7.7 after conflict resolution
I'm not sure if my understanding is correct. How can I find some official document that explains them? I searched the Gradle website, but have not found it yet.
While not official documentation, I found the following in the Gradle dependency-resolution-reporting.md design doc:
avoid regression of current features:
subtree is omitted (*)
Note, however, that this design-doc was changed on April 2 (see change here) as part of the work on the release of v2.5 and this comment was removed from this document.
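Added example (not part of the original question or answer, and not Gradle's own code): a small Python parser for the text printed by `gradle dependencies` that lists every `requested -> selected` node together with the chain of parents that asked for it, which shows who pulled in the older version. The sample report is constructed from the slf4j lines in the question, laid out with the five characters per tree level that Gradle prints; `NODE` and `version_overrides` are names introduced here.

```python
import re

# Constructed sample in the layout of `gradle dependencies` (5 characters per level).
SAMPLE = r"""
+--- org.springframework.boot:spring-boot-starter-logging:1.1.5.RELEASE
|    +--- org.slf4j:jcl-over-slf4j:1.7.7
|    |    \--- org.slf4j:slf4j-api:1.7.7
|    \--- ch.qos.logback:logback-classic:1.1.2
|         +--- ch.qos.logback:logback-core:1.1.2
|         \--- org.slf4j:slf4j-api:1.7.6 -> 1.7.7
+--- org.springframework:spring-core:4.0.6.RELEASE (*)
\--- org.slf4j:slf4j-api:1.7.1 -> 1.7.7
"""

# One tree node: indent, group:name, optional requested version,
# optional "-> selected", optional trailing markers such as (*) or FAILED.
NODE = re.compile(
    r"^(?P<indent>(?:[| ] {4})*)[+\\]--- "
    r"(?P<module>[^:\s]+:[^:\s]+)(?::(?P<requested>\{[^}]*\}|\S+))?"
    r"(?: -> (?P<selected>\S+))?(?P<flags>(?: \([*cn]\)| FAILED)*)\s*$"
)

def version_overrides(report):
    """Map module -> [(requested, selected, parents)] for each `a -> b` node."""
    stack, found = [], {}
    for line in report.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # section headers, blank lines, the (*) legend
        depth = len(m["indent"]) // 5
        del stack[depth:]  # drop siblings and deeper nodes, keep the ancestors
        if m["selected"] and m["requested"] != m["selected"]:
            entry = (m["requested"], m["selected"], tuple(stack))
            found.setdefault(m["module"], []).append(entry)
        version = m["selected"] or m["requested"] or "?"
        stack.append(f'{m["module"]}:{version}')
    return found

if __name__ == "__main__":
    for module, hits in version_overrides(SAMPLE).items():
        for requested, selected, parents in hits:
            via = " > ".join(parents) or "(declared directly in the build)"
            print(f"{module}: {requested} -> {selected}  via {via}")
```

An empty parent chain means the version was requested directly by the build script; the subtree hidden behind `(*)` is not re-expanded, so a requester listed only inside an omitted subtree shows up at its first occurrence.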
