Gradle dependency tree, what does the (*) mean? - gradle

I am just wondering what does the (*) mean under the dependency tree for Gradle. I have been searching online and could not find any answers.
+--- org.apache.httpcomponents:httpclient:4.2.6 -> 4.5 (*)
| +--- org.apache.jena:apache-jena-libs:2.12.1
| | +--- org.apache.jena:jena-tdb:1.1.1
| | | +--- org.apache.jena:jena-arq:2.12.1
| | | | +--- org.apache.jena:jena-core:2.12.1
| | | | | +--- org.slf4j:slf4j-api:1.7.6 -> 1.7.10
| | | | | +--- org.apache.jena:jena-iri:1.1.1
| | | | | | +--- org.slf4j:slf4j-api:1.7.6 -> 1.7.10
| | | | | | \--- log4j:log4j:1.2.17
| | | | | +--- xerces:xercesImpl:2.11.0
| | | | | | \--- xml-apis:xml-apis:1.4.01
| | | | | \--- log4j:log4j:1.2.17
| | | | +--- org.apache.httpcomponents:httpclient:4.2.6 -> 4.5 (*)
| | | | +--- com.github.jsonld-java:jsonld-java:0.5.0
| | | | | +--- com.fasterxml.jackson.core:jackson-core:2.3.3 -> 2.5.1
| | | | | +--- com.fasterxml.jackson.core:jackson-databind:2.3.3 -> 2.5.1 (*)
| | | | | \--- org.slf4j:jcl-over-slf4j:1.7.7 -> 1.7.10 (*)

(*) - dependencies omitted (listed previously)
Should be displayed under your dependency tree.
The dependencies of the marked dependency are omitted for readability because they were already listed higher up in the dependency graph output.
Also,
(c) - dependency constraint
(n) - Not resolved

Dependencies with the same coordinates that can occur multiple times in the graph are omitted and indicated by an asterisk (*). Dependencies that had to undergo conflict resolution render the requested and selected version separated by a right arrow character (->).
gradle manual: https://docs.gradle.org/current/userguide/viewing_debugging_dependencies.html

Related

Java Project Dependency clarification

I have Gradle project A which has another dependency module B (maven).
In Gradle project A dependency tree I can see below
+--- org.seleniumhq.selenium:selenium-api:3.141.59 -> 4.1.4
| | | +--- org.seleniumhq.selenium:selenium-chrome-driver:3.141.59 -> 4.1.4 (*)
| | | +--- org.seleniumhq.selenium:selenium-edge-driver:3.141.59 -> 4.1.4 (*)
I have a few questions here:
With the above dep tree (i.e. 3.141.59 -> 4.1.4 (*)), which version is the one used? I know (*) - dependencies omitted (listed previously)
If the one used here is 3.141.59, how should I use 4.1.4 instead?
Note: I can see that Maven module B has version 3.141.59.
The dep tree doesn't clearly show where the 4.1.4 version comes from. As per the tree snippet below, it comes under org.seleniumhq.selenium:selenium-server:3.141.59:
| +--- org.seleniumhq.selenium:selenium-server:3.141.59
| | | +--- org.seleniumhq.selenium:selenium-java:3.141.59 -> 4.1.4
| | | | +--- org.seleniumhq.selenium:selenium-api:4.1.4
| | | | +--- org.seleniumhq.selenium:selenium-chrome-driver:4.1.4
| | | | | +--- com.google.auto.service:auto-service-annotations:1.0.1
| | | | | +--- com.google.auto.service:auto-service:1.0.1
| | | | | | +--- com.google.auto.service:auto-service-annotations:1.0.1
| | | | | | +--- com.google.auto:auto-common:1.2
| | | | | | | \--- com.google.guava:guava:31.0.1-jre -> 31.1-jre (*)
| | | | | | \--- com.google.guava:guava:31.0.1-jre -> 31.1-jre (*)
| | | | | +--- com.google.guava:guava:31.1-jre (*)
| | | | | +--- org.seleniumhq.selenium:selenium-api:4.1.4
| | | | | +--- org.seleniumhq.selenium:selenium-chromium-driver:4.1.4
| | | | | | +--- com.google.auto.service:auto-service-annotations:1.0.1
| | | | | | +--- com.google.auto.service:auto-service:1.0.1 (*)
| | | | | | +--- com.google.guava:guava:31.1-jre (*)
| | | | | | +--- org.seleniumhq.selenium:selenium-json:4.1.4
| | | | | | | \--- org.seleniumhq.selenium:selenium-api:4.1.4
| | | | | | \--- org.seleniumhq.selenium:selenium-remote-driver:4.1.4
In the dep tree what's the difference between
org.seleniumhq.selenium:selenium-java:3.141.59 -> 4.1.4
and
org.seleniumhq.selenium:selenium-java:3.141.59 -> 4.1.4 (*)

jetty-http issue on camel-jetty-starter

I got this vulnerability on my gradle.build,
jetty-http-9.4.46.v20220331.jar | Reference: CVE-2022-2047 | CVSS Score: 2.7 | Category: CWE-20 | In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
It's coming from this,
implementation 'org.apache.camel.springboot:camel-jetty-starter:3.14.5'
When I check the Gradle dependencies,
--- org.apache.camel.springboot:camel-jetty-starter:3.14.5
| +--- org.springframework.boot:spring-boot-starter:2.6.10 -> 2.7.0 (*)
| +--- org.apache.camel:camel-jetty:3.14.5
| | +--- org.apache.camel:camel-support:3.14.5 (*)
| | +--- org.apache.camel:camel-http-common:3.14.5
| | | +--- org.apache.camel:camel-http-base:3.14.5
| | | | \--- org.apache.camel:camel-support:3.14.5 (*)
| | | +--- org.apache.camel:camel-cloud:3.14.5 (*)
| | | +--- org.apache.camel:camel-support:3.14.5 (*)
| | | \--- org.apache.camel:camel-attachments:3.14.5
| | | +--- org.apache.camel:camel-support:3.14.5 (*)
| | | \--- com.sun.activation:javax.activation:1.2.0
| | +--- org.apache.camel:camel-jetty-common:3.14.5
| | | +--- org.apache.camel:camel-cloud:3.14.5 (*)
| | | +--- org.apache.camel:camel-http-common:3.14.5 (*)
| | | \--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-server:9.4.46.v20220331
| | | +--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | | +--- org.eclipse.jetty:jetty-http:9.4.46.v20220331
| | | | +--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331
| | | | \--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331 (*)
I tried to add this before or after,
implementation 'org.apache.camel.springboot:camel-jetty-starter:3.14.5'
implementation 'org.eclipse.jetty:jetty-http:11.0.11'
But Eclipse will always give an error on unresolved dependency on jetty-http.
I put all the org.eclipse.jetty:jetty-xxx:9.4.48.v2022062 (hope this version stays free of vulnerabilities). It's not xxx; whatever you see in your dependencies, you have to add it there, like jetty-(io/server/servlet/servlets/etc). Take note of servlet/servlets too.
Actually, can you just put xxx instead of putting all the dependencies listed? I tried it and it didn't work.

Confused with gradle select rule of dependency version

I have imported the dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" in project A. And here is the dependency tree:
+--- org.springframework.boot:spring-boot-starter-jetty -> 2.1.18.RELEASE
| +--- org.eclipse.jetty:jetty-servlets:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-continuation:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-http:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| +--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-xml:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-servlet:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-security:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-server:9.4.33.v20201020 -> 9.4.48.v20220622
| | +--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-http:9.4.48.v20220622 -> 9.4.33.v20201020 (*)
| | \--- org.eclipse.jetty:jetty-io:9.4.48.v20220622 -> 9.4.33.v20201020 (*)
| +--- org.eclipse.jetty.websocket:websocket-server:9.4.33.v20201020
| | +--- org.eclipse.jetty.websocket:websocket-common:9.4.33.v20201020
| | | +--- org.eclipse.jetty.websocket:websocket-api:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-client:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-client:9.4.33.v20201020
| | | | +--- org.eclipse.jetty:jetty-http:9.4.33.v20201020 (*)
| | | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-xml:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | | \--- org.eclipse.jetty.websocket:websocket-common:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-servlet:9.4.33.v20201020
| | | +--- org.eclipse.jetty.websocket:websocket-api:9.4.33.v20201020
| | | \--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-servlet:9.4.33.v20201020 (*)
| | \--- org.eclipse.jetty:jetty-http:9.4.33.v20201020 (*)
| +--- org.eclipse.jetty.websocket:javax-websocket-server-impl:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-annotations:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-plus:9.4.33.v20201020
| | | | \--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020 (*)
| | | +--- javax.annotation:javax.annotation-api:1.3.2
| | | +--- org.ow2.asm:asm:9.0
| | | \--- org.ow2.asm:asm-commons:9.0
| | | +--- org.ow2.asm:asm:9.0
| | | +--- org.ow2.asm:asm-tree:9.0
| | | | \--- org.ow2.asm:asm:9.0
| | | \--- org.ow2.asm:asm-analysis:9.0
| | | \--- org.ow2.asm:asm-tree:9.0 (*)
| | +--- org.eclipse.jetty.websocket:javax-websocket-client-impl:9.4.33.v20201020
| | | \--- org.eclipse.jetty.websocket:websocket-client:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-server:9.4.33.v20201020 (*)
| | \--- javax.websocket:javax.websocket-api:1.0 -> 1.1
| \--- org.mortbay.jasper:apache-el:8.5.54
I cannot understand why the module jetty-server is upgraded from 9.4.33.v20201020 to 9.4.48.v20220622, because the other Jetty module versions remain at 9.4.33.v20201020.
And I imported the dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" in another clean project B. And here is the dependency tree:
All Jetty module versions are unified: 9.4.45
Why does the same dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" refer to different versions of the Jetty modules?
As you may know, Gradle implementation acts transitively, which means any dependency brings its own dependencies. Although your jetty-server version is 9.4.33.v20201020, somehow spring-boot-starter-jetty is dependent on jetty-servlets:9.4.48.v20220622, so it's being brought in. However, it's a little weird that your second screenshot shows version 9.4.45, because I myself tested it with an isolated project and the version was 9.4.48. Anyway, you can tell the implementation not to act completely transitively and exclude some dependencies like below:
implementation("org.springframework.boot:spring-boot-starter-jetty:2.1.18.RELEASE") {
    // The opening brace must be on the same line as the call, otherwise the closure is not passed to it
    exclude group: "org.eclipse.jetty"
}
But if there is an org.eclipse.jetty module that spring-boot-starter-jetty is dependent on, you have to put it inside your build.gradle or exclude the malicious module specifically like below:
implementation("org.springframework.boot:spring-boot-starter-jetty:2.1.18.RELEASE") {
    // Excludes only the named module of the group
    exclude group: "org.eclipse.jetty", module: "jetty-servlets"
}
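A parser for the tree notation explained in the first answer (the -> arrow and the (*), (c) and (n) markers), applied to the mixed Jetty versions in this question. It is an added example, not code from any of the posts or from Gradle; the function names are hypothetical and the sample tree is constructed from lines of the question's tree.

```python
import re
from collections import defaultdict

# One dependency line: tree-drawing prefix, group:name[:requested],
# optional "-> selected", optional trailing (*), (c) or (n) marker.
NODE = re.compile(
    r"^[|\s]*[+\\]--- (?P<group>[^:\s]+):(?P<name>[^:\s]+)"
    r"(?::(?P<requested>\S+))?(?: -> (?P<selected>\S+))?"
    r"(?: \((?P<flag>[*cn])\))?\s*$"
)

# Constructed sample, built from lines of the tree in the question above.
SAMPLE = r"""
+--- org.springframework.boot:spring-boot-starter-jetty -> 2.1.18.RELEASE
|    +--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020
|    |    \--- org.eclipse.jetty:jetty-servlet:9.4.33.v20201020
|    |         \--- org.eclipse.jetty:jetty-security:9.4.33.v20201020
|    |              \--- org.eclipse.jetty:jetty-server:9.4.33.v20201020 -> 9.4.48.v20220622
|    |                   +--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
|    |                   +--- org.eclipse.jetty:jetty-http:9.4.48.v20220622 -> 9.4.33.v20201020 (*)
|    |                   \--- org.eclipse.jetty:jetty-io:9.4.48.v20220622 -> 9.4.33.v20201020 (*)
"""

def parse_tree(text):
    """Return one dict per dependency line; lines that are not tree nodes are skipped."""
    nodes = []
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        d = m.groupdict()
        nodes.append({
            "module": f"{d['group']}:{d['name']}",
            "group": d["group"],
            "requested": d["requested"],
            # Without an arrow, the requested version is the one in use.
            "selected": d["selected"] or d["requested"],
            "omitted": d["flag"] == "*",      # subtree listed earlier
            "constraint": d["flag"] == "c",   # dependency constraint
            "unresolved": d["flag"] == "n",   # not resolved
        })
    return nodes

def substitutions(nodes):
    """Map module -> set of (requested, selected) pairs that differ."""
    out = defaultdict(set)
    for n in nodes:
        if n["requested"] and n["requested"] != n["selected"]:
            out[n["module"]].add((n["requested"], n["selected"]))
    return dict(out)

def version_skew(nodes):
    """Groups whose modules resolved to more than one version.

    Heuristic: only meaningful for groups released in lockstep (Jetty here).
    """
    by_group = defaultdict(lambda: defaultdict(set))
    for n in nodes:
        if n["selected"] and not n["unresolved"]:
            by_group[n["group"]][n["selected"]].add(n["module"])
    return {g: {v: sorted(mods) for v, mods in versions.items()}
            for g, versions in by_group.items() if len(versions) > 1}

if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for module, pairs in sorted(substitutions(tree).items()):
        for requested, selected in sorted(pairs):
            print(f"{module}: {requested} -> {selected}")
    for group, versions in version_skew(tree).items():
        print(f"mixed versions in {group}: {versions}")
```

The same functions can be pointed at the saved output of gradlew dependencies for a single configuration to see which modules of a group were left on an older version.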

How to list "compile" configuration's "provided" dependencies? I would like to download all of the dependencies

To list dependencies with gradle:
gradlew dependencies
This will show all of the dependencies in your current project's configurations.
For example:
testCompile - Classpath for compiling the test sources.
+--- org.robolectric:shadows-support-v4:3.1.2
| +--- org.robolectric:robolectric:3.1.2
| | +--- org.robolectric:robolectric-annotations:3.1.2
| | +--- org.robolectric:robolectric-resources:3.1.2
| | | +--- org.robolectric:robolectric-utils:3.1.2
| | | | +--- org.ow2.asm:asm:5.0.1
| | | | +--- org.ow2.asm:asm-commons:5.0.1
| | | | | \--- org.ow2.asm:asm-tree:5.0.1
| | | | | \--- org.ow2.asm:asm:5.0.1
| | | | +--- org.robolectric:robolectric-annotations:3.1.2
| | | | \--- com.google.android.apps.common.testing.accessibility.framework:accessibility-test-framework:2.1
| | | | +--- org.hamcrest:hamcrest-core:1.3
| | | | +--- org.hamcrest:hamcrest-library:1.3
| | | | | \--- org.hamcrest:hamcrest-core:1.3
| | | | \--- com.google.protobuf:protobuf-java:2.6.1
| | | +--- org.robolectric:robolectric-annotations:3.1.2
| | | +--- com.ximpleware:vtd-xml:2.11
| | | \--- com.google.guava:guava:19.0
| | +--- org.robolectric:robolectric-utils:3.1.2 (*)
| | +--- org.ow2.asm:asm:5.0.1
| | +--- org.ow2.asm:asm-util:5.0.1
| | | \--- org.ow2.asm:asm-tree:5.0.1 (*)
| | +--- org.ow2.asm:asm-commons:5.0.1 (*)
| | +--- org.ow2.asm:asm-analysis:5.0.1
| | | \--- org.ow2.asm:asm-tree:5.0.1 (*)
| | +--- org.bouncycastle:bcprov-jdk16:1.46
| | +--- com.ximpleware:vtd-xml:2.11
| | +--- com.thoughtworks.xstream:xstream:1.4.8
| | | +--- xmlpull:xmlpull:1.1.3.1
| | | \--- xpp3:xpp3_min:1.1.4c
| | +--- org.apache.ant:ant:1.8.0
| | | \--- org.apache.ant:ant-launcher:1.8.0
| | +--- org.apache.maven:maven-ant-tasks:2.1.3
| | | +--- org.apache.ant:ant:1.8.0 (*)
| | | +--- classworlds:classworlds:1.1-alpha-2
| | | +--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1
| | | | +--- junit:junit:3.8.1 -> 4.12 (*)
| | | | +--- org.codehaus.plexus:plexus-utils:1.0.4 -> 1.5.15
| | | | \--- classworlds:classworlds:1.1-alpha-2
| | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | +--- org.apache.maven:maven-artifact:2.2.1
| | | | \--- org.codehaus.plexus:plexus-utils:1.5.15
| | | +--- org.apache.maven:maven-artifact-manager:2.2.1
| | | | +--- org.apache.maven:maven-repository-metadata:2.2.1
| | | | | \--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | +--- org.apache.maven:maven-artifact:2.2.1 (*)
| | | | +--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | +--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6
| | | | | \--- org.codehaus.plexus:plexus-utils:1.4.2 -> 1.5.15
| | | | \--- backport-util-concurrent:backport-util-concurrent:3.1
| | | +--- org.apache.maven:maven-model:2.2.1
| | | | \--- org.codehaus.plexus:plexus-utils:1.5.15
| | | +--- org.apache.maven:maven-project:2.2.1
| | | | +--- org.apache.maven:maven-settings:2.2.1
| | | | | +--- org.apache.maven:maven-model:2.2.1 (*)
| | | | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | +--- org.apache.maven:maven-profile:2.2.1
| | | | | +--- org.apache.maven:maven-model:2.2.1 (*)
| | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | +--- org.apache.maven:maven-model:2.2.1 (*)
| | | | +--- org.apache.maven:maven-artifact-manager:2.2.1 (*)
| | | | +--- org.apache.maven:maven-plugin-registry:2.2.1
| | | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | | +--- org.codehaus.plexus:plexus-interpolation:1.11
| | | | +--- org.codehaus.plexus:plexus-utils:1.5.15
| | | | +--- org.apache.maven:maven-artifact:2.2.1 (*)
| | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | +--- org.apache.maven:maven-error-diagnostics:2.2.1
| | | | \--- org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1 (*)
| | | +--- org.apache.maven:maven-settings:2.2.1 (*)
| | | +--- org.apache.maven.wagon:wagon-file:1.0-beta-6
| | | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | | +--- org.apache.maven.wagon:wagon-http-lightweight:1.0-beta-6
| | | | +--- org.apache.maven.wagon:wagon-http-shared:1.0-beta-6
| | | | | +--- nekohtml:xercesMinimal:1.9.6.2
| | | | | +--- nekohtml:nekohtml:1.9.6.2
| | | | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | | \--- org.apache.maven.wagon:wagon-provider-api:1.0-beta-6 (*)
| | \--- org.robolectric:shadows-core-v23:3.1.2
| | +--- org.robolectric:robolectric-annotations:3.1.2
| | +--- org.robolectric:robolectric-resources:3.1.2 (*)
| | +--- org.robolectric:robolectric-utils:3.1.2 (*)
| | +--- com.almworks.sqlite4java:sqlite4java:0.282
| | \--- com.ibm.icu:icu4j:53.1
| \--- org.robolectric:shadows-core-v23:3.1.2 (*)
Notice, the shadows-support-v4 artifact brings in robolectric artifact which brings in the dependency: org.robolectric:shadows-core-v23:3.1.2.
If we go to the build.gradle file, we notice there are provided dependencies that are not brought in: https://github.com/robolectric/robolectric/blob/f68ba6bcb51fb25a28805a3c5f7ffcee2d9560d5/robolectric-shadows/shadows-core/build.gradle#L16.
Actual pom file: http://repo1.maven.org/maven2/org/robolectric/robolectric/3.1.2/robolectric-3.1.2.pom. Provided dependencies are not added to the POM but the runtime dependencies are.
How can I go deeper and list all of the dependencies of the dependencies including any provided dependencies?
I answered this here: https://github.com/robolectric/robolectric/issues/2646
For those that are still having this problem, download all the dependencies and transitive dependencies up front for your CI:
subprojects { project ->
    task downloadDependencies(type: Copy) {
        description "Downloads all dependencies."
        group "build"
        from {
            // Use of closure defers evaluation until execution time
            project.configurations
                .findAll { configuration -> configuration.canBeResolved }
                .collect { configuration -> configuration.resolvedConfiguration.lenientConfiguration.files }
        }
        into "$project.buildDir/dependencies"
    }
}
Example:
Step 1: gradlew downloadDependencies
Step 2: gradlew assembleDebug testDebug

Where can I find the document for `(*)` and `1.7.6 -> 1.7.7` in the output of `gradle dependencies`

For a gradle project with simple build.gradle file:
apply plugin: 'java'
repositories.jcenter()
dependencies {
    compile "org.springframework.boot:spring-boot-starter-web:1.1.5.RELEASE"
    compile 'org.slf4j:slf4j-api:1.7.1'
}
When I run gradle dependencies, it will show:
:dependencies
------------------------------------------------------------
Root project
------------------------------------------------------------
archives - Configuration for archive artifacts.
No dependencies
compile - Compile classpath for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web:1.1.5.RELEASE
| +--- org.springframework.boot:spring-boot-starter:1.1.5.RELEASE
| | +--- org.springframework.boot:spring-boot:1.1.5.RELEASE
| | | +--- org.springframework:spring-core:4.0.6.RELEASE
| | | | \--- commons-logging:commons-logging:1.1.3
| | | \--- org.springframework:spring-context:4.0.6.RELEASE
| | | +--- org.springframework:spring-aop:4.0.6.RELEASE
| | | | +--- aopalliance:aopalliance:1.0
| | | | +--- org.springframework:spring-beans:4.0.6.RELEASE
| | | | | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | | | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | | +--- org.springframework:spring-beans:4.0.6.RELEASE (*)
| | | +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | | \--- org.springframework:spring-expression:4.0.6.RELEASE
| | | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | +--- org.springframework.boot:spring-boot-autoconfigure:1.1.5.RELEASE
| | | \--- org.springframework.boot:spring-boot:1.1.5.RELEASE (*)
| | +--- org.springframework.boot:spring-boot-starter-logging:1.1.5.RELEASE
| | | +--- org.slf4j:jcl-over-slf4j:1.7.7
| | | | \--- org.slf4j:slf4j-api:1.7.7
| | | +--- org.slf4j:jul-to-slf4j:1.7.7
| | | | \--- org.slf4j:slf4j-api:1.7.7
| | | +--- org.slf4j:log4j-over-slf4j:1.7.7
| | | | \--- org.slf4j:slf4j-api:1.7.7
| | | \--- ch.qos.logback:logback-classic:1.1.2
| | | +--- ch.qos.logback:logback-core:1.1.2
| | | \--- org.slf4j:slf4j-api:1.7.6 -> 1.7.7
| | +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | \--- org.yaml:snakeyaml:1.13
| +--- org.springframework.boot:spring-boot-starter-tomcat:1.1.5.RELEASE
| | +--- org.apache.tomcat.embed:tomcat-embed-core:7.0.54
| | +--- org.apache.tomcat.embed:tomcat-embed-el:7.0.54
| | \--- org.apache.tomcat.embed:tomcat-embed-logging-juli:7.0.54
| +--- com.fasterxml.jackson.core:jackson-databind:2.3.3
| | +--- com.fasterxml.jackson.core:jackson-annotations:2.3.0
| | \--- com.fasterxml.jackson.core:jackson-core:2.3.3
| +--- org.hibernate:hibernate-validator:5.0.3.Final
| | +--- javax.validation:validation-api:1.1.0.Final
| | +--- org.jboss.logging:jboss-logging:3.1.1.GA
| | \--- com.fasterxml:classmate:1.0.0
| +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| +--- org.springframework:spring-web:4.0.6.RELEASE
| | +--- org.springframework:spring-aop:4.0.6.RELEASE (*)
| | +--- org.springframework:spring-beans:4.0.6.RELEASE (*)
| | +--- org.springframework:spring-context:4.0.6.RELEASE (*)
| | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| \--- org.springframework:spring-webmvc:4.0.6.RELEASE
| +--- org.springframework:spring-beans:4.0.6.RELEASE (*)
| +--- org.springframework:spring-context:4.0.6.RELEASE (*)
| +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| +--- org.springframework:spring-expression:4.0.6.RELEASE (*)
| \--- org.springframework:spring-web:4.0.6.RELEASE (*)
\--- org.slf4j:slf4j-api:1.7.1 -> 1.7.7
There are two things I'm not very sure about, although I've read some articles:
(*) means this dependency is already present and downloaded in previous steps
1.7.1 -> 1.7.7 means this dependency is declared as 1.7.1, but Gradle decides to use 1.7.7 after conflict resolution
I'm not sure if my understanding is correct. How can I find some official documentation that explains them? I searched the Gradle website, but have not found it yet.
While not official documentation, I found the following in the Gradle dependency-resolution-reporting.md design-doc:
avoid regression of current features:
subtree is omitted (*)
Note, however, that this design-doc was changed on April 2 (see change here) as part of the work on the release of v2.5 and this comment was removed from this document.
