Gradle 7.3.2 added a constraint and it shows as a dependency update #576
Comments
The gradle-versions-plugin/src/main/groovy/com/github/benmanes/gradle/versions/updates/Resolver.groovy Lines 292 to 301 in a51972b
From what I can tell Gradle adds the constraint to the
So I believe it should be possible to modify gradle-versions-plugin/src/main/groovy/com/github/benmanes/gradle/versions/updates/Resolver.groovy Line 418 in a51972b
@ben-manes Does that sound about right?
If that's the right approach, then I think when providing the configuration we could instruct whether it's from the buildscript. Lines 50 to 55 in a51972b
Ah
@ErwanLeroux you're welcome to submit a PR (+ unit test) if you'd like to make this change. If you prefer, you could sniff for log4j only to ignore it if a buildscript configuration.
@ben-manes I'm working on it, starting with the unit test :)
Wonderful! Thank you 🙂 FYI, you can increment the plugin's version and then use
…nable the checking of external constraints (ben-manes#576)
…nable the checking of external constraints (#576)
solved in #577
Hello, I noticed something when upgrading from Gradle 7.3 to 7.3.2: log4j-core is shown as an update even if the dependency is not in the project.
It took me a while to understand that it was because Gradle added a constraint in 7.3.2, to help mitigate https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
Mitigations for log4j vulnerability in Gradle builds (logj4:2.16.0) gradle/gradle#19300
Should the plugin tell us about this constraint if we can't do anything about it? And if not, how can we configure the plugin to ignore that particular constraint, like we can do with
Could the report be more explicit that the update comes from a constraint instead of a dependency?
I made a project to reproduce the context: https://github.com/ErwanLeroux/dU-mcve but it can be summarized as
I look forward to hearing from you, I really like this plugin :)