Tags: gradle, amazon-s3, dependencies, netty, owasp

How to force specific version of a transitive dependency (netty-codec-http) in gradle?


I am trying to use version 4.1.100.Final for the netty-codec-http library as the OWASP dependency checker marks the netty* dependencies as HIGH. It is pulled in by the amazon s3 dependency. Here is my build.gradle file. I am using Gradle 8.3 and JDK 11.

plugins {
    id 'java'
    id 'org.springframework.boot' version '2.7.16'
    id 'io.spring.dependency-management' version '1.0.15.RELEASE'
    id "org.owasp.dependencycheck" version "8.2.1"
}

group = 'com.test'
version = '0.0.1-SNAPSHOT'

java {
    sourceCompatibility = '11'
}

repositories {
    mavenCentral()
}

configurations.all {
    resolutionStrategy {
        force 'io.netty:netty-codec-http:4.1.100.Final'
    }
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    implementation platform("software.amazon.awssdk:bom:2.21.0")
    implementation "software.amazon.awssdk:sdk-core"
    implementation "software.amazon.awssdk:s3"
    implementation "software.amazon.awssdk:route53"
    implementation "software.amazon.awssdk:route53resolver"
}

tasks.named('test') {
    useJUnitPlatform()
}

I have followed this link to set up AWS on Gradle.

The dependency checker still shows the 4.1.97.Final version and marks it as HIGH. I am using the following command to generate the OWASP report:

./gradlew dependencyCheckAnalyze

Solution

  • As a start you should stop using the Spring dependency management plugin. It is an obsolete relic from times when Gradle did not have built-in BOM support, and even its maintainer recommends not using it anymore. By now it does more harm than good and does not really have any added value. You should instead just use the built-in BOM support using platform(...).

    This will most probably already resolve your issue, as that plugin does a similar forcing to what you are trying to do and obviously overrides your attempt to force the version.

    But actually, you should also not do this big-hammer forcing of a version; instead, set a strict version constraint like:

    dependencies {
        constraints {
            implementation("io.netty:netty-codec-http:4.1.100.Final!!")
        }
    }
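
Putting the answer's two steps together, here is a complete build.gradle as an added example (not the answerer's code, and not the asker's original file): the Spring dependency-management plugin is dropped, the Spring Boot BOM is imported explicitly through platform(...) so the starters still resolve their versions, and the netty-codec-http version is pinned with a strict constraint instead of resolutionStrategy.force. The 2.7.16 and 2.21.0 BOM versions are simply those from the question.

```groovy
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.7.16'
    // io.spring.dependency-management is intentionally absent:
    // Gradle's own platform() support imports BOMs now.
    id 'org.owasp.dependencycheck' version '8.2.1'
}

group = 'com.test'
version = '0.0.1-SNAPSHOT'

java {
    sourceCompatibility = '11'
}

repositories {
    mavenCentral()
}

dependencies {
    // BOMs imported as platforms. Without the Spring plugin the Boot BOM
    // must be declared explicitly, otherwise the starters have no version.
    implementation platform('org.springframework.boot:spring-boot-dependencies:2.7.16')
    implementation platform('software.amazon.awssdk:bom:2.21.0')

    implementation 'org.springframework.boot:spring-boot-starter'
    implementation 'software.amazon.awssdk:sdk-core'
    implementation 'software.amazon.awssdk:s3'
    implementation 'software.amazon.awssdk:route53'
    implementation 'software.amazon.awssdk:route53resolver'

    testImplementation 'org.springframework.boot:spring-boot-starter-test'

    constraints {
        // Strict version ('!!'): resolution fails loudly if any transitive
        // edge insists on an incompatible version, instead of being silently
        // overridden the way a plain force can be.
        implementation('io.netty:netty-codec-http:4.1.100.Final!!') {
            because 'OWASP dependency-check flags the 4.1.97.Final pulled in by the AWS SDK as HIGH'
        }
    }
}

tasks.named('test') {
    useJUnitPlatform()
}
```

Before re-running ./gradlew dependencyCheckAnalyze, confirm what actually lands on the classpath with ./gradlew dependencyInsight --dependency netty-codec-http --configuration runtimeClasspath; the output shows which constraint selected 4.1.100.Final and, if the strict version clashes with another requirement, the failure tells you exactly which dependency demanded the other version. Note that this constraint only moves netty-codec-http; the other io.netty modules still come from the AWS SDK BOM, so if the checker also flags them (or you want every netty artifact at one version), importing io.netty:netty-bom:4.1.100.Final as a further platform is the equivalent single-place fix.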