I’m attempting to upgrade an app I manage to satisfy a Checkmarx vulnerability scan. The scan is showing I am using an out-of-date version of org.apache.ivy and the issue is via Maven. To fix this I’ve added:
    all {
        resolutionStrategy {
            force 'org.apache.ivy:ivy:2.5.2'
        }
    }
If I run gradlew dependencies I only see the 2.5.2 version show in the tree as I expect. When I submit the build to Jenkins and have the Checkmarx scan run, it still shows that the older version of Ivy is present in the gradle cache path. What can I do to force only the newest version there?
Try it this way in the dependencies block:
    dependencies {
        //...
        implementation('org.apache.ivy:ivy') {
            version {
                strictly '[2.5.2]'
            }
        }
        //...
    }
For more details about that implementation, see https://docs.gradle.org/current/userguide/rich_versions.html#rich-version-constraints

This should solve your issue.
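
Since the scan reports what is in the Gradle cache path rather than what `gradlew dependencies` resolves, it helps to list which versions of the module are actually on disk on the build agent. The script below is an added example, not code from this thread; it assumes Gradle's usual module-cache layout, and the `2.5.0` directory and hash in the sample cache are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Gradle's usual cache layout:
#   <gradle home>/caches/modules-2/files-2.1/<group>/<name>/<version>/<hash>/<file>

# cached_versions GRADLE_HOME GROUP NAME -> versions on disk, one per line
cached_versions() {
    dir="$1/caches/modules-2/files-2.1/$2/$3"
    [ -d "$dir" ] || return 0
    for v in "$dir"/*/; do
        [ -d "$v" ] || continue
        basename "$v"
    done | sort
}

# stale_versions GRADLE_HOME GROUP NAME EXPECTED -> versions other than EXPECTED
stale_versions() {
    cached_versions "$1" "$2" "$3" | grep -Fxv -- "$4" || true
}

# check_cache GRADLE_HOME GROUP NAME EXPECTED -> 0 if only EXPECTED is cached
check_cache() {
    stale=$(stale_versions "$1" "$2" "$3" "$4")
    if [ -z "$stale" ]; then
        return 0
    fi
    echo "versions of $2:$3 other than $4 under $1:" >&2
    echo "$stale" | sed 's/^/  /' >&2
    return 1
}

# make_sample_cache DIR -> constructed cache holding ivy 2.5.0 and 2.5.2
make_sample_cache() {
    base="$1/caches/modules-2/files-2.1/org.apache.ivy/ivy"
    hash=0000000000000000000000000000000000000000   # constructed placeholder
    for v in 2.5.0 2.5.2; do
        mkdir -p "$base/$v/$hash"
        : > "$base/$v/$hash/ivy-$v.jar"
    done
}

# Usage on a build agent (path is the default Gradle user home):
#   check_cache "${GRADLE_USER_HOME:-$HOME/.gradle}" org.apache.ivy ivy 2.5.2
```

A non-zero exit from `check_cache` means jars of other versions are still in the cache directory, whatever the resolved dependency tree shows.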