How to set Gradle transitive dependency version?

Tags:

gradle

In our project we are using the following Groovy dependency:

compile("org.codehaus.groovy:groovy-all:2.5.8")

The issue is that this dependency has multiple transitive dependencies, one of them is:

org.apache.ant:ant 1.9.13

which has some vulnerabilities and needs to be upgraded to version 1.10.8, in which they got fixed. When I upgrade the parent groovy-all:2.5.8 to the latest version, I can still see it pulling in the problematic org.apache.ant:ant 1.9.13 dependency:

+--- org.codehaus.groovy:groovy-all:3.0.6
|    +--- org.codehaus.groovy:groovy:3.0.6 -> 2.5.10
|    +--- org.codehaus.groovy:groovy-ant:3.0.6 -> 2.5.10
|    |    +--- org.codehaus.groovy:groovy:2.5.10
|    |    +--- org.apache.ant:ant:1.9.13

Is there any way of forcing Gradle to bring in the version I need?

nimrod asked Mar 04 '26 10:03


1 Answer

Enforce Version

You can override transitive dependency versions in Gradle (see the Gradle docs) using the constraints keyword:

constraints {
    implementation('org.apache.ant:ant') {
        version {
            require '1.10.12'
            reject '1.9.13'
        }

        because('Versions < 1.10.11 got several vulnerabilities: CVE-2021-36374, CVE-2021-36373, CVE-2020-11979')
    }
}

Verify

The easiest way to verify that the dependency enforcement is working will be as follows:

./gradlew -q dependencyInsight --dependency ant

You'll then see something like this, indicating that the version upgrade was applied:

org.apache.ant:ant:1.9.13 -> 1.10.12
Robin answered Mar 06 '26 02:03
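For context, here is a complete build.gradle that puts the constraint from the answer into a full project file and adds a guard task that fails the build if org.apache.ant:ant still resolves to the vulnerable 1.9.13 (or anything below 1.10.11). This is an added example, not code from the question or the answer; the java plugin, mavenCentral repository, the runtimeClasspath configuration and the checkAntVersion task name are assumptions for a typical Java project.

```groovy
// Added example build.gradle (not from the original post). Assumes a plain
// Java project; adjust the plugin and repository to match your own build.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // The dependency from the question; groovy-ant pulls in org.apache.ant:ant transitively.
    implementation 'org.codehaus.groovy:groovy-all:2.5.8'

    constraints {
        // Constraint from the answer: raise the transitive ant version and reject the bad one.
        implementation('org.apache.ant:ant') {
            version {
                require '1.10.12'
                reject '1.9.13'
            }
            because 'Versions < 1.10.11 got several vulnerabilities: CVE-2021-36374, CVE-2021-36373, CVE-2020-11979'
        }
    }
}

// Minimal numeric version comparison ("1.9.13" < "1.10.11" must be true,
// which plain string comparison gets wrong).
def isOlderThan = { String actual, String minimum ->
    def a = actual.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def b = minimum.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def n = Math.max(a.size(), b.size())
    for (int i = 0; i < n; i++) {
        int x = i < a.size() ? a[i] : 0
        int y = i < b.size() ? b[i] : 0
        if (x != y) {
            return x < y
        }
    }
    return false
}

// Guard task (assumed name): fails the build if the resolved runtime classpath
// still contains org.apache.ant:ant below the fixed version.
tasks.register('checkAntVersion') {
    description = 'Fails if org.apache.ant:ant resolves below 1.10.11'
    doLast {
        def minimum = '1.10.11'
        def resolvedAnt = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.apache.ant' && it.name == 'ant' }

        resolvedAnt.each { id ->
            if (isOlderThan(id.version, minimum)) {
                throw new GradleException(
                    "org.apache.ant:ant resolved to ${id.version}, below the required ${minimum}")
            }
            logger.lifecycle("org.apache.ant:ant resolved to ${id.version} (ok)")
        }
    }
}

// Run the guard as part of the normal verification lifecycle.
tasks.named('check') {
    dependsOn 'checkAntVersion'
}
```

Running `./gradlew checkAntVersion` (or `./gradlew check`) complements the `dependencyInsight` check from the answer: `dependencyInsight` tells you what was resolved and why, while the guard task turns a regression (for example a future dependency bump that reintroduces the old ant version through another path) into a hard build failure instead of something you have to notice by reading the tree.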


