Dependency shows up in gradle cache but nowhere in dependency tree

I’m relatively new to Gradle but I’ve asked around on stack overflow and to people more familiar and have been unable to find an answer to this question. I have been tasked with upgrading dependencies which show up in a Whitesource scan. A few of these dependencies I am unable to find the source of (i.e. they are not direct dependencies and do not show up anywhere when I print the dependency tree). If I clear out the gradle cache and rebuild however they will be redownloaded and appear in the cache. Is there a way to track down which dependency/source is bringing these dependencies in and force it to use an upgraded version? In my case the dependency I am having the most difficulty tracking down is xstream version 1.4.10. I’ve tried adding a direct dependency to 1.4.11 and tried excluding 1.4.10 but it still shows up. Here is a scan of my package if it is any help https://scans.gradle.com/s/x4vfkmphui7mi

Hi @thurmc,

Welcome! :slight_smile:

The dependencies you are not seeing in the tree might be dependencies of the plugins you have applied. These are required by Gradle itself to run the build with plugins. So they are downloaded early before the actual build starts, because they are needed to run the build.

If you produce a build scan with Gradle 6, there should be an additional category in the build scan called “Build Dependencies” which would show you these dependencies.

With earlier Gradle versions, you can try running the buildEnvironment task from the command line.