Dependency shows up in gradle cache but nowhere in dependency tree

I’m relatively new to Gradle but I’ve asked around on stack overflow and to people more familiar and have been unable to find an answer to this question. I have been tasked with upgrading dependencies which show up in a Whitesource scan. A few of these dependencies I am unable to find the source of (i.e. they are not direct dependencies and do not show up anywhere when I print the dependency tree). If I clear out the gradle cache and rebuild however they will be redownloaded and appear in the cache. Is there a way to track down which dependency/source is bringing these dependencies in and force it to use an upgraded version? In my case the dependency I am having the most difficulty tracking down is xstream version 1.4.10. I’ve tried adding a direct dependency to 1.4.11 and tried excluding 1.4.10 but it still shows up. Here is a scan of my package if it is any help

Hi @thurmc,

Welcome! :slight_smile:

The dependencies you are not seeing in the tree might be dependencies of the plugins you have applied. These are required by Gradle itself to run the build with plugins. So they are downloaded early before the actual build starts, because they are needed to run the build.

If you produce a build scan with Gradle 6, there should be an additional category in the build scan called “Build Dependencies” which would show you these dependencies.

With earlier Gradle versions, you can try running the buildEnvironment task from the command line.

hi @jendrik
How can we clear such dependency from cache which are overridden by one in our dependency tree. ? For example plugin added gson dependency 2.8.6 into cache and our app added gson 2.9.0 now latest version will be used but 2.8.6 will still remain in cache how to clear it ?

AFAIC there is no functionality in Gradle to clear things from the dependencies cache. The cache is shared by all Gradle build running on one machine (see also my video on the topic Understanding Gradle #23 – Caching - YouTube).

Usually there is no need to remove selected things from the cache. But if you want to do that you would need to manually delete entries from $GRADLE_HOME/caches/modules-<version>. See this doc for an overview of the cache structure: Understanding dependency resolution

Or just wait.
If a cache entry is not used by any build for 30 days, it is cleaned by a periodic cleanup task that is done at most every 24 hours when you actually run a build.