Gradle includes transitive dependencies that are excluded in maven when both use the same dependency

I have noticed a difference in the dependency tree that Maven and Gradle produce for the same dependency. It seems that Gradle doesn’t honor the exclusions declared in the dependencyManagement section of a parent POM (I haven’t been able to narrow it down any further than this).

Env info:

Gradle 1.2
Gradle build time: Wednesday, September 12, 2012 10:46:02 AM UTC
Groovy: 1.8.6
Ant: Apache Ant™ version 1.8.4 compiled on May 22 2012
Ivy: 2.2.0
JVM: 1.6.0_17 (Sun Microsystems Inc. 14.3-b01)
OS: Windows XP 5.1 x86

Maven pom:

<!-- Minimal reproduction POM: packaging "pom" with exactly one direct dependency, so
     every other artifact that `mvn dependency:tree` reports for it is transitive.
     This file declares no parent, no dependencyManagement and no exclusions of its own. -->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.test.maven.dependency</groupId>
    <artifactId>dependency-missing</artifactId>
 <version>1.0</version>
    <packaging>pom</packaging>
    <name>Test missing transitive dependencies</name>
 <dependencies>
        <!-- The only declared dependency, at a fixed version; the Gradle script in the
             report requests the same coordinates. -->
        <dependency>
            <groupId>org.jboss.ws.native</groupId>
            <artifactId>jbossws-native-core</artifactId>
            <version>3.3.0.Beta4</version>
        </dependency>
  </dependencies>
</project>

build.gradle:

// Reporter's build script: resolves the same coordinates as the Maven POM into a
// custom configuration so the two dependency trees can be compared.
group = 'org.test.gradle.dependency'
description = 'Gradle test missing dependency'
  // Single repository: a Maven-layout directory on the local disk (presumably the
  // reporter's local Maven repository), so resolution uses whatever POMs and JARs
  // that directory already holds.
  repositories {
    mavenRepo urls: ["file://C:/dev/.m2/"]
}
   // Declares a configuration named 'missing' with no further settings
   // (no exclude rules are attached to it).
   configurations {
 missing
}
  // No exclude rules are written here either, so any exclusion would have to come
  // from the published POM metadata of the dependency and its parents.
  dependencies {
  missing "org.jboss.ws.native:jbossws-native-core:3.3.0.Beta4"
}

mvn dependency:tree gives: [INFO] — maven-dependency-plugin:2.1:tree (default-cli) @ dependency-missing — [INFO] org.test.maven.dependency:dependency-missing:pom:1.0 [INFO] - org.jboss.ws.native:jbossws-native-core:jar:3.3.0.Beta4:compile [INFO]

± org.jboss.ws:jbossws-common:jar:1.3.0.Beta3:compile [INFO]

| ± jboss.jaxbintros:jboss-jaxb-intros:jar:1.0.2.GA:compile [INFO]

| | - commons-beanutils:commons-beanutils:jar:1.8.0:compile [INFO]

| - junit:junit:jar:3.8.2:compile [INFO]

± org.jboss.ws:jbossws-framework:jar:3.3.0.Beta3:compile [INFO]

± org.jboss.ws:jbossws-spi:jar:1.3.0.Beta3:compile [INFO]

| ± org.apache.ant:ant:jar:1.7.1:compile [INFO]

| | - org.apache.ant:ant-launcher:jar:1.7.1:compile [INFO]

| ± dom4j:dom4j:jar:1.6.1:compile [INFO]

| | - xml-apis:xml-apis:jar:1.0.b2:compile [INFO]

| - gnu-getopt:getopt:jar:1.0.13:compile [INFO]

± javax.xml:jaxrpc-api:jar:1.1:compile [INFO]

± javax.xml.soap:saaj-api:jar:1.3:compile [INFO]

± org.jboss.ws.native:jbossws-native-factories:jar:3.3.0.Beta4:compile [INFO]

± javax.xml.ws:jaxws-api:jar:2.2:compile [INFO]

± javax.jws:jsr181-api:jar:1.0-MR1:compile [INFO]

± commons-logging:commons-logging:jar:1.1.1:compile [INFO]

± com.sun.xml.bind:jaxb-impl:jar:2.2:compile [INFO]

± com.sun.xml.bind:jaxb-xjc:jar:2.2:compile [INFO]

± com.sun.xml.fastinfoset:FastInfoset:jar:1.2.2:compile [INFO]

± com.sun.xml.ws:jaxws-rt:jar:2.2:compile [INFO]

| ± com.sun.xml.stream.buffer:streambuffer:jar:1.0:compile [INFO]

| ± org.codehaus.woodstox:wstx-asl:jar:3.2.3:compile [INFO]

| ± org.jvnet.staxex:stax-ex:jar:1.2:compile [INFO]

| ± com.sun.org.apache.xml.internal:resolver:jar:20050927:compile [INFO]

| - com.sun.xml.ws:policy:jar:2.2.1:compile [INFO]

|

± com.sun.xml.txw2:txw2:jar:20090102:compile [INFO]

|

- com.sun.istack:istack-commons-runtime:jar:2.2:compile [INFO]

± com.sun.xml.ws:jaxws-tools:jar:2.2:compile [INFO]

± org.codehaus.jettison:jettison:jar:1.0-RC2:compile [INFO]

| - stax:stax-api:jar:1.0.1:compile [INFO]

± javax.xml.bind:jaxb-api:jar:2.2:compile [INFO]

| ± javax.xml.stream:stax-api:jar:1.0-2:compile [INFO]

| - javax.activation:activation:jar:1.1:compile [INFO]

± javax.mail:mail:jar:1.4:compile [INFO]

± org.jboss.netty:netty:jar:3.1.5.GA:compile [INFO]

± org.apache.ws.policy:wscommons-policy:jar:1.0:compile [INFO]

± org.codehaus.woodstox:wstx-lgpl:jar:3.2.6:compile [INFO]

± wsdl4j:wsdl4j:jar:1.6.1:compile [INFO]

± org.apache:xmlsec:jar:1.4.3:compile [INFO]

- javassist:javassist:jar:3.6.0.GA:compile

gradle dependencies: missing — org.jboss.ws.native:jbossws-native-core:3.3.0.Beta4

±-- org.jboss.ws:jbossws-common:1.3.0.Beta3

|

±-- org.jboss.ws:jbossws-spi:1.3.0.Beta3

|

|

±-- org.apache.ant:ant:1.7.1

|

|

|

— org.apache.ant:ant-launcher:1.7.1

|

|

±-- dom4j:dom4j:1.6.1

|

|

|

— xml-apis:xml-apis:1.0.b2

|

|

— gnu-getopt:getopt:1.0.13

|

±-- jboss.jaxbintros:jboss-jaxb-intros:1.0.2.GA

|

|

±-- commons-beanutils:commons-beanutils:1.8.0

|

|

|

— commons-logging:commons-logging:1.1.1

|

|

— commons-logging:commons-logging:1.1.1 (*)

|

— junit:junit:3.8.2

±-- org.jboss.ws:jbossws-framework:3.3.0.Beta3

|

±-- org.jboss.ws:jbossws-common:1.3.0.Beta3 (*)

|

org.jboss.ws:jbossws-spi:1.3.0.Beta3 (*)

±-- org.jboss.ws:jbossws-spi:1.3.0.Beta3 (*)

±-- javax.xml:jaxrpc-api:1.1

±-- javax.xml.soap:saaj-api:1.3 -> 1.3.1

|

— javax.activation:activation:1.1

±-- org.jboss.ws.native:jbossws-native-factories:3.3.0.Beta4

±-- javax.xml.ws:jaxws-api:2.2

|

±-- javax.xml.bind:jaxb-api:2.2

|

|

±-- javax.xml.stream:stax-api:1.0-2

|

|

— javax.activation:activation:1.1 (*)

|

±-- javax.xml.soap:saaj-api:1.3 -> 1.3.1 (*)

|

±-- javax.annotation:jsr250-api:1.0

|

— javax.jws:jsr181-api:1.0-MR1

±-- javax.jws:jsr181-api:1.0-MR1 (*)

±-- commons-logging:commons-logging:1.1.1 (*)

±-- com.sun.xml.bind:jaxb-impl:2.2

|

— javax.xml.bind:jaxb-api:2.2 (*)

±-- com.sun.xml.bind:jaxb-xjc:2.2

|

— com.sun.xml.bind:jaxb-impl:2.2 (*)

±-- com.sun.xml.fastinfoset:FastInfoset:1.2.2

±-- com.sun.xml.ws:jaxws-rt:2.2

|

±-- javax.xml.ws:jaxws-api:2.2 (*)

|

±-- com.sun.xml.bind:jaxb-impl:2.2 (*)

|

±-- com.sun.xml.messaging.saaj:saaj-impl:1.3.4

|

|

±-- javax.xml.soap:saaj-api:1.3.1 (*)

|

|

— org.jvnet:mimepull:1.4

|

±-- com.sun.xml.stream.buffer:streambuffer:1.0

|

|

±-- org.jvnet.staxex:stax-ex:RELEASE -> 1.2

|

|

|

±-- javax.xml.stream:stax-api:1.0 -> 1.0-2 (*)

|

|

|

±-- javax.activation:activation:1.1 (*)

|

|

|

— junit:junit:3.8 -> 3.8.2 (*)

|

|

— javax.activation:activation:1.1 (*)

|

±-- org.codehaus.woodstox:wstx-asl:3.2.3

|

|

— stax:stax-api:1.0.1

|

±-- org.jvnet.staxex:stax-ex:1.2 (*)

|

±-- com.sun.org.apache.xml.internal:resolver:20050927

|

±-- org.jvnet:mimepull:1.4 (*)

|

±-- com.sun.xml.ws:policy:2.2.1

|

|

±-- stax:stax-api:1.0.1 (*)

|

|

±-- com.sun.xml.txw2:txw2:20090102

|

|

±-- com.sun.istack:istack-commons-runtime:2.2

|

|

|

±-- stax:stax-api:1.0.1 (*)

|

|

|

— javax.activation:activation:1.1 (*)

|

|

— org.codehaus.woodstox:wstx-asl:3.2.3 (*)

|

— org.glassfish.gmbal:gmbal-api-only:3.0.0-b023

|

— org.glassfish.external:management-api:3.0.0-b012

±-- com.sun.xml.ws:jaxws-tools:2.2

|

±-- com.sun.xml.ws:jaxws-rt:2.2 (*)

|

— com.sun.xml.bind:jaxb-xjc:2.2 (*)

±-- org.codehaus.jettison:jettison:1.0-RC2

|

— stax:stax-api:1.0.1 (*)

±-- javax.xml.bind:jaxb-api:2.2 (*)

±-- javax.mail:mail:1.4

|

— javax.activation:activation:1.1 (*)

±-- org.jboss.netty:netty:3.1.5.GA

±-- org.apache.ws.policy:wscommons-policy:1.0

±-- org.codehaus.woodstox:wstx-lgpl:3.2.6

|

— stax:stax-api:1.0.1 (*)

±-- wsdl4j:wsdl4j:1.6.1

±-- org.apache:xmlsec:1.4.3

— javassist:javassist:3.6.0.GA

The one I’m looking at specifically is com.sun.xml.ws:jaxws-rt:jar:2.2:compile. Under Maven its subtree doesn’t include org.glassfish.gmbal:gmbal-api-only:3.0.0-b023 (and some others), but under Gradle it does. The parent POM of org.jboss.ws.native:jbossws-native-core:3.3.0.Beta4 (jbossws-native) explicitly excludes this dependency in its dependencyManagement section:

<!-- Entry quoted (per the report) from the dependencyManagement section of the
     jbossws-native parent POM. It sets the managed version of jaxws-rt and lists
     eight exclusions.
     Review note: if a resolver does not apply these exclusions, the listed artifacts
     land on the classpath anyway. When checking which libraries a build ships, audit
     the tree the build tool actually resolved, not the exclusions written in the POM. -->
<dependency>
        <groupId>com.sun.xml.ws</groupId>
        <artifactId>jaxws-rt</artifactId>
        <!-- Version is taken from a property that is not shown in this excerpt. -->
        <version>${sun.jaxws.version}</version>
        <exclusions>
          <exclusion>
            <groupId>javax.xml.ws</groupId>
            <artifactId>jaxws-api</artifactId>
          </exclusion>
          <exclusion>
            <groupId>com.sun.xml.messaging.saaj</groupId>
            <artifactId>saaj-impl</artifactId>
          </exclusion>
          <exclusion>
            <groupId>com.sun.xml.stream</groupId>
            <artifactId>sjsxp</artifactId>
          </exclusion>
          <exclusion>
            <groupId>javax.xml.stream</groupId>
            <artifactId>stax-api</artifactId>
          </exclusion>
          <exclusion>
            <groupId>com.sun.xml.bind</groupId>
            <artifactId>jaxb-impl</artifactId>
          </exclusion>
          <exclusion>
            <groupId>javax.xml.bind</groupId>
            <artifactId>jaxb-api</artifactId>
          </exclusion>
          <exclusion>
            <groupId>org.jvnet</groupId>
            <artifactId>mimepull</artifactId>
          </exclusion>
          <!-- The exclusion the report focuses on: gmbal-api-only shows up in the
               Gradle tree but not in the Maven tree. -->
          <exclusion>
            <groupId>org.glassfish.gmbal</groupId>
            <artifactId>gmbal-api-only</artifactId>
          </exclusion>
        </exclusions>
      </dependency>

I would expect gradle to use the same dependency tree maven is reporting.

Can you provide a reproducible example, i.e. one whose dependencies can be resolved from a public Maven repository?

I think this script should do it:

// Reproduction script that resolves the dependency from public repositories.
// Repositories are listed in this order: Maven Central, two JBoss Nexus
// repositories, then the jemos Nexus.
repositories {
    mavenCentral()
          maven {
        name 'jboss'
        url 'https://repository.jboss.org/nexus/content/groups/public'
    }
          maven {
        name 'jboss-deprecated'
        url 'https://repository.jboss.org/nexus/content/repositories/deprecated'
    }
          // NOTE(review): unlike the two JBoss URLs, this repository is addressed over
          // plain http. POMs and JARs fetched without TLS can be altered in transit,
          // so prefer an https URL if the host offers one and treat anything resolved
          // from here as unverified.
          maven {
        name 'jemos'
        url 'http://www.jemos.eu/nexus/content/repositories/public'
    }
}
  // Custom configuration with no settings of its own (no exclude rules attached).
  configurations {
    jboss
}
  // Same coordinates as in the original report; no exclude rules are declared, so
  // the resolved tree depends only on the published POM metadata.
  dependencies {
    jboss 'org.jboss.ws.native:jbossws-native-core:3.3.0.Beta4'
}