Is it possible to control the resolution of dependencies of plugins like you can for regular compile/test/etc dependencies to control transitive dependencies of a plugin?
Working in a corporate environment we already retrieve compile/test dependencies through a local proxy/mirror rather than connecting to Maven Central directly. All vulnerable log4j-core versions of Log4j have been removed from this mirror. I can successfully force the resolution of any transitive log4j-core dependencies of a compile/test dependency to a safe version using:
configurations.all {
resolutionStrategy.eachDependency { DependencyResolveDetails details →
if (details.requested.group == ‘org.apache.logging.log4j’) {
details.useVersion ‘2.16.0’
}
}
}
We should probably really proxy/mirror the the Gradle plugin repository too, and exclude vulnerable log4j-core implementations from that too. However if we go down that route is there any way force a log4j-core transitive dependency of a plugin to a safe version?
pluginManagement {
resolutionStrategy { }
}
only appears to apply to the resolution of the plugins themselves, not their dependencies, and the previous
configurations.all {
resolutionStrategy.eachDependency { }
}
rules aren’t applied either
Thanks,
Paul