How to force specific version of a transitive dependency (netty-codec-http) in gradle?

I am trying to use version 4.1.100.Final for the netty-codec-http library as the OWASP dependency checker marks the netty* dependancies as HIGH. It is pulled out by amazon s3 dependency. Here is my build.gradle file. I am using gradle 8.3 and jdk11.

plugins {
	id 'java'
	id 'org.springframework.boot' version '2.7.16'
	id 'io.spring.dependency-management' version '1.0.15.RELEASE'
	id "org.owasp.dependencycheck" version "8.2.1"
}

group = 'com.test'
version = '0.0.1-SNAPSHOT'

java {
	sourceCompatibility = '11'
}

repositories {
	mavenCentral()
}

configurations.all {
    resolutionStrategy {
        force 'io.netty:netty-codec-http:4.1.100.Final'
    }
}

dependencies {
	implementation 'org.springframework.boot:spring-boot-starter'
	testImplementation 'org.springframework.boot:spring-boot-starter-test'
	implementation platform("software.amazon.awssdk:bom:2.21.0")
	implementation "software.amazon.awssdk:sdk-core"
	implementation "software.amazon.awssdk:s3"
	implementation "software.amazon.awssdk:route53"
	implementation "software.amazon.awssdk:route53resolver"
}

tasks.named('test') {
	useJUnitPlatform()
}

I have followed this link to setup AWS on gradle.

The dependency checker still shows the 4.1.97.Final version and marks it as HIGH. I am using the following command to generate the OWASP report:

./gradlew dependencyCheckAnalyze

I have also posted this issue on stackoverflow. Link here.

I answered over there

1 Like