How to use the same locked dependencies among all sub-projects

aaronabf · December 2, 2019, 8:09pm

Background

We have a multi-project build running the latest version of Gradle, v6.0.1. Each sub-project declares its own dependencies along with any restrictions necessary for the project to run properly. We wish for all of our code to compile and run with the same dependencies in both testing and production.

Issue

As part of our build pipeline we ensure dependency resolution can succeed with proper conflict resolution and then lock all dependencies. However, we recently realized that sub-projects were not compiling with the locked dependencies. This is because each sub-project looks for dependency locks in its own gradle/dependency-locks directory and we are only generating these file in our root project.

For instance we notice discrepancies such as

$ ./gradlew :dependencies | grep this-is:a-dependency | sort -u | head -n1
+--- this-is:a-dependency:2.0

$ ./gradlew :some-subproject:dependencies | grep this-is | sort -u | head -n1
|   \--- this-is:a-dependency:1.0

How to Fix?

An easy fix is to create a custom task that copies the root project’s dependency lock directory into each sub-project’s dependency lock directory before compile time. However this feels somewhat hacky. Is there a more proper way to achieve the desired result?

marco-schmidt · December 4, 2019, 11:49am

@aaronabf

I’ve fixed some dependency versions for all configurations by iterating over all dependencies of all configurations like this:

github.com

marco-schmidt/am/blob/4d6af57acf8c1ca267413ebb88257dcd6b709d0a/build.gradle#L51


dependencies {
    implementation group: 'org.slf4j', name: 'slf4j-api', version: '1.7.29'
    implementation group: 'ch.qos.logback', name: 'logback-classic', version: '1.2.3'
    implementation group: 'com.github.mjeanroy', name: 'exiftool-lib', version: '2.5.0'
    implementation group: 'org.eclipse.rdf4j', name: 'rdf4j-repository-sparql', version: '3.0.3'
    implementation group: 'org.wikidata.wdtk', name: 'wdtk-wikibaseapi', version: '0.11.0'
    implementation group: 'org.xerial', name: 'sqlite-jdbc', version: '3.28.0'
    testImplementation 'junit:junit:4.12'
}


configurations.all {
  resolutionStrategy.eachDependency { DependencyResolveDetails details ->
    if (details.requested.group == 'com.fasterxml.jackson.core' && details.requested.name == 'jackson-databind') {
      details.useVersion '2.10.1'
      details.because 'CVE-2019-16942, CVE-2019-16943'
    }
    if (details.requested.group == 'commons-beanutils' && details.requested.name == 'commons-beanutils') {
      details.useVersion '1.9.4'
      details.because 'CVE-2019-10086'
    }
    if (details.requested.group == 'org.apache.commons' && details.requested.name == 'commons-compress') {

I’ve copied and adapted this and would also like to know if there is a reason not to do it like this. Possibly tools do not take this statement into consideration when running a vulnerability analysis or checking for updates.

Greetings
Marco

aaronabf · December 9, 2019, 5:41pm

Hi Marco,

How would this sync dependencies such that sub-projects would use the correct dependencies? I do not see any way this could be used to achieve the desired goal.

Let me know if I am missing something.

Aaron

marco-schmidt · December 10, 2019, 1:52pm

Hi Aaron, this forces all subprojects to use the same version of particular dependencies instead of defining them per subproject. That’s how I understood your original request. Greetings Marco

aaronabf · January 27, 2020, 8:47pm

However we want our sub-projects to define their own dependencies. This is more modular and allows them to be passed around among different projects.