Issue Fetching Dependencies from sub projects

I have projects ingress-common , ingress-core and ingress is the main project.
After upgrading the version from 6.8.3 to 8.2.1.
Below is the build.gradle of ingress-core

apply plugin: "java"

dependencies {
  implementation 'org.apache.commons:commons-lang3:3.6'
    implementation 'javax.servlet:javax.servlet-api:3.1.0'
    implementation 'com.google.code.gson:gson:2.8.9'
    implementation 'org.glassfish.jersey.inject:jersey-hk2:2.26'
    implementation("org.glassfish.jersey.containers:jersey-container-servlet-core:2.35") {
     exclude module: "org.glassfish.hk2.external:jakarta.inject:2.6.1"
  }
  
  // Dependent projects
  implementation project(':ingress-common')
  
  testImplementation 'org.slf4j:slf4j-api:1.7.21'
  testImplementation 'org.mockito:mockito-core:3.8.0'
  
  // Temporary mitigation for CVE-2021-44228
  // https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
  configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.apache.logging.log4j') {
            details.useVersion '2.17.1'
        }
    }
  }
}

and the below is ingress-common

// Project name: ingress-common
apply plugin: 'java'

dependencies {
	  implementation 'com.google.guava:guava:30.0-jre'
	  implementation 'commons-io:commons-io:2.7'
	  implementation('org.apache.commons:commons-lang3:3.6') {
                exclude module: 'commons-io'
    }
	  implementation 'com.cloudant:cloudant-client:2.19.1'
	  implementation 'com.google.code.gson:gson:2.8.9'
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.12.6.1'
	  implementation("javax.ws.rs:javax.ws.rs-api:2.1")  {
                exclude module: 'jackson-databind'
    }
	  implementation 'org.apache.httpcomponents:httpclient:4.5.13'
    implementation 'org.apache.logging.log4j:log4j-api:2.17.1'
    implementation 'org.apache.logging.log4j:log4j-core:2.17.1'
    implementation 'com.rapid7:r7insight_java:3.0.15'
    implementation("org.apache.poi:poi-ooxml:4.1.1") {
                exclude module: 'commons-compress'
    }
    implementation 'org.apache.commons:commons-compress:1.21' // Added to fix AppScan vulnerability
    implementation 'com.sendgrid:sendgrid-java:4.4.8'
    implementation 'com.thoughtworks.xstream:xstream:1.4.18'
    implementation 'javax.xml.bind:jaxb-api:2.3.1'
	testImplementation 'org.slf4j:slf4j-api:1.7.21'
  testImplementation 'org.mockito:mockito-core:3.8.0'
	
  // Temporary mitigation for CVE-2021-44228
  // https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
  configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.apache.logging.log4j') {
            details.useVersion '2.17.1'
        }
    }
  }
}

while doing gradle build facing issues having log4j dependency in ingress-core.

Can someone pls kindly let me know if I am missing something in linking the projects ?.

What problem / error / … do you get?
Can you share a build --scan?

I am getting package not found error during ingress-core building the below is the sample error I am getting after

You declare log4j as implementation dependency of ingress-common.
This means it does not leak into the compile classpath of downstream projects.
Because of that it is not available in the compile classpath of ingress-core.
You should declare log4j as implementation dependency for ingress-core separately.

1 Like