Maven-publish generates pom with wrong dependency

When maven-publish generates my pom it does not completely reflect my dependencies correctly. I came across other posts related to this but couldn’t figure out if the question/bug below was already raised or not.

If I have, for example, a multi-project setup where the same dependency is used more than once but with different versions, then Gradle will resolve the dependency conflict (log4j 1.2.16 in the example below); however, maven-publish will stick with the project dependency (a: log4j 1.2.15 and b: log4j 1.2.16).

a/build.gradle

dependencies {
  compile group: 'log4j', name: 'log4j', version: '1.2.15'
  compile project(path: ':b')
}

b/build.gradle

dependencies {
  compile group: 'log4j', name: 'log4j', version: '1.2.16'
}

root project build.gradle

allprojects {
    version = '1.0'
    group = 'com.test'

    apply plugin: 'java'
    apply plugin: 'maven'
    apply plugin: 'maven-publish'

    repositories {
      mavenCentral()
    }

    publishing {
        publications {
            test (MavenPublication) {
                from components.java
            }
        }
        repositories {
            maven {
                url "$buildDir/repo"
            }
        }
    }
}

settings.gradle

include 'a'
include 'b'

rootProject.name = 'gradle-maven-publish-test'

Gradle resolves log4j to version 1.2.16

./gradlew a:dependencies --configuration compile
:a:dependencies
------------------------------------------------------------
Project :a
------------------------------------------------------------

compile - Compile classpath for source set 'main'.
+--- log4j:log4j:1.2.15 -> 1.2.16
\--- project :b
     \--- log4j:log4j:1.2.16

However, Maven resolves to 1.2.15

./gradlew generatePomFileForTestPublication
mvn -f a/build/publications/test/pom-default.xml dependency:tree -Dincludes=log4j:log4j

log4j 1.2.15 has some Sun dependencies which cannot be resolved (this is a separate topic, I know)

[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building a 1.0
[INFO] ------------------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
...
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project a: Could not resolve dependencies for project com.test:a:jar:1.0: The following artifacts could not be resolved: com.sun.jdmk:jmxtools:jar:1.2.1, com.sun.jmx:jmxri:jar:1.2.1: Could not transfer artifact com.sun.jdmk:jmxtools:jar:1.2.1 from/to java.net (https://maven-repository.dev.java.net/nonav/repository): Cannot access https://maven-repository.dev.java.net/nonav/repository with type legacy using the available connector factories: BasicRepositoryConnectorFactory: Cannot access https://maven-repository.dev.java.net/nonav/repository with type legacy using the available layout factories: Maven2RepositoryLayoutFactory: Unsupported repository layout legacy -> [Help 1]
...

However, b works fine with 1.2.16

$ mvn -f b/build/publications/test/pom-default.xml dependency:tree -Dincludes=log4j:log4j
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512m; support was removed in 8.0
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building b 1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ b ---
[INFO] com.test:b:jar:1.0
[INFO] \- log4j:log4j:jar:1.2.16:runtime
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

I can see arguments for both sides

  • generated pom should include log4j-1.2.15 because that’s what’s asked for
    vs
  • generated pom should include log4j-1.2.16 because it’s a generated pom after all for this particular project and in the end I will end up using log4j-1.2.16.

When searching, I also came across: https://issues.gradle.org/browse/GRADLE-3120. I was wondering if it is the same problem or if this is another one.
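A check for the mismatch described in this post, as an added example that is not part of the original post: it compares the versions declared in a generated POM with the versions Gradle selected in the `dependencies` report, so a build can flag a published POM that names a version the project was never built against. The POM text is a constructed sample (the post does not show the file), and the function names `resolved_versions` and `pom_drift` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the `a:dependencies --configuration compile` report quoted in the post.
GRADLE_REPORT = """\
compile - Compile classpath for source set 'main'.
+--- log4j:log4j:1.2.15 -> 1.2.16
\\--- project :b
     \\--- log4j:log4j:1.2.16
"""

# Constructed sample of the generated pom-default.xml for :a (not shown in the post).
GENERATED_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.test</groupId><artifactId>a</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId>
      <version>1.2.15</version><scope>runtime</scope></dependency>
    <dependency><groupId>com.test</groupId><artifactId>b</artifactId>
      <version>1.0</version><scope>runtime</scope></dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Matches tree lines such as "+--- g:a:1.2.15 -> 1.2.16" or "\--- g:a:1.2.16 (*)".
DEP_LINE = re.compile(r"[+\\]--- ([^\s:]+):([^\s:]+):(\S+)(?: -> (\S+))?")

def resolved_versions(report):
    """Map group:artifact -> version Gradle selected after conflict resolution."""
    resolved = {}
    for line in report.splitlines():
        m = DEP_LINE.search(line)
        if m:
            group, name, requested, selected = m.groups()
            # "requested -> selected" means conflict resolution replaced the version.
            resolved[f"{group}:{name}"] = selected or requested
    return resolved

def pom_drift(pom_xml, report):
    """Return [(coordinate, version in POM, version Gradle resolved)] per mismatch."""
    resolved = resolved_versions(report)
    drift = []
    for dep in ET.fromstring(pom_xml).findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        coord = f"{group}:{dep.findtext('m:artifactId', namespaces=NS)}"
        declared = dep.findtext("m:version", namespaces=NS)
        # Project dependencies (com.test:b) are absent from the report and skipped.
        if coord in resolved and resolved[coord] != declared:
            drift.append((coord, declared, resolved[coord]))
    return drift
```

On the sample input, `pom_drift(GENERATED_POM, GRADLE_REPORT)` reports `log4j:log4j` as declared at 1.2.15 in the POM while Gradle resolved 1.2.16.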