Why these dependency constraints don't work

Following the news about the Log4J2 vulnerability and Cédric’s tweet https://twitter.com/CedricChampeau/status/1469608906196410368, I tried to apply constraints to my Gradle script.

I added the following:

    constraints {
        add("implementation", "org.apache.logging.log4j:log4j-core") {
            version {
                strictly("[2.15")
                prefer("2.15.0")
            }
            because("CVE-2021-44228 Log4j 2 Vulnerability")
        }
    }

Also, I have the following to use log4j through slf4j:

    implementation "org.slf4j:slf4j-api:1.7.32"
    implementation "org.apache.logging.log4j:log4j-slf4j-impl:2.15.0"
    implementation "org.slf4j:jul-to-slf4j:1.7.32"
    implementation "org.slf4j:jcl-over-slf4j:1.7.32"

(All other possible dependencies on log4j could only be through a transitive dependency.)

Unfortunately, I don’t see any effect of the constraint, and I’m trying to understand what I’m doing wrong:

    $ gradle dependencyInsight --dependency org.apache.logging.log4j

    > Task :dependencyInsight
    org.apache.logging.log4j:log4j-api:2.13.3
       variant "compile" [
          org.gradle.status                  = release (not requested)
          org.gradle.usage                   = java-api
          org.gradle.libraryelements         = jar (compatible with: classes+resources)
          org.gradle.category                = library

          Requested attributes not found in the selected variant:
             org.gradle.dependency.bundling     = external
             org.gradle.jvm.environment         = standard-jvm
             org.jetbrains.kotlin.platform.type = jvm
             org.gradle.jvm.version             = 13
       ]
       Selection reasons:
          - Selected by rule
          - By constraint : CVE-2021-44228 Log4j 2 Vulnerability

    org.apache.logging.log4j:log4j-api:{strictly [2.15; prefer 2.15.0} -> 2.13.3
    \--- compileClasspath

    org.apache.logging.log4j:log4j-api:2.15.0 -> 2.13.3
    \--- org.apache.logging.log4j:log4j-slf4j-impl:2.15.0
         \--- compileClasspath

    org.apache.logging.log4j:log4j-slf4j-impl:2.15.0 (selected by rule)
       variant "compile" [
          org.gradle.status                  = release (not requested)
          org.gradle.usage                   = java-api
          org.gradle.libraryelements         = jar (compatible with: classes+resources)
          org.gradle.category                = library

          Requested attributes not found in the selected variant:
             org.gradle.dependency.bundling     = external
             org.gradle.jvm.environment         = standard-jvm
             org.jetbrains.kotlin.platform.type = jvm
             org.gradle.jvm.version             = 13
       ]

    org.apache.logging.log4j:log4j-slf4j-impl:2.15.0
    \--- compileClasspath

It seems that Gradle just ignores constraint rules, though it definitely sees them. Tried with Gradle 6.9 and Gradle 7.2.

Turns out the problem was because of the plugin id 'io.spring.dependency-management' version '1.0.6.RELEASE'. It just breaks all constraints.
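
One way to catch this kind of silent override in a build check, as an added example that is not part of the original post: parse `dependencyInsight` output and report every log4j module whose selected version is below the version the constraint asked for. The function names, `FLOOR`, and the simplified numeric version comparison are assumptions; `SAMPLE` is a trimmed copy of the output shown above.

```python
import re

GROUP = "org.apache.logging.log4j"
FLOOR = (2, 15)  # assumption: minimum acceptable version, from the constraint in the post

# Trimmed copy of the dependencyInsight output shown in the post.
SAMPLE = """\
org.apache.logging.log4j:log4j-api:2.13.3
   Selection reasons:
      - Selected by rule
      - By constraint : CVE-2021-44228 Log4j 2 Vulnerability

org.apache.logging.log4j:log4j-api:{strictly [2.15; prefer 2.15.0} -> 2.13.3
\\--- compileClasspath

org.apache.logging.log4j:log4j-api:2.15.0 -> 2.13.3
\\--- org.apache.logging.log4j:log4j-slf4j-impl:2.15.0
     \\--- compileClasspath

org.apache.logging.log4j:log4j-slf4j-impl:2.15.0 (selected by rule)
"""

def version_key(text):
    """Numeric part of a version as a tuple (a simplification of Gradle's ordering)."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def resolved_versions(report, group=GROUP):
    """Map module name -> set of versions Gradle actually selected."""
    selected = {}
    for line in report.splitlines():
        if not line.startswith(group + ":"):  # only unindented coordinate lines
            continue
        coord, arrow, target = line.partition(" -> ")
        name, requested = coord[len(group) + 1:].split(":", 1)
        version = target if arrow else requested  # "requested -> selected"
        selected.setdefault(name, set()).add(version.split(" ")[0])
    return selected

def below_floor(report, floor=FLOOR, group=GROUP):
    """Sorted (module, version) pairs whose selected version is under the floor."""
    found = resolved_versions(report, group)
    return sorted((n, v) for n, vs in found.items() for v in vs if version_key(v) < floor)

if __name__ == "__main__":
    for name, version in below_floor(SAMPLE):
        print(f"FAIL {GROUP}:{name} resolved to {version}")
```
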