https://gradle.com/ logo
Join Slack
Powered by
This message was deleted.
# community-support
s
This message was deleted.
gradle-errors.txt
l
In case it matters, this is with Gradle 8.1.1
j
IIRC, you need to give Gradle some valid version to resolve to. It can't just infer what next version to use. Trust me, I wish it could.
So, you can't just provide a reject, you also need to provide a require
c
You want something like the below; simply rejecting invalid versions won’t do it.
Copy code
classpath("org.apache.logging.log4j:log4j-core") {
                version {
                    strictly("[2.17.2, 3[")
                    prefer("2.17.2")
                }
                because("CVE-2021-44228: Log4j vulnerable to remote code execution")
            }
j
Sorry, digging up memory lane here ^^
c
yes, two dimensions here: actually constraining to expected versions, separately from how dependabot ‘guesses’ at what versions are actually in use.
j
Yes. But fixing the constraint problem, for this exact use case, with Gradle was one of the things I wanted to fix while I was at Gradle. But I'm not there anymore
l
I thought the dependencies of my dependencies were effectively "requires". For example, I believe 
com.expediagroup:graphql-kotlin-server:6.5.3
(transitively) depends on 
com.graphql-java:graphql-java:20.3
, which I thought was the same as requiring 20.3 or greater.
c
no. it’s a suggestion at best. through constraints, conflict resolution, other transitive dependencies, metadata rules, etc Gradle will pick a version to use, which may differ from the starting point.
j
However, the set of "valid" versions that can actually be picked from, IIRC, will only come from the pool of versions that have been explicitly declared as being present by either a direct dependency, or a transitive. It won't look outside that set
c
or a constraint that specifies a version range / prefers.
j
@Louis Jacomet or @Daz DeBoer would be good resources here
or a constraint that specifies a version range / prefers.
I don't know if I ever got this to work. But it may be possible
c
This works:
Copy code
version {
                    strictly("[2.17.2, 3[")
                    prefer("2.17.2")
                }
in fact, it was what Gradle posted as a recommended solution for the Log4JShell vulnerability a ways back.
j
Does it? I thought it had to be a 
require
to work properly. Glad to see that 
prefer
is an option
c
the strictly bounds the range, within that prefer selects a version (well, as a starting point - if other deps say used 2.17.3 that would override)
l
Does "prefer" say to not add the dependency if nothing else is asking for it?
c
the constraint won’t kick in if nothing is using those coordinates.
The original post from Gradle re: Log4JShell.
the same principle applies for any need to bound the version range of a dependency - in this case >= 2.17.2 < 3
The docs on Gradle version ranges.
l
Ok, I've changed my constraints to:
Copy code
constraints {
    api("com.graphql-java:graphql-java") {
        version {
            strictly("[20.4,)")
            prefer("20.4")
        }
        because("CVE-2023-2976")
    }
}
and this seems to work!
Thank you both!
👍 1
j
I should probably go update that proposal to use the same strategy as the Log4Shell solution
👍 1
2 Views
Open in Slack
PreviousNext
Powered by