I am trying to use version `4.1.100.Final` for the `netty-codec-http` library as the OWASP dependency checker marks the `netty*` dependencies as HIGH. It is pulled in by the Amazon S3 dependency. Here is my `build.gradle` file. I am using Gradle 8.3 and JDK 11.
```groovy
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.7.16'
    id 'io.spring.dependency-management' version '1.0.15.RELEASE'
    id "org.owasp.dependencycheck" version "8.2.1"
}

group = 'com.test'
version = '0.0.1-SNAPSHOT'

java {
    sourceCompatibility = '11'
}

repositories {
    mavenCentral()
}

configurations.all {
    resolutionStrategy {
        force 'io.netty:netty-codec-http:4.1.100.Final'
    }
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    implementation platform("software.amazon.awssdk:bom:2.21.0")
    implementation "software.amazon.awssdk:sdk-core"
    implementation "software.amazon.awssdk:s3"
    implementation "software.amazon.awssdk:route53"
    implementation "software.amazon.awssdk:route53resolver"
}

tasks.named('test') {
    useJUnitPlatform()
}
```
I have followed this link to set up AWS on Gradle. The dependency checker still shows the `4.1.97.Final` version and marks it as HIGH. I am using the following command to generate the OWASP report:

```shell
./gradlew dependencyCheckAnalyze
```
As a start you should stop using the Spring dependency management plugin. It is an obsolete relic from times when Gradle did not have built-in BOM support, and even its maintainer recommends not to use it anymore. By now it does more harm than good and does not really have any added value. You should instead just use the built-in BOM support using `platform(...)`.

This will most probably also resolve your issue already, as that plugin also does a similar forcing to what you are trying to do and obviously overwrites your attempt to force the version.

But actually, you should also not do this big-hammer forcing of a version, but instead set a strict version constraint like with
```groovy
dependencies {
    constraints {
        implementation("io.netty:netty-codec-http:4.1.100.Final!!")
    }
}
```
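Putting the answer's three changes together, here is the asker's build file rewritten as an added example (not code from either post): the `io.spring.dependency-management` plugin is dropped, the Spring Boot BOM is imported through Gradle's own `platform(...)` using the coordinates the Spring Boot plugin exposes as `SpringBootPlugin.BOM_COORDINATES`, and the `force` block is replaced by the strict (`!!`) constraint.

```groovy
// Added example: the asker's build.gradle with the answer's changes applied.
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.7.16'
    id 'org.owasp.dependencycheck' version '8.2.1'
    // io.spring.dependency-management removed: Gradle's platform() does this job.
}

group = 'com.test'
version = '0.0.1-SNAPSHOT'

java {
    sourceCompatibility = '11'
}

repositories {
    mavenCentral()
}

dependencies {
    // Both BOMs imported with built-in platform() support; no extra plugin.
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
    implementation platform('software.amazon.awssdk:bom:2.21.0')

    implementation 'org.springframework.boot:spring-boot-starter'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    implementation 'software.amazon.awssdk:sdk-core'
    implementation 'software.amazon.awssdk:s3'
    implementation 'software.amazon.awssdk:route53'
    implementation 'software.amazon.awssdk:route53resolver'

    constraints {
        // Strict constraint instead of resolutionStrategy.force: resolution fails
        // loudly if another dependency cannot be satisfied with 4.1.100.Final,
        // rather than the pin being silently overridden as force() was.
        implementation('io.netty:netty-codec-http:4.1.100.Final!!') {
            because 'pin the transitive netty-codec-http from the AWS SDK to the patched release'
        }
    }
}

tasks.named('test') {
    useJUnitPlatform()
}
```

The constraint only pins `netty-codec-http`; any other `netty-*` artifacts the AWS SDK brings in keep their BOM-managed version unless you add constraints for them too. Check the resolved versions with `./gradlew dependencies --configuration runtimeClasspath` before re-running `./gradlew dependencyCheckAnalyze`.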