When working on Gradle projects, I've found that it doesn't always respect the declared constraints. A simple example is spring-boot-starter-tomcat:3.1.3, which pulls in tomcat-embed-core, but the version it requires is 10.1.12, which currently has an open CVE, CVE-2023-41080. Normally I should be able to set a constraint on 10.1.13, which currently has no open CVEs.
The problem is that Gradle doesn't always honour this. Here is a simple example:
dependencies {
    implementation('org.springframework.boot:spring-boot-starter-tomcat:3.1.3')
    constraints {
        // Bumping the version of Tomcat embedded as there are CVEs on 10.1.12
        implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.13') {
            because '...'
        }
        implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.13') {
            because '...'
        }
        implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.13') {
            because '...'
        }
    }
}
My dependency tree resolves to:
compileClasspath - Compile classpath for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-tomcat:3.1.3
|    +--- jakarta.annotation:jakarta.annotation-api:2.1.1
|    +--- org.apache.tomcat.embed:tomcat-embed-core:10.1.12
|    +--- org.apache.tomcat.embed:tomcat-embed-el:10.1.12
|    \--- org.apache.tomcat.embed:tomcat-embed-websocket:10.1.12
|         \--- org.apache.tomcat.embed:tomcat-embed-core:10.1.12
+--- org.apache.tomcat.embed:tomcat-embed-core:10.1.13 -> 10.1.12 (c)
+--- org.apache.tomcat.embed:tomcat-embed-el:10.1.13 -> 10.1.12 (c)
\--- org.apache.tomcat.embed:tomcat-embed-websocket:10.1.13 -> 10.1.12 (c)
The Gradle documentation tells me:
https://docs.gradle.org/current/userguide/dependency_constraints.html
Developers often wrongly fix transitive dependency issues by adding direct dependencies. To avoid this, Gradle provides the concept of dependency constraints.
But that is the only way to get Tomcat bumped to the newer version. What am I misunderstanding about adding dependency constraints? Why doesn't Gradle honour these settings?
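Added example, not part of the original question. The post does not show its plugins block, so this build script assumes the Spring Boot plugin together with io.spring.dependency-management are applied; in that setup the Spring Boot BOM manages the Tomcat version through the `tomcat.version` property, and the documented way to move it is to override that property rather than to declare a Gradle constraint. The `checkTomcatVersion` task is a generic guard that fails the build if any org.apache.tomcat.embed artifact still resolves below the required version, so a silent downgrade like the `10.1.13 -> 10.1.12 (c)` shown above cannot ship unnoticed. The task name and the `requiredTomcat` variable are this example's own.

```groovy
// build.gradle (Groovy DSL). Added example; assumes the plugins below are in use.
plugins {
    id 'java'
    id 'org.springframework.boot' version '3.1.3'
    id 'io.spring.dependency-management' version '1.1.3'
}

repositories {
    mavenCentral()
}

// Version we require for every org.apache.tomcat.embed artifact.
def requiredTomcat = '10.1.13'

// With the dependency-management plugin active, the Spring Boot BOM's managed
// Tomcat version is controlled by this property; a plain constraint is not enough.
ext['tomcat.version'] = requiredTomcat

dependencies {
    // Version omitted on purpose: the BOM (with tomcat.version overridden) supplies it.
    implementation 'org.springframework.boot:spring-boot-starter-tomcat'
}

// Numeric-aware comparison of dotted versions such as 10.1.12 vs 10.1.13,
// so that 10.1.9 correctly sorts below 10.1.13.
def compareVersions(String a, String b) {
    def pa = a.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def pb = b.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def n = Math.max(pa.size(), pb.size())
    for (int i = 0; i < n; i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) {
            return x <=> y
        }
    }
    return 0
}

// Guard task: inspect what actually resolved on the runtime classpath, not what
// was declared, and fail if any Tomcat embed artifact is older than required.
tasks.register('checkTomcatVersion') {
    description = 'Fails if any org.apache.tomcat.embed artifact resolves below the required version'
    doLast {
        def tooOld = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.apache.tomcat.embed' && compareVersions(it.version, requiredTomcat) < 0 }
            .collect { "${it.group}:${it.name}:${it.version}" }
            .unique()
        if (tooOld) {
            throw new GradleException("Tomcat embed artifacts below ${requiredTomcat}: ${tooOld}")
        }
        logger.lifecycle("All org.apache.tomcat.embed artifacts are >= ${requiredTomcat}")
    }
}

// Run the guard as part of the normal verification lifecycle.
tasks.named('check') {
    dependsOn 'checkTomcatVersion'
}
```

To see which rule actually chose 10.1.12 in the original build, `./gradlew dependencyInsight --dependency tomcat-embed-core --configuration compileClasspath` prints the selection reason for that module, which distinguishes a forced or managed version from ordinary conflict resolution between constraints.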