4

I currently have a project that I have performed an Aqua scan on, and it identified the jackson-databind-2.9.8.jar I'm currently using as a critical vulnerability and recommended that I replace it with version 2.10. To update this while ensuring all other dependencies/code still work, I've tried the following code in my build.gradle file, where group_name:microservice-event:0.2.+ shows up on the list of Gradle dependencies and apparently brings in the 2.9.8 jar that is causing problems:

    implementation 'com.fasterxml.jackson.core:jackson-databind:2.10'

    implementation('*group_name*:microservice-event:0.2.+') {
        exclude group: 'com.fasterxml.jackson.core', module: 'jackson-databind'
    }

I've also removed the implementation '*group_name*:microservice-event:0.2.+' line I previously had in my build.gradle file.

However, now the project fails to build and I have no idea why. Would anyone know how to write code in the build.gradle file to successfully exclude old jars/dependencies while allowing for newer jars (as I've tried to do with the line implementation 'com.fasterxml.jackson.core:jackson-databind:2.10')? Note that I do not want to update the Spring Boot version.

kaido
  • And it fails with what error? Also, I'm not sure if Jackson 2.9 and 2.10 are actually compatible, so it could be that you still need to stick with 2.9 due to incompatibilities. – M. Deinum Jun 09 '20 at 06:54

1 Answer

5

When Gradle encounters two different versions of the same dependency, it will perform a conflict resolution. It defaults to choosing the highest version number.

However, because many libraries like Jackson consist of a number of individual modules such as jackson-databind and jackson-core, you may end up in a situation where there is a mismatch between the different versions.

To align them, you can use the Jackson BOM and Gradle's platform dependency mechanism. It looks like this (choose only one of the dependencies below):

    dependencies {
      // Enforce the specified version
      implementation(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.10.4"))

      // Align all modules to the same version, but allow upgrade to a higher version
      implementation(platform("com.fasterxml.jackson:jackson-bom:2.10.4"))
    }

You don't need to exclude anything from your other dependencies.

If you encounter problems with the use of Jackson after upgrading, you should have a look at the release notes for 2.10 and check whether you might be hit by any of the compatibility changes. Of course, if the problem is in a third-party library, it might be more difficult to fix. But you may try the latest version in the 2.9 line (which is 2.9.10 at this time) and see if the vulnerability is fixed there.

Bjørn Vester
  • For other users, I want to add that if you are using, let's say, jackson-databind 2.13.2.1, and considering that other Jackson dependencies like jackson-jdk8, jackson-jsr, etc. are not released as 2.13.2.1 but as 2.13.2 or some other version, then you can specify jackson-databind as a separate dependency at version 2.13.2.1 and the other dependencies via the platform, as in this answer. This becomes very handy when we are changing the Jackson version used by Spring Boot. Thanks for this answer. I could solve the errors I got only by updating ext['jackson.version']='2.13.2.1' in the build. – KnockingHeads Mar 28 '22 at 07:43
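Putting the answer and the comment above together, here is an added build.gradle (Groovy DSL) example that is not from the question or the answer: it aligns the Jackson modules through the BOM, pins jackson-databind separately (the pattern the comment describes), keeps the transitive dependency from the question without any exclude, and adds a check task that fails the build if any Jackson module below the minimum version still resolves onto the runtime classpath. The group_name coordinates are a placeholder taken from the question, and checkJacksonVersions/minimumJackson/compareVersions are names chosen here.

```groovy
// Added example, not the question's or answer's own build file.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Align every Jackson module on the BOM version (2.10.4, as in the answer).
    implementation(platform("com.fasterxml.jackson:jackson-bom:2.10.4"))
    // Pin databind directly; put a databind-only patch release here when one
    // exists (the comment's 2.13.2.1 case). The platform still aligns the rest.
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.10.4'
    // The library that transitively pulled in 2.9.8. Placeholder coordinates
    // from the question; no exclude is needed because the platform aligns it.
    implementation 'group_name:microservice-event:0.2.+'
}

// Lowest Jackson version the scanner accepts (2.10.0 here; adjust as needed).
def minimumJackson = '2.10.0'

// Numeric dot-separated version comparison; non-numeric parts count as 0.
def compareVersions(String a, String b) {
    def pa = a.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def pb = b.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    int n = Math.max(pa.size(), pb.size())
    for (int i = 0; i < n; i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) return x <=> y
    }
    return 0
}

// Fail the build if a vulnerable Jackson module slipped through conflict resolution.
tasks.register('checkJacksonVersions') {
    doLast {
        def offenders = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group.startsWith('com.fasterxml.jackson') }
            .findAll { compareVersions(it.version, minimumJackson) < 0 }
        if (!offenders.empty) {
            throw new GradleException("Jackson modules below ${minimumJackson}: ${offenders}")
        }
    }
}
tasks.named('check') { dependsOn 'checkJacksonVersions' }
```

Run `gradle dependencyInsight --dependency jackson-databind --configuration runtimeClasspath` to see which declaration won conflict resolution, and `gradle check` to run the guard.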