More updatable dependencies when using 6.0.3 instead of 6.0.2

[davidburstrom]

When using https://github.com/ben-manes/gradle-versions-plugin version 0.38.0 to look for updatable dependencies, I notice that when using Spotless 6.0.3 instead of 6.0.2 it will list a large number of new coordinates, such as

The following dependencies have later milestone versions:
 - com.diffplug.spotless:spotless-eclipse-base [3.4.2 -> 3.5.2]
     https://github.com/diffplug/spotless
 - com.diffplug.spotless:spotless-eclipse-groovy [4.1.0 -> 4.3.0]
     https://github.com/diffplug/spotless
 - org.eclipse.platform:org.eclipse.core.commands [3.9.800 -> 3.10.100]
     http://www.eclipse.org/platform
 - org.eclipse.platform:org.eclipse.core.contenttype [3.7.900 -> 3.8.100]
     http://www.eclipse.org/platform
 - org.eclipse.platform:org.eclipse.core.jobs [3.10.1100 -> 3.12.0]
     http://www.eclipse.org/platform
 - org.eclipse.platform:org.eclipse.core.resources [3.14.0 -> 3.16.0]
     http://www.eclipse.org/platform

etc.

It looks like something has changed that causes the plugin to pick up dependencies from the spotless configurations, which becomes noisy in the report.
With Spotless 6.0.2, the report was silent about those dependencies.

Gradle version 7.3.1
Spotless version 6.0.3

allprojects {
    afterEvaluate {
        apply(plugin = "com.diffplug.spotless")

        configure<SpotlessExtension> {
            groovyGradle {
                target("*.gradle")
                greclipse().configFile(rootProject.file("config/spotless/greclipse.properties"))
            }   

            kotlinGradle {
                target("*.gradle.kts")
                ktlint(ktlintVersion)
            }   
        }
    }
} 

[fabianlinz]

Same observation here: the gradle project dependencies (gradlew dependencies) now contain an entry for spotless with 6.0.3 that is not there with 6.0.2. (In our case OWASP dependency check pickt this up due to CVE-2021-41033.)

spotless-641085672 - [...]
+--- com.diffplug.spotless:spotless-eclipse-jdt:4.8.1
+--- com.diffplug.spotless:spotless-eclipse-base:3.5.2
+--- com.github.spotbugs:spotbugs-annotations:4.0.2
+--- com.google.code.findbugs:jsr305:3.0.2
+--- net.jcip:jcip-annotations:1.0
+--- org.eclipse.jdt:org.eclipse.jdt.core:3.27.0
+--- org.eclipse.platform:org.eclipse.core.commands:3.10.100
+--- org.eclipse.platform:org.eclipse.core.contenttype:3.8.0
+--- org.eclipse.platform:org.eclipse.core.filesystem:1.9.100
+--- org.eclipse.platform:org.eclipse.core.jobs:3.12.0
+--- org.eclipse.platform:org.eclipse.core.resources:3.15.100
+--- org.eclipse.platform:org.eclipse.core.runtime:3.23.0
+--- org.eclipse.platform:org.eclipse.equinox.app:1.6.0
+--- org.eclipse.platform:org.eclipse.equinox.common:3.15.0
+--- org.eclipse.platform:org.eclipse.equinox.preferences:3.9.0
+--- org.eclipse.platform:org.eclipse.equinox.registry:3.11.0
+--- org.eclipse.platform:org.eclipse.osgi:3.17.0
\--- org.eclipse.platform:org.eclipse.text:3.12.0

[nedtwigg]

Interesting! gradle/6.0.2...gradle/6.0.3

I think the root cause is probably 02e0364, which causes the dependencies to be resolved eagerly rather lazily.

In some sense, this is probably good, yeah? To have dependencies with CVE's show up in the report?

If spotless-641085672 was instead named spotless-greclipse, would this new behavior be okay / better?

[davidburstrom]

Good question... There's no obvious way to affect which versions get resolved, other than adding resolution strategies to some select configurations, and inherently it's an implementation detail of Spotless which those dependencies are, meaning that any extra resolution strategies will go stale with time. I suppose it's not the responsibility of Spotless to ensure there are no CVE's in its dependencies, though it certainly looks better if there aren't any.

[nedtwigg]

Should be fixed in 6.1.0, please reopen if the issue persists. See these docs for more details.

[davidburstrom]

As far as I can tell, it is fixed for my use-case.