I'm using the org.jlleitschuh.gradle.ktlint plugin for Kotlin formatting in my multi-module project. The plugin uses com.pinterest.ktlint 0.45.2, which has a dependency on ch.qos.logback:logback-classic:1.2.9. This dependency has a CVE vulnerability, so I'm trying to use a version that doesn't, e.g. 1.4.14, but gradlew dependencyCheckAggregate still complains and keeps finding the version 1.2.12.
This is how my root build.gradle looks:
plugins {
    id("org.owasp.dependencycheck") version "8.1.2"
    id("org.jlleitschuh.gradle.ktlint") version "11.0.0"
    ....
}

allprojects {
    apply(plugin = "org.jlleitschuh.gradle.ktlint")
    repositories {
        ...
    }
}

ktlint {
    // Force a new dependency to use new version of logback
    configurations.all {
        this.resolutionStrategy.eachDependency {
            if (this.requested.group == "ch.qos.logback") {
                this.useVersion("1.4.14")
            }
        }
    }
    ...
}
When I run gradlew dependencies I see the following output, meaning it's indeed getting the new version:
+--- ch.qos.logback:logback-classic:1.2.9 -> 1.4.14
| +--- ch.qos.logback:logback-core:1.4.14
But when I execute dependencyCheckAggregate, I still get:
logback-classic-1.2.12.jar (pkg:maven/ch.qos.logback/logback-classic@1.2.12, cpe:2.3:a:qos:logback:1.2.12:*:*:*:*:*:*:*) : CVE-2023-6378
logback-core-1.2.12.jar (pkg:maven/ch.qos.logback/logback-core@1.2.12, cpe:2.3:a:qos:logback:1.2.12:*:*:*:*:*:*:*) : CVE-2023-6378
I'm not sure what I should do now. I already tried putting the resolution strategy in different places in the Gradle file. I even used force instead of the eachDependency check, and all of them result in the same output. Could someone help me out here?
EDIT: Strangely, it only works when I apply it to all the sub-projects individually as well. It just doesn't work if I put it in just the root build.gradle.kts. So now the question is how to do it just once, or do I have to repeat it in all places?
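As an added example (this is not the asker's build script), the same resolution rule placed where it is registered on every project's configurations rather than on the root project only. In the original script, `configurations.all {}` sits inside the `ktlint {}` extension block, so the Kotlin DSL resolves `configurations` against the root project, which is why the rule only takes effect in the subprojects once it is repeated in each of them. Moving it into `allprojects {}` applies it once to root and subprojects alike. Plugin and version numbers are the ones from the question; the repository is an assumption.

```kotlin
// Root build.gradle.kts (added example, not the asker's build script).
plugins {
    id("org.owasp.dependencycheck") version "8.1.2"
    id("org.jlleitschuh.gradle.ktlint") version "11.0.0"
}

// Versions from the question: 1.4.14 is the logback release the asker chose
// to replace the 1.2.x line flagged as CVE-2023-6378 by dependencyCheckAggregate.
val logbackGroup = "ch.qos.logback"
val logbackSafeVersion = "1.4.14"

allprojects {
    apply(plugin = "org.jlleitschuh.gradle.ktlint")

    repositories {
        mavenCentral() // assumption: the question elides the repository list
    }

    // Registered on each project visited by allprojects {}, so the rule also
    // reaches the subprojects. configurations.all {} runs its action for every
    // existing configuration and for every configuration added later, which
    // covers the ones the ktlint plugin creates for its own classpath.
    configurations.all {
        resolutionStrategy.eachDependency {
            if (requested.group == logbackGroup) {
                useVersion(logbackSafeVersion)
                // Shows up in dependencyInsight output as the reason for the override.
                because("CVE-2023-6378 reported by dependencyCheckAggregate on logback 1.2.12")
            }
        }
    }
}
```

To confirm the override reached a subproject, run `gradlew :<subproject>:dependencyInsight --dependency logback-classic --configuration <name>` for the configuration that pulls logback in; the report should show `1.2.9 -> 1.4.14` together with the `because(...)` text, and a subsequent `dependencyCheckAggregate` run should no longer list the 1.2.12 jars.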