Constraints are not followed #455

@jolaf

Description

I have an Android/Kotlin/Java/Gradle project with some external dependencies.

Some of those external dependencies have not been updated for some time, so some of their dependencies have known vulnerabilities, correctly shown by dependencyCheckAnalyze.

I try to avoid these vulnerabilities by providing constraints on those transitive dependencies to use newer versions with no known vulnerabilities.

That works, I see that build uses newer versions of transitive dependencies.

However, when I run dependencyCheckAnalyze again, it keeps warning me about vulnerabilities in old versions of transitive dependencies that are no longer used by the build due to constraints.

Is it a bug or a feature? Or maybe I'm doing something wrong?

Note that some of the vulnerabilities are found in transitive dependencies of Gradle plugins I use, so I have to put constraints in the project root. However, moving the constraints to the subproject doesn't help either.

I use Windows 10, Java 17, AGP 8.9.1, KGP 2.1.20, KSP 2.1.20-2.0.0, Gradle 8.13, org.owasp.dependencycheck 12.1.1.

.\gradlew dependencyCheckAnalyze:

...
> Task :app:dependencyCheckAnalyze
Verifying dependencies for project app
Checking for updates and analyzing dependencies for vulnerabilities

> Task :dependencyCheckAnalyze
...
Verifying dependencies for project Project
Checking for updates and analyzing dependencies for vulnerabilities
Generating report for project Project
Found 6 vulnerabilities in project Project

One or more dependencies were identified with known vulnerabilities in Project:

ktlint-cli-reporter-checkstyle-1.0.1.jar (pkg:maven/com.pinterest.ktlint/ktlint-cli-reporter-checkstyle@1.0.1, cpe:2.3:a:checkstyle:checkstyle:1.0.1:*:*:*:*:*:*:*, cpe:2.3:a:ktlint_project:ktlint:1.0.1:*:*:*:*:*:*:*) : CVE-2019-10782, CVE-2019-9658
logback-classic-1.3.5.jar (pkg:maven/ch.qos.logback/logback-classic@1.3.5, cpe:2.3:a:qos:logback:1.3.5:*:*:*:*:*:*:*) : CVE-2023-6378
logback-core-1.3.5.jar (pkg:maven/ch.qos.logback/logback-core@1.3.5, cpe:2.3:a:qos:logback:1.3.5:*:*:*:*:*:*:*) : CVE-2023-6378, CVE-2024-12798, CVE-2024-12801

See the dependency-check report for more details.

Region [NODEAUDIT] : Not alive and dispose was called, filename: NODEAUDIT
Region [CENTRAL] : Not alive and dispose was called, filename: CENTRAL
Region [POM] : Not alive and dispose was called, filename: POM

> Task :app:dependencyCheckAnalyze
Generating report for project app
Found 49 vulnerabilities in project app

One or more dependencies were identified with known vulnerabilities in app:

grpc-api-1.57.2.jar (pkg:maven/io.grpc/grpc-api@1.57.2, cpe:2.3:a:grpc:grpc:1.57.2:*:*:*:*:*:*:*) : CVE-2023-44487
grpc-context-1.57.2.jar (pkg:maven/io.grpc/grpc-context@1.57.2, cpe:2.3:a:grpc:grpc:1.57.2:*:*:*:*:*:*:*) : CVE-2023-44487
grpc-core-1.57.2.jar (pkg:maven/io.grpc/grpc-core@1.57.2, cpe:2.3:a:grpc:grpc:1.57.2:*:*:*:*:*:*:*) : CVE-2023-44487
grpc-netty-1.57.2.jar (pkg:maven/io.grpc/grpc-netty@1.57.2, cpe:2.3:a:grpc:grpc:1.57.2:*:*:*:*:*:*:*) : CVE-2023-44487
grpc-protobuf-1.57.2.jar (pkg:maven/io.grpc/grpc-protobuf@1.57.2, cpe:2.3:a:grpc:grpc:1.57.2:*:*:*:*:*:*:*, cpe:2.3:a:protobuf:protobuf:1.57.2:*:*:*:*:*:*:*) : CVE-2023-44487
grpc-protobuf-lite-1.57.2.jar (pkg:maven/io.grpc/grpc-protobuf-lite@1.57.2, cpe:2.3:a:grpc:grpc:1.57.2:*:*:*:*:*:*:*, cpe:2.3:a:protobuf:protobuf:1.57.2:*:*:*:*:*:*:*) : CVE-2023-44487
grpc-services-1.57.2.jar (pkg:maven/io.grpc/grpc-services@1.57.2, cpe:2.3:a:grpc:grpc:1.57.2:*:*:*:*:*:*:*) : CVE-2023-44487
grpc-stub-1.57.2.jar (pkg:maven/io.grpc/grpc-stub@1.57.2, cpe:2.3:a:grpc:grpc:1.57.2:*:*:*:*:*:*:*) : CVE-2023-44487
kotlin-stdlib-1.5.30.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.5.30, cpe:2.3:a:jetbrains:kotlin:1.5.30:*:*:*:*:*:*:*) : CVE-2022-24329
kotlin-stdlib-common-1.5.30.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.5.30, cpe:2.3:a:jetbrains:kotlin:1.5.30:*:*:*:*:*:*:*) : CVE-2022-24329
kotlin-stdlib-jdk7-1.5.30.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.5.30, cpe:2.3:a:jetbrains:kotlin:1.5.30:*:*:*:*:*:*:*) : CVE-2022-24329
kotlin-stdlib-jdk8-1.5.30.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.5.30, cpe:2.3:a:jetbrains:kotlin:1.5.30:*:*:*:*:*:*:*) : CVE-2022-24329
netty-buffer-4.1.93.Final.jar (pkg:maven/io.netty/netty-buffer@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2023-34462, CVE-2025-25193
netty-codec-4.1.93.Final.jar (pkg:maven/io.netty/netty-codec@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2023-34462, CVE-2025-25193
netty-codec-http-4.1.93.Final.jar (pkg:maven/io.netty/netty-codec-http@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2023-34462, CVE-2025-25193, CVE-2024-29025
netty-codec-http2-4.1.93.Final.jar (pkg:maven/io.netty/netty-codec-http2@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2023-34462, CVE-2025-25193
netty-codec-socks-4.1.93.Final.jar (pkg:maven/io.netty/netty-codec-socks@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2023-34462, CVE-2025-25193
netty-common-4.1.93.Final.jar (pkg:maven/io.netty/netty-common@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2024-47535, CVE-2023-34462, CVE-2025-25193
netty-handler-4.1.93.Final.jar (pkg:maven/io.netty/netty-handler@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2025-24970, CVE-2023-34462, CVE-2025-25193
netty-handler-proxy-4.1.93.Final.jar (pkg:maven/io.netty/netty-handler-proxy@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2023-34462, CVE-2025-25193
netty-resolver-4.1.93.Final.jar (pkg:maven/io.netty/netty-resolver@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2023-34462, CVE-2025-25193
netty-transport-4.1.93.Final.jar (pkg:maven/io.netty/netty-transport@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2023-34462, CVE-2025-25193
netty-transport-native-unix-common-4.1.93.Final.jar (pkg:maven/io.netty/netty-transport-native-unix-common@4.1.93.Final, cpe:2.3:a:netty:netty:4.1.93:*:*:*:*:*:*:*) : CVE-2023-44487, CVE-2023-34462, CVE-2025-25193
protobuf-java-3.24.4.jar (pkg:maven/com.google.protobuf/protobuf-java@3.24.4, cpe:2.3:a:google:protobuf-java:3.24.4:*:*:*:*:*:*:*, cpe:2.3:a:protobuf:protobuf:3.24.4:*:*:*:*:*:*:*) : CVE-2024-7254
...

/settings.gradle.kts:

rootProject.name = "Project"

include(":app")

pluginManagement {
    repositories {
        google()
        gradlePluginPortal()
    }
}

plugins {
    id("com.android.application") version "8.9.2" apply false        // These three should be here for `build-health` plugin to work:
    id("org.jetbrains.kotlin.android") version "2.1.20" apply false  // https://github.com/autonomousapps/dependency-analysis-gradle-plugin/wiki/Adding-to-your-project
    id("org.jetbrains.kotlin.jvm") version "2.1.20" apply false      //

    id("com.autonomousapps.build-health") version "2.17.0"  // Provides advice for managing dependencies and other applied plugins
    id("com.gradle.develocity") version "4.0.1"  // Publishes build scan to https://scans.gradle.com
}

buildscript {
    configurations.configureEach {
        resolutionStrategy {
            // Workaround for `org.owasp.dependencycheck` plugin: https://github.com/dependency-check/DependencyCheck/issues/7405
            force("org.apache.commons:commons-compress:1.27.1")
        }
    }
}

@Suppress("UnstableApiUsage")
dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
        mavenCentral()
        maven("https://jitpack.io") { name = "JitPack" }
    }
}

develocity {  // `com.gradle.develocity` plugin
    projectId = rootProject.name

    buildScan {
        // Allows connecting to https://scans.gradle.com without asking to agree to the terms of service each time
        termsOfUseUrl = "https://gradle.com/help/legal-terms-of-use"
        termsOfUseAgree = "yes"

        publishing.onlyIf {  // Publish only when building in CI
            System.getenv("CI_JOB_STAGE")?.lowercase() == "build"
        }
    }
}

/buildSrc/build.gradle.kts:

dependencies {
    constraints {
        // For `org.owasp.dependencycheck` plugin
        add("api", "com.fasterxml.jackson:jackson-bom:2.19.0-rc2")
        add("api", "org.apache.commons:commons-lang3:3.17.0")
        add("api", "org.apache.commons:commons-text:1.13.1")
    }
}

/build.gradle.kts:

import org.jlleitschuh.gradle.ktlint.reporter.ReporterType

plugins {
    id("java-platform")
    id("com.google.devtools.ksp") version "2.1.20-2.0.0" apply false
    id("org.jlleitschuh.gradle.ktlint") version "12.2.0"
    id("org.owasp.dependencycheck") version "12.1.1"  // Checks dependencies for vulnerabilities
}

dependencies {
    constraints {
        // Transitive dependencies with vulnerabilities forced to latest stable versions
        api("ch.qos.logback:logback-classic:1.5.18")
        api("ch.qos.logback:logback-core:1.5.18")
        api("com.google.protobuf:protobuf-java:4.30.2")
        api("com.pinterest.ktlint:ktlint-cli-reporter-checkstyle:1.5.0")
        api("io.grpc:grpc-api:1.72.0")
        api("io.grpc:grpc-context:1.72.0")
        api("io.grpc:grpc-core:1.72.0")
        api("io.grpc:grpc-netty:1.72.0")
        api("io.grpc:grpc-protobuf:1.72.0")
        api("io.grpc:grpc-protobuf-lite:1.72.0")
        api("io.grpc:grpc-services:1.72.0")
        api("io.grpc:grpc-stub:1.72.0")
        api("io.netty:netty-buffer:4.2.0.Final")
        api("io.netty:netty-codec:4.2.0.Final")
        api("io.netty:netty-codec-http:4.2.0.Final")
        api("io.netty:netty-codec-http2:4.2.0.Final")
        api("io.netty:netty-codec-socks:4.2.0.Final")
        api("io.netty:netty-common:4.2.0.Final")
        api("io.netty:netty-handler:4.2.0.Final")
        api("io.netty:netty-handler-proxy:4.2.0.Final")
        api("io.netty:netty-resolver:4.2.0.Final")
        api("io.netty:netty-transport:4.2.0.Final")
        api("io.netty:netty-transport-native-unix-common:4.2.0.Final")
        api("org.jetbrains.kotlin:kotlin-stdlib:2.1.20")
        api("org.jetbrains.kotlin:kotlin-stdlib-common:2.1.20")
        api("org.jetbrains.kotlin:kotlin-stdlib-jdk7:2.1.20")
        api("org.jetbrains.kotlin:kotlin-stdlib-jdk8:2.1.20")
    }
}

ktlint {
    android = true
    debug = true
    enableExperimentalRules = true
    ignoreFailures = true
    relative = true
    verbose = true

    outputToConsole = true
    coloredOutput = true
    outputColorName = "RED"

    reporters {
        reporter(ReporterType.CHECKSTYLE)
        reporter(ReporterType.HTML)
        reporter(ReporterType.JSON)
        reporter(ReporterType.PLAIN)
        reporter(ReporterType.PLAIN_GROUP_BY_FILE)
        reporter(ReporterType.SARIF)
    }
}

dependencyAnalysis {  // `com.autonomousapps.build-health` plugin
    structure {
        ignoreKtx(true)
    }
}

dependencyCheck {  // `org.owasp.dependencycheck` plugin
    format = "ALL"
    outputDirectory = "$rootDir/build/reports/dependency-check"
    failOnError = true

    nvd {
        apiKey = "***MASKED***OUT***"  // Obtained from https://nvd.nist.gov/developers/request-an-api-key
    }
}

/app/build.gradle.kts:

plugins {
    id("com.android.application")
    id("com.google.devtools.ksp")
    id("org.jetbrains.kotlin.android")
    id("de.mannodermaus.android-junit5") version "1.12.0.0"  // JUnit5 support for tests
    id("org.owasp.dependencycheck")
}

if (file("../signing.gradle.kts").exists()) {
    apply("../signing.gradle.kts")
}

kotlin {
    jvmToolchain(17)
}

android {
    namespace = "com.project"

    compileSdk = 36  // 36 = BAKLAVA (Android 16)
    buildToolsVersion = "36.0.0"

    defaultConfig {
        applicationId = namespace

        minSdk = 24  // 24 = N (Android 7 Nougat)
        targetSdk = 36  // 36 = BAKLAVA (Android 16)
        val versCode: String by project  // From gradle.properties
        val version: String by project  // From gradle.properties
        versionCode = versCode.toInt()
        versionName = version
        testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
    }

    buildFeatures {
        viewBinding = true
        buildConfig = true
    }

    compileOptions {
        sourceCompatibility = JavaVersion.VERSION_17
        targetCompatibility = JavaVersion.VERSION_17

        isCoreLibraryDesugaringEnabled = true
    }

    kotlinOptions {
        jvmTarget = JavaVersion.VERSION_17.toString()
    }

    externalNativeBuild {
        cmake {
            version = "3.31.6+"
            path("src/main/CMakeLists.txt")
        }
    }

    ndkVersion = "28.1.13356709"
}

val daggerVersion = "2.56.2"
val lifecycleVersion = "2.8.7"
val splittiesVersion = "3.0.0"

dependencies {
    // Java
    implementation("javax.inject:javax.inject:1")

    // Kotlin
    implementation("org.jetbrains.kotlin:kotlin-stdlib:2.1.20")
    implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:1.10.2")
    runtimeOnly("org.jetbrains.kotlinx:kotlinx-coroutines-android:1.10.2")

    // Android
    implementation("androidx.activity:activity-ktx:1.10.1")
    implementation("androidx.annotation:annotation:1.9.1")
    implementation("androidx.appcompat:appcompat:1.7.0")
    implementation("androidx.biometric:biometric:1.1.0")
    implementation("androidx.constraintlayout:constraintlayout:2.2.1")
    implementation("androidx.coordinatorlayout:coordinatorlayout:1.3.0")
    implementation("androidx.core:core-ktx:1.16.0")
    implementation("androidx.core:core-splashscreen:1.0.1")
    implementation("androidx.fragment:fragment-ktx:1.8.6")
    implementation("androidx.recyclerview:recyclerview:1.4.0")
    implementation("androidx.viewpager2:viewpager2:1.1.0")
    coreLibraryDesugaring("com.android.tools:desugar_jdk_libs:2.1.5")
    implementation("com.google.android.gms:play-services-tasks:18.3.0")
    implementation("com.google.android.material:material:1.12.0")
    implementation("com.google.android.play:app-update:2.1.0")
    //implementation("com.google.android.play:app-update-ktx:2.1.0")

    // Lifecycle
    implementation("androidx.lifecycle:lifecycle-common:$lifecycleVersion")
    implementation("androidx.lifecycle:lifecycle-livedata-core-ktx:$lifecycleVersion")
    implementation("androidx.lifecycle:lifecycle-viewmodel-ktx:$lifecycleVersion")  // It should be like this, do not remove `-ktx`

    // Dagger
    implementation("com.google.dagger:dagger:$daggerVersion")
    annotationProcessor("com.google.dagger:dagger-compiler:$daggerVersion")
    ksp("com.google.dagger:dagger-compiler:$daggerVersion")

    // Splitties
    implementation("com.louiscad.splitties:splitties-checkedlazy:$splittiesVersion")
    implementation("com.louiscad.splitties:splitties-snackbar:$splittiesVersion")
    implementation("com.louiscad.splitties:splitties-resources:$splittiesVersion")
    implementation("com.louiscad.splitties:splitties-systemservices:$splittiesVersion")
    implementation("com.louiscad.splitties:splitties-views:$splittiesVersion")
    implementation("com.louiscad.splitties:splitties-views-dsl:$splittiesVersion")

    // QR code scanner
    implementation("com.google.zxing:core:3.5.3")
    implementation("com.journeyapps:zxing-android-embedded:4.3.0")

    // Other third-party libraries
    implementation("com.airbnb.android:lottie:6.6.6")
    implementation("com.github.artjimlop:altex-image-downloader:f782f23d")
    implementation("com.github.Omega-R:OmegaCenterIconButton:0.0.6@aar")
    implementation("com.github.terrakok:cicerone:7.1")
    implementation("dev.chrisbanes.insetter:insetter:0.6.1")
    implementation("me.saket:better-link-movement-method:2.2.0")

    // Additional lint checks
    lintChecks("dev.saurabharora.lint.checks:dark-theme-lint:2.0.0")

    // Tests
    androidTestImplementation("androidx.test:monitor:1.7.2")
    androidTestImplementation("androidx.test:runner:1.6.2")

    // JUnit5
    testImplementation(platform("org.junit:junit-bom:5.12.2"))
    androidTestImplementation("org.junit.jupiter:junit-jupiter-api:5.12.2")
    testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine:5.12.2")

    // Espresso
    androidTestImplementation("androidx.test.espresso:espresso-core:3.6.1")
    //noinspection NewerVersionAvailable  // `espresso` 3.6.1 requires hamcrest 1.3
    androidTestImplementation("org.hamcrest:hamcrest-core:1.3!!")
    //noinspection NewerVersionAvailable  // `espresso` 3.6.1 requires hamcrest 1.3
    androidTestImplementation("org.hamcrest:hamcrest-library:1.3!!")
}

This is how I check that constraints actually work:

.\gradlew reason --id org.jetbrains.kotlin:kotlin-stdlib-common:1.5.30:

...
> Task :app:reason FAILED

[Incubating] Problems report is available at: file:///.../build/reports/problems/problems-report.html

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:reason'.
> A failure occurred while executing com.autonomousapps.tasks.ReasonTask$ExplainDependencyAdviceAction
   > Could not create an instance of type com.autonomousapps.tasks.ReasonTask$ExplainDependencyAdviceAction.
      > There is no dependency with coordinates 'org.jetbrains.kotlin:kotlin-stdlib-common:1.5.30' in this project.
...

.\gradlew reason --id org.jetbrains.kotlin:kotlin-stdlib-common:2.1.20:

...
> Task :app:reason

------------------------------------------------------------
You asked about the dependency 'org.jetbrains.kotlin:kotlin-stdlib-common:2.1.20'.
There is no advice regarding this dependency.
------------------------------------------------------------

Shortest path from :app to org.jetbrains.kotlin:kotlin-stdlib-common:2.1.20 for releaseCompileClasspath:
:app
\--- com.louiscad.splitties:splitties-views-dsl:3.0.0
      \--- com.louiscad.splitties:splitties-views-dsl-android:3.0.0
            \--- com.louiscad.splitties:splitties-experimental:3.0.0
                  \--- com.louiscad.splitties:splitties-experimental-jvm:3.0.0
                        \--- org.jetbrains.kotlin:kotlin-stdlib-common:2.1.20

...

Source: release, main
---------------------
(no usages)
...
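An added example, not part of the issue author's build and not the plugin's own code, to illustrate one reason such findings can persist. Constraints declared in a `java-platform` root project only reach a consumer that declares that platform (for example `implementation(platform(project(":")))`); they do not flow into every configuration of `:app`, and `dependencyCheckAnalyze` resolves all resolvable configurations of a project, including tool classpaths such as lint, KSP and the Kotlin compiler, not just `releaseCompileClasspath`. The snippet below, meant for `/app/build.gradle.kts`, declares the pins directly on each resolvable configuration of `:app`. The coordinates are a subset of the ones listed in the issue; `pinnedTransitives` is an arbitrary local name chosen here.

```kotlin
// Added example for /app/build.gradle.kts (not from the issue author's build).
// A java-platform's constraints apply only to consumers of that platform; the
// scanner, however, resolves every resolvable configuration of :app. Declaring
// the constraints on each of those configurations makes the pin effective in
// the same scopes the scanner looks at.
val pinnedTransitives = listOf(   // subset of the coordinates from the issue
    "io.netty:netty-common:4.2.0.Final",
    "io.netty:netty-handler:4.2.0.Final",
    "io.grpc:grpc-core:1.72.0",
    "com.google.protobuf:protobuf-java:4.30.2",
)

configurations.configureEach {
    // Consumable-only configurations are never resolved, so only the
    // resolvable ones need the constraint.
    if (isCanBeResolved) {
        pinnedTransitives.forEach { notation ->
            // `project.dependencies` is used explicitly: inside this lambda a
            // bare `dependencies` would refer to Configuration.getDependencies().
            dependencyConstraints.add(project.dependencies.constraints.create(notation))
        }
    }
}
```

To confirm which version a given configuration actually selects, and why, run `.\gradlew :app:dependencyInsight --configuration releaseRuntimeClasspath --dependency io.netty:netty-common` (substitute any configuration name shown by `.\gradlew :app:dependencies`); the output names the selected version and the constraint or rule that chose it. Two caveats: pinning a major-version jump such as Netty 4.1 to 4.2 into a tool's own classpath (lint, KSP) can break that tool, so check those configurations after adding the constraints; and findings reported under the root project (the `ktlint`/`logback` entries above) come from the root project's configurations, which need their own constraints in `/build.gradle.kts` rather than in `:app`. The plugin extension also accepts `scanConfigurations` and `skipConfigurations` lists if a tool classpath should be excluded from the scan deliberately.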
