Problem
Snyk reports a dependency, or a dependency version, that does not match what you expect when you scan a Gradle project with the Snyk CLI.
Discussion
When you scan a Gradle project with the Snyk CLI, the CLI does not work out the dependencies on its own: it asks Gradle (or the project's Gradle wrapper) on the system where the CLI is being run to resolve them. You can reproduce what Snyk does and compare the result with the Snyk output by running:
gradle dependencies -q
or, when the project ships a wrapper, ./gradlew dependencies -q (gradlew.bat dependencies -q on Windows)
Snyk takes these results and creates a configuration called snykMergedDepsConf that gathers the dependencies from all configurations. From that output Snyk builds the dependency tree (depTree) that it scans for vulnerabilities.
Resolution
It is possible that Gradle itself is reporting the wrong dependency tree or dependency version; because Snyk scans what Gradle resolves, Snyk will then report the same thing. If this is the case, troubleshoot your Gradle build using the commands in the Discussion and confirm that the version you expect is the one Gradle actually selects.
If you are overriding or forcing a dependency version, you may be doing it in a way that Gradle has deprecated. For example, from the Gradle docs:
"Forcing dependencies via ExternalDependency.setForce(boolean) is deprecated and no longer recommended; forced dependencies suffer an ordering issue which can be hard to diagnose and will not work well together with other rich version constraints. You should prefer strict versions instead. If you are authoring and publishing a library, you also need to be aware that force is not published."
To see whether this is the cause, try replacing the forced version with a strict version, as described under Overriding transitive dependency versions in the Gradle docs, and run the dependency report again.
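The following build.gradle fragment is an added illustration, not code from this page or from Snyk: it shows the deprecated force flag beside the strict version constraint that Gradle recommends instead. The module coordinates (httpclient and commons-codec) and the versions are placeholders chosen for the example; substitute the module whose version Snyk reports differently from what you expect.

```groovy
// Added illustration, not Snyk's code. Coordinates and versions are
// placeholders; replace them with the module you are troubleshooting.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // A library that pulls commons-codec in transitively. The version it
    // requests is whatever its own POM declares, not what you write here.
    implementation 'org.apache.httpcomponents:httpclient:4.5.13'

    // Deprecated approach (ExternalDependency.setForce). It depends on the
    // order in which dependencies are declared, it is not published with a
    // library, and it does not combine well with rich version constraints,
    // so the version Gradle resolves (and Snyk reports) can differ from the
    // one you forced.
    // implementation('commons-codec:commons-codec:1.15') {
    //     force = true
    // }

    // Recommended approach: a strict version constraint. A strict version
    // wins over any non-strict version requested elsewhere in the graph,
    // including transitive requests, and resolution fails outright instead
    // of silently picking another version if two strict constraints conflict.
    constraints {
        implementation('commons-codec:commons-codec') {
            version {
                strictly '1.15'
            }
            because 'pin the transitive version so the resolved tree matches expectations'
        }
    }
}
```

Gradle also accepts the shorthand 'commons-codec:commons-codec:1.15!!' for a strict version on a direct dependency. After changing the build file, confirm what Gradle selects and why with gradle dependencyInsight --dependency commons-codec --configuration runtimeClasspath; the version shown there is the one Snyk should report once you rescan.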
If you are still confident that this is a Snyk issue, submit a request to support and include in the ticket the output of:
gradle dependencies -q
or, when the project ships a wrapper, ./gradlew dependencies -q (gradlew.bat dependencies -q on Windows)
Where possible, also share a copy of your build.gradle (or build.gradle.kts) so that the problem can be reproduced and troubleshot.