Update 2 dependencies in the same group with gradle configuration.all
Problem description
As we want to (easily) fix all the log4j/Logback vulnerabilities, we tried to do this in build.gradle.kts:
configurations.all {
    resolutionStrategy.eachDependency {
        if (requested.group == "org.apache.logging.log4j" && requested.version!! < "2.16.0") {
            useVersion("2.16.0")
            because("To avoid RCE vulnerability.")
        }
        if (requested.group == "ch.qos.logback" && requested.name == "logback-classic" && requested.version!! < "1.2.8") {
            useVersion("1.2.8")
            because("To avoid RCE vulnerability.")
        }
        if (requested.group == "ch.qos.logback" && requested.name == "logback-core" && requested.version!! < "1.2.8") {
            useVersion("1.2.8")
            because("To avoid RCE vulnerability.")
        }
    }
}
But it only changes logback-core and not logback-classic (if I remove logback-core, then it works for classic...).
Recommended answer
I feel a bit silly now.
You have to use <= on the version, not <.
It works better than expected:
configurations.all {
    resolutionStrategy.eachDependency {
        if (requested.group == "org.apache.logging.log4j" && requested.version!! <= "2.16.0") {
            useVersion("2.16.0")
            because("To avoid RCE vulnerability.")
        }
        if (requested.group == "ch.qos.logback" && requested.name == "logback-classic" && requested.version!! <= "1.2.8") {
            useVersion("1.2.8")
            because("To avoid RCE vulnerability.")
        }
        if (requested.group == "ch.qos.logback" && requested.name == "logback-core" && requested.version!! <= "1.2.8") {
            useVersion("1.2.8")
            because("To avoid RCE vulnerability.")
        }
    }
}
You can even make it simpler:
configurations.all {
    resolutionStrategy.eachDependency {
        if (requested.group == "org.apache.logging.log4j" && requested.version!! <= "2.16.0") {
            useVersion("2.16.0")
            because("To avoid RCE vulnerability.")
        }
        if (requested.group == "ch.qos.logback" && requested.version!! <= "1.2.8") {
            useVersion("1.2.8")
            because("To avoid RCE vulnerability.")
        }
    }
}
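An added example, not part of the original question or answer: the rules above compare versions with Kotlin's string operators, which order text lexicographically (so "2.9.1" <= "2.16.0" is false and "1.2.10" <= "1.2.8" is true), and `requested.version!!` throws when a dependency is declared without a version. This variant of the rule compares the numeric components instead. `isOlderThan` and `minimumVersions` are hypothetical names introduced here; the floor versions are the ones used in the answer.

```kotlin
// build.gradle.kts
// Added example: isOlderThan and minimumVersions are hypothetical helpers,
// not part of the original post or of the Gradle API.

// True when `candidate` is numerically lower than `floor`.
// Simplification (assumption): anything after '-' (e.g. "-rc1", "-SNAPSHOT")
// is ignored, and a non-numeric component counts as 0.
fun isOlderThan(candidate: String?, floor: String): Boolean {
    // A null version means the version comes from elsewhere (e.g. a BOM);
    // leave such requests alone instead of failing on `!!`.
    if (candidate.isNullOrBlank()) return false

    fun parts(v: String): List<Int> =
        v.substringBefore('-').split('.').map { it.toIntOrNull() ?: 0 }

    val a = parts(candidate)
    val b = parts(floor)
    for (i in 0 until maxOf(a.size, b.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = b.getOrElse(i) { 0 }
        if (x != y) return x < y
    }
    return false // equal versions need no substitution
}

// Minimum acceptable version per group, taken from the answer above.
val minimumVersions = mapOf(
    "org.apache.logging.log4j" to "2.16.0",
    "ch.qos.logback" to "1.2.8",
)

configurations.all {
    resolutionStrategy.eachDependency {
        val floor = minimumVersions[requested.group]
        // Only raise versions below the floor; newer versions are left untouched.
        if (floor != null && isOlderThan(requested.version, floor)) {
            useVersion(floor)
            because("To avoid RCE vulnerability.")
        }
    }
}
```

Running `gradle dependencyInsight --dependency logback-classic --configuration runtimeClasspath` shows which version was selected and the `because` reason attached to it.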