[Gradle] Flaky dependency version detection for sub-projects
Hi, in a multi-module gradle project, if ONE of the sub-projects doesn't have a version defined, the tool inaccurately attributes that to at least one of the other sub-projects too. Example repo with sbom: https://github.com/ajmalab/dependency-diff-check
In the linked project, only the sub-project dependency-diff-check-service is missing a version. But if you look at the sbom, the other sub-project dependency-diff-check-common-core is also assigned the version "latest" despite having a version explicitly specified.
This is not a problem when versions are specified for ALL sub-projects.
Update on this issue: the versions are most likely being mixed up. Found instances where one sub-project had the version of another sub-project in the same project. Also, sometimes the sub-projects are suffixed with @project instead of the version even when the version is specified.
@ajmalab Would you like to join Discord, since it would be easier to share test cases and results? https://discord.gg/pF4BYWEJcS
Oh, forgot and abandoned that when the link didn't work last time, will try again.
@ajmalab if you could share the output of the gradle properties command, we can improve the version detection. To me the sbom looks correct for this particular project, so not sure if it is related to the version of java used?