Skip to content

build: guard against duplicate classes using dependency analysis plugin #15341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
sanjana2505006 wants to merge 1 commit into
base: 7.0.x
Choose a base branch
from
Draft

build: guard against duplicate classes using dependency analysis plugin #15341

sanjana2505006 wants to merge 1 commit into from

Conversation

@sanjana2505006
Copy link
Contributor

@sanjana2505006 sanjana2505006 commented Jan 24, 2026

This PR introduces the Dependency Analysis Gradle Plugin (DAGP) to the build system to identify and guard against duplicate classes. This addresses the security risks associated with "Maven-Hijack" type attacks and helps ensure deterministic runtime behavior by preventing multiple dependencies from providing the same fully qualified class names.

Key Changes:

  • Applied the com.autonomousapps.dependency-analysis plugin (v3.5.1) to the root project.
  • Enabled the plugin specifically for the :grails-core module to provide a targetted security guard for the main codebase.
  • Configured global issue severity to fail in the dependencyAnalysis block to ensure any detected duplicates break the build.

Verification: Ran ./gradlew :grails-core:projectHealth, which successfully caught an existing duplicate class conflict in the :grails-core module (between jcl-over-slf4j and spring-jcl). This confirms the guard is active and effective.

This PR fixes #15329

@sanjana2505006 sanjana2505006 mentioned this pull request Jan 24, 2026
Open
@jdaugherty
Copy link
Contributor

jdaugherty commented Jan 24, 2026

I appreciate the PR for this but the examples show this as a settings plugin. We also have 4 separate gradle projects that use composite builds to combine into one (technically forge) so this change is incomplete. We also need to spend time testing this.

Can you please hold off on implementing newly opened tickets in the future? Or at least check before proceeding? This is one of those tickets that needed more investigation. While that plugin is probably the right immediate solution, we haven't discussed this in the weekly yet.

@sanjana2505006
Copy link
Contributor Author

sanjana2505006 commented Jan 24, 2026

@jdaugherty Thank you for the context, I appreciate you explaining the broader setup and the concerns around the composite builds.
That makes sense, and I agree this needs more discussion and testing before moving forward. I didn’t fully factor in the impact across the other Gradle projects.
I’ll pause further work on this and wait for direction after it’s discussed in the weekly. Going forward, I’ll make sure to check in before proceeding on newly opened tickets that may need deeper investigation.

Thank you again for the guidance.

@jdaugherty
Copy link
Contributor

jdaugherty commented Jan 25, 2026

I am going to convert this review back to a draft since this isn't complete.

@jdaugherty jdaugherty marked this pull request as draft January 25, 2026 17:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Apache Grails
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Guard against duplicate classes when building grails-core

2 participants

@sanjana2505006 @jdaugherty