Prohibit unwanted dependencies in all modules not just starters

Closes gh-28658

Author: wilkinsona

buildSrc/src/main/java/org/springframework/boot/build/JavaConventions.java

@@ -48,9 +48,11 @@
 import org.gradle.testretry.TestRetryPlugin;
 import org.gradle.testretry.TestRetryTaskExtension;
 
+import org.springframework.boot.build.classpath.CheckClasspathForProhibitedDependencies;
 import org.springframework.boot.build.optional.OptionalDependenciesPlugin;
 import org.springframework.boot.build.testing.TestFailuresPlugin;
 import org.springframework.boot.build.toolchain.ToolchainPlugin;
+import org.springframework.util.StringUtils;
 
 /**
  * Conventions that are applied in the presence of the {@link JavaBasePlugin}. When the
@@ -112,6 +114,7 @@ void apply(Project project) {
 			configureJarManifestConventions(project);
 			configureDependencyManagement(project);
 			configureToolchain(project);
+			configureProhibitedDependencyChecks(project);
 		});
 	}
 
@@ -239,4 +242,26 @@ private void configureToolchain(Project project) {
 		project.getPlugins().apply(ToolchainPlugin.class);
 	}
 
+	private void configureProhibitedDependencyChecks(Project project) {
+		SourceSetContainer sourceSets = project.getExtensions().getByType(SourceSetContainer.class);
+		sourceSets.all((sourceSet) -> createProhibitedDependenciesChecks(project,
+				sourceSet.getCompileClasspathConfigurationName(), sourceSet.getRuntimeClasspathConfigurationName()));
+	}
+
+	private void createProhibitedDependenciesChecks(Project project, String... configurationNames) {
+		ConfigurationContainer configurations = project.getConfigurations();
+		for (String configurationName : configurationNames) {
+			Configuration configuration = configurations.getByName(configurationName);
+			createProhibitedDependenciesCheck(configuration, project);
+		}
+	}
+
+	private void createProhibitedDependenciesCheck(Configuration classpath, Project project) {
+		CheckClasspathForProhibitedDependencies checkClasspathForProhibitedDependencies = project.getTasks().create(
+				"check" + StringUtils.capitalize(classpath.getName() + "ForProhibitedDependencies"),
+				CheckClasspathForProhibitedDependencies.class);
+		checkClasspathForProhibitedDependencies.setClasspath(classpath);
+		project.getTasks().getByName(JavaBasePlugin.CHECK_TASK_NAME).dependsOn(checkClasspathForProhibitedDependencies);
+	}
+
 }

buildSrc/src/main/java/org/springframework/boot/build/classpath/CheckClasspathForProhibitedDependencies.java

@@ -70,6 +70,12 @@ private boolean prohibited(ModuleVersionIdentifier id) {
 		if (group.equals("javax.batch")) {
 			return false;
 		}
+		if (group.equals("javax.cache")) {
+			return false;
+		}
+		if (group.equals("javax.money")) {
+			return false;
+		}
 		if (group.startsWith("javax")) {
 			return true;
 		}

buildSrc/src/main/java/org/springframework/boot/build/starters/StarterPlugin.java

@@ -33,7 +33,6 @@
 import org.springframework.boot.build.ConventionsPlugin;
 import org.springframework.boot.build.DeployedPlugin;
 import org.springframework.boot.build.classpath.CheckClasspathForConflicts;
-import org.springframework.boot.build.classpath.CheckClasspathForProhibitedDependencies;
 import org.springframework.boot.build.classpath.CheckClasspathForUnnecessaryExclusions;
 import org.springframework.util.StringUtils;
 
@@ -62,7 +61,6 @@ public void apply(Project project) {
 		project.getArtifacts().add("starterMetadata", project.provider(starterMetadata::getDestination),
 				(artifact) -> artifact.builtBy(starterMetadata));
 		createClasspathConflictsCheck(runtimeClasspath, project);
-		createProhibitedDependenciesCheck(runtimeClasspath, project);
 		createUnnecessaryExclusionsCheck(runtimeClasspath, project);
 		configureJarManifest(project);
 	}
@@ -75,14 +73,6 @@ private void createClasspathConflictsCheck(Configuration classpath, Project proj
 		project.getTasks().getByName(JavaBasePlugin.CHECK_TASK_NAME).dependsOn(checkClasspathForConflicts);
 	}
 
-	private void createProhibitedDependenciesCheck(Configuration classpath, Project project) {
-		CheckClasspathForProhibitedDependencies checkClasspathForProhibitedDependencies = project.getTasks().create(
-				"check" + StringUtils.capitalize(classpath.getName() + "ForProhibitedDependencies"),
-				CheckClasspathForProhibitedDependencies.class);
-		checkClasspathForProhibitedDependencies.setClasspath(classpath);
-		project.getTasks().getByName(JavaBasePlugin.CHECK_TASK_NAME).dependsOn(checkClasspathForProhibitedDependencies);
-	}
-
 	private void createUnnecessaryExclusionsCheck(Configuration classpath, Project project) {
 		CheckClasspathForUnnecessaryExclusions checkClasspathForUnnecessaryExclusions = project.getTasks().create(
 				"check" + StringUtils.capitalize(classpath.getName() + "ForUnnecessaryExclusions"),

buildSrc/src/test/java/org/springframework/boot/build/ConventionsPluginTests.java

@@ -105,6 +105,12 @@ void sourceJarIsBuilt() throws IOException {
 			out.println("version = '1.2.3'");
 			out.println("sourceCompatibility = '1.8'");
 			out.println("description 'Test'");
+			out.println("repositories {");
+			out.println("    mavenCentral()");
+			out.println("}");
+			out.println("dependencies {");
+			out.println("    implementation(platform(\"org.junit:junit-bom:5.6.0\"))");
+			out.println("}");
 		}
 		runGradle("build");
 		File file = new File(this.projectDir, "/build/libs/" + this.projectDir.getName() + "-1.2.3-sources.jar");
@@ -134,6 +140,12 @@ void javadocJarIsBuilt() throws IOException {
 			out.println("version = '1.2.3'");
 			out.println("sourceCompatibility = '1.8'");
 			out.println("description 'Test'");
+			out.println("repositories {");
+			out.println("    mavenCentral()");
+			out.println("}");
+			out.println("dependencies {");
+			out.println("    implementation(platform(\"org.junit:junit-bom:5.6.0\"))");
+			out.println("}");
 		}
 		runGradle("build");
 		File file = new File(this.projectDir, "/build/libs/" + this.projectDir.getName() + "-1.2.3-javadoc.jar");

spring-boot-project/spring-boot-actuator-autoconfigure/build.gradle

@@ -26,7 +26,9 @@ dependencies {
 	implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
 
 	optional("ch.qos.logback:logback-classic")
-	optional("com.datastax.oss:java-driver-core")
+	optional("com.datastax.oss:java-driver-core") {
+		exclude group: "org.slf4j", module: "jcl-over-slf4j"
+	}
 	optional("com.fasterxml.jackson.dataformat:jackson-dataformat-xml")
 	optional("com.github.ben-manes.caffeine:caffeine")
 	optional("com.hazelcast:hazelcast")
@@ -38,7 +40,9 @@ dependencies {
 	optional("io.micrometer:micrometer-core")
 	optional("io.micrometer:micrometer-jersey2")
 	optional("io.micrometer:micrometer-registry-appoptics")
-	optional("io.micrometer:micrometer-registry-atlas")
+	optional("io.micrometer:micrometer-registry-atlas") {
+		exclude group: "javax.inject", module: "javax.inject"
+	}
 	optional("io.micrometer:micrometer-registry-datadog")
 	optional("io.micrometer:micrometer-registry-dynatrace")
 	optional("io.micrometer:micrometer-registry-elastic")
@@ -50,37 +54,59 @@ dependencies {
 	optional("io.micrometer:micrometer-registry-kairos")
 	optional("io.micrometer:micrometer-registry-new-relic")
 	optional("io.micrometer:micrometer-registry-prometheus")
-	optional("io.micrometer:micrometer-registry-stackdriver")
-	optional("io.prometheus:simpleclient_pushgateway")
+	optional("io.micrometer:micrometer-registry-stackdriver") {
+		exclude group: "commons-logging", module: "commons-logging"
+		exclude group: "javax.annotation", module: "javax.annotation-api"
+	}
+	optional("io.prometheus:simpleclient_pushgateway") {
+		exclude group: "javax.xml.bind", module: "jaxb-api"
+	}
 	optional("io.micrometer:micrometer-registry-signalfx")
 	optional("io.micrometer:micrometer-registry-statsd")
 	optional("io.micrometer:micrometer-registry-wavefront")
 	optional("io.projectreactor.netty:reactor-netty-http")
 	optional("io.r2dbc:r2dbc-pool")
 	optional("io.r2dbc:r2dbc-spi")
 	optional("jakarta.jms:jakarta.jms-api")
+	optional("jakarta.persistence:jakarta.persistence-api")
 	optional("jakarta.servlet:jakarta.servlet-api")
 	optional("javax.cache:cache-api")
 	optional("net.sf.ehcache:ehcache")
-	optional("org.apache.activemq:activemq-broker")
-	optional("org.apache.commons:commons-dbcp2")
+	optional("org.apache.activemq:activemq-broker") {
+		exclude group: "org.apache.geronimo.specs", module: "geronimo-jms_1.1_spec"
+		exclude group: "org.apache.geronimo.specs", module: "geronimo-j2ee-management_1.1_spec"
+	}
+	optional("org.apache.commons:commons-dbcp2") {
+		exclude group: "commons-logging", module: "commons-logging"
+	}
 	optional("org.apache.kafka:kafka-clients")
 	optional("org.apache.kafka:kafka-streams")
 	optional("org.apache.tomcat.embed:tomcat-embed-core")
 	optional("org.apache.tomcat.embed:tomcat-embed-el")
 	optional("org.apache.tomcat:tomcat-jdbc")
 	optional("org.aspectj:aspectjweaver")
-	optional("org.eclipse.jetty:jetty-server")
+	optional("org.eclipse.jetty:jetty-server") {
+		exclude group: "javax.servlet", module: "javax.servlet-api"
+	}
 	optional("org.elasticsearch:elasticsearch")
-	optional("org.elasticsearch.client:elasticsearch-rest-client")
+	optional("org.elasticsearch.client:elasticsearch-rest-client") {
+		exclude group: "commons-logging", module: "commons-logging"
+	}
 	optional("org.flywaydb:flyway-core")
 	optional("org.glassfish.jersey.core:jersey-server")
 	optional("org.glassfish.jersey.containers:jersey-container-servlet-core")
-	optional("org.hibernate:hibernate-core")
+	optional("org.hibernate:hibernate-core") {
+		exclude group: "javax.activation", module: "javax.activation-api"
+		exclude group: "javax.persistence", module: "javax.persistence-api"
+		exclude group: "javax.xml.bind", module: "jaxb-api"
+		exclude group: "org.jboss.spec.javax.transaction", module: "jboss-transaction-api_1.2_spec"
+	}
 	optional("org.hibernate.validator:hibernate-validator")
 	optional("org.influxdb:influxdb-java")
 	optional("org.jolokia:jolokia-core")
-	optional("org.liquibase:liquibase-core")
+	optional("org.liquibase:liquibase-core") {
+		exclude group: "javax.xml.bind", module: "jaxb-api"
+	}
 	optional("org.mongodb:mongodb-driver-reactivestreams")
 	optional("org.mongodb:mongodb-driver-sync")
 	optional("org.neo4j.driver:neo4j-java-driver")
@@ -90,12 +116,16 @@ dependencies {
 	optional("org.springframework:spring-webflux")
 	optional("org.springframework:spring-webmvc")
 	optional("org.springframework.amqp:spring-rabbit")
-	optional("org.springframework.data:spring-data-cassandra")
+	optional("org.springframework.data:spring-data-cassandra") {
+		exclude group: "org.slf4j", module: "jcl-over-slf4j"
+	}
 	optional("org.springframework.data:spring-data-couchbase")
 	optional("org.springframework.data:spring-data-ldap")
 	optional("org.springframework.data:spring-data-mongodb")
 	optional("org.springframework.data:spring-data-redis")
-	optional("org.springframework.data:spring-data-elasticsearch")
+	optional("org.springframework.data:spring-data-elasticsearch") {
+		exclude group: "commons-logging", module: "commons-logging"
+	}
 	optional("org.springframework.data:spring-data-solr")
 	optional("org.springframework.integration:spring-integration-core")
 	optional("org.springframework.kafka:spring-kafka")
@@ -112,15 +142,17 @@ dependencies {
 	testImplementation("com.jayway.jsonpath:json-path")
 	testImplementation("io.undertow:undertow-core")
 	testImplementation("io.undertow:undertow-servlet") {
-		exclude group: "org.jboss.spec.javax.annotation", module: "jboss-annotations-api_1.2_spec"
+		exclude group: "org.jboss.spec.javax.annotation", module: "jboss-annotations-api_1.3_spec"
 		exclude group: "org.jboss.spec.javax.servlet", module: "jboss-servlet-api_4.0_spec"
 	}
-	testImplementation("javax.xml.bind:jaxb-api")
+	testImplementation("jakarta.xml.bind:jakarta.xml.bind-api")
 	testImplementation("org.apache.logging.log4j:log4j-to-slf4j")
 	testImplementation("org.aspectj:aspectjrt")
 	testImplementation("org.assertj:assertj-core")
 	testImplementation("org.awaitility:awaitility")
-	testImplementation("org.eclipse.jetty:jetty-webapp")
+	testImplementation("org.eclipse.jetty:jetty-webapp") {
+		exclude group: "javax.servlet", module: "javax.servlet-api"
+	}
 	testImplementation("org.glassfish.jersey.ext:jersey-spring5")
 	testImplementation("org.glassfish.jersey.media:jersey-media-json-jackson")
 	testImplementation("org.hamcrest:hamcrest")
@@ -130,16 +162,17 @@ dependencies {
 	testImplementation("org.mockito:mockito-junit-jupiter")
 	testImplementation("org.skyscreamer:jsonassert")
 	testImplementation("org.springframework:spring-orm")
-	testImplementation("org.springframework.data:spring-data-elasticsearch") {
-		exclude group: "org.elasticsearch.client", module: "transport"
-	}
 	testImplementation("org.springframework.data:spring-data-rest-webmvc")
 	testImplementation("org.springframework.integration:spring-integration-jmx")
-	testImplementation("org.springframework.restdocs:spring-restdocs-mockmvc")
+	testImplementation("org.springframework.restdocs:spring-restdocs-mockmvc") {
+		exclude group: "javax.servlet", module: "javax.servlet-api"
+	}
 	testImplementation("org.springframework.restdocs:spring-restdocs-webtestclient")
 	testImplementation("org.springframework.security:spring-security-test")
 	testImplementation("org.yaml:snakeyaml")
 
+	testRuntimeOnly("jakarta.management.j2ee:jakarta.management.j2ee-api")
+	testRuntimeOnly("jakarta.transaction:jakarta.transaction-api")
 	testRuntimeOnly("org.springframework.security:spring-security-oauth2-jose")
 	testRuntimeOnly("org.springframework.security:spring-security-oauth2-resource-server")
 	testRuntimeOnly("org.springframework.security:spring-security-saml2-service-provider")

spring-boot-project/spring-boot-actuator/build.gradle

@@ -11,7 +11,9 @@ description = "Spring Boot Actuator"
 dependencies {
 	api(project(":spring-boot-project:spring-boot"))
 
-	optional("com.datastax.oss:java-driver-core")
+	optional("com.datastax.oss:java-driver-core") {
+		exclude group: "org.slf4j", module: "jcl-over-slf4j"
+	}
 	optional("com.fasterxml.jackson.core:jackson-databind")
 	optional("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
 	optional("com.github.ben-manes.caffeine:caffeine")
@@ -22,28 +24,36 @@ dependencies {
 	optional("io.lettuce:lettuce-core")
 	optional("io.micrometer:micrometer-core")
 	optional("io.micrometer:micrometer-registry-prometheus")
-	optional("io.prometheus:simpleclient_pushgateway")
+	optional("io.prometheus:simpleclient_pushgateway") {
+		exclude(group: "javax.xml.bind", module: "jaxb-api")
+	}
 	optional("io.r2dbc:r2dbc-pool")
 	optional("io.r2dbc:r2dbc-spi")
 	optional("io.reactivex:rxjava-reactive-streams")
-	optional("org.elasticsearch.client:elasticsearch-rest-client")
+	optional("org.elasticsearch.client:elasticsearch-rest-client") {
+		exclude(group: "commons-logging", module: "commons-logging")
+	}
 	optional("io.undertow:undertow-servlet") {
-		exclude group: "org.jboss.spec.javax.annotation", module: "jboss-annotations-api_1.2_spec"
+		exclude group: "org.jboss.spec.javax.annotation", module: "jboss-annotations-api_1.3_spec"
 		exclude group: "org.jboss.spec.javax.servlet", module: "jboss-servlet-api_4.0_spec"
 	}
 	optional("javax.cache:cache-api")
-	optional("javax.jms:javax.jms-api")
+	optional("jakarta.jms:jakarta.jms-api")
 	optional("net.sf.ehcache:ehcache")
 	optional("org.apache.tomcat.embed:tomcat-embed-core")
 	optional("org.aspectj:aspectjweaver")
-	optional("org.eclipse.jetty:jetty-server")
+	optional("org.eclipse.jetty:jetty-server")  {
+		exclude(group: "javax.servlet", module: "javax.servlet-api")
+	}
 	optional("org.elasticsearch:elasticsearch")
 	optional("org.flywaydb:flyway-core")
 	optional("org.glassfish.jersey.core:jersey-server")
 	optional("org.glassfish.jersey.containers:jersey-container-servlet-core")
 	optional("org.hibernate.validator:hibernate-validator")
 	optional("org.influxdb:influxdb-java")
-	optional("org.liquibase:liquibase-core")
+	optional("org.liquibase:liquibase-core") {
+		exclude(group: "javax.xml.bind", module: "jaxb-api")
+	}
 	optional("org.mongodb:mongodb-driver-reactivestreams")
 	optional("org.mongodb:mongodb-driver-sync")
 	optional("org.neo4j.driver:neo4j-java-driver")
@@ -53,9 +63,13 @@ dependencies {
 	optional("org.springframework:spring-web")
 	optional("org.springframework:spring-webmvc")
 	optional("org.springframework.amqp:spring-rabbit")
-	optional("org.springframework.data:spring-data-cassandra")
+	optional("org.springframework.data:spring-data-cassandra") {
+		exclude group: "org.slf4j", module: "jcl-over-slf4j"
+	}
 	optional("org.springframework.data:spring-data-couchbase")
-	optional("org.springframework.data:spring-data-elasticsearch")
+	optional("org.springframework.data:spring-data-elasticsearch")  {
+		exclude(group: "commons-logging", module: "commons-logging")
+	}
 	optional("org.springframework.data:spring-data-ldap")
 	optional("org.springframework.data:spring-data-mongodb")
 	optional("org.springframework.data:spring-data-redis")
@@ -86,7 +100,7 @@ dependencies {
 	testImplementation("org.testcontainers:junit-jupiter")
 
 	testRuntimeOnly("io.projectreactor.netty:reactor-netty-http")
-	testRuntimeOnly("javax.xml.bind:jaxb-api")
+	testRuntimeOnly("jakarta.xml.bind:jakarta.xml.bind-api")
 	testRuntimeOnly("org.apache.tomcat.embed:tomcat-embed-el")
 	testRuntimeOnly("org.glassfish.jersey.ext:jersey-spring5")
 	testRuntimeOnly("org.hsqldb:hsqldb")