Issue Description
In a Gradle project using the "Dependency Management Plugin" we can override a property as part of importing a BOM as documented here.
Now, when we want to react quickly to a security audit finding (e.g. in jackson-databind), this mechanism is quite useful since we can do something like:
```groovy
dependencyManagement {
    imports {
        mavenBom('org.springframework.boot:spring-boot-dependencies:2.1.7.RELEASE') {
            bomProperties([
                'jackson.version': '2.9.9.20190807'
            ])
        }
    }
}
```
Now I would expect this to work since there is a jackson-bom with this particular version:
```xml
<dependency>
    <groupId>com.fasterxml.jackson</groupId>
    <artifactId>jackson-bom</artifactId>
    <version>${jackson.version}</version>
    <scope>import</scope>
    <type>pom</type>
</dependency>
```
See spring-boot-dependencies/pom.xml#L642
However, this fails with:
```
Could not find com.fasterxml.jackson.core:jackson-core:2.9.9.20190807
```
This is due to the fact that the Spring `jackson.version` property seems to "shadow" the `jackson.version` property that the jackson-bom uses internally (see jackson-bom/pom.xml#L29), and Jackson recently adopted a different release scheme (FasterXML/jackson-databind#2395 (comment)).
With Maven this was probably not a problem, since this kind of property override was not allowed / documented (#12790 (comment)) and could only be done by setting the property externally with `mvn ... -Djackson.version=x.y.z`.
Standalone example
Can be found here: https://github.com/franzbecker/spring-bom-problem/blob/master/build.gradle
Related issues
#17698 previous discussion on this issue
#12790 similar discussion but the author had another issue
Possible solutions
Rename `jackson.version` to `jackson-bom.version` (proposed here #12790 (comment) as well).
I would argue that this naming would represent the semantics better as this property defines which version of the Jackson BOM is imported, not the Jackson version itself.
Another solution I could think of would be to allow a more fine-grained control of the overrides in the "Dependency Management Plugin".
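To make the shadowing concrete, the following is a small constructed model (added here for illustration, not the plugin's or Spring Boot's code) of a BOM import where `bomProperties` overrides leak into the imported BOM's own properties; the property tables, the reduced BOM contents and the repository contents are invented for the demo, and it shows why renaming the Spring property to `jackson-bom.version` avoids the conflict.

```python
"""Constructed model of BOM property overrides leaking into imported BOMs."""
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed stand-in for jackson-bom: it resolves its own artifacts via
# a property that is also called "jackson.version".
JACKSON_BOM = {
    "properties": {"jackson.version": "2.9.9", "jackson.version.databind": "2.9.9.3"},
    "managed": {
        "com.fasterxml.jackson.core:jackson-core": "${jackson.version}",
        "com.fasterxml.jackson.core:jackson-databind": "${jackson.version.databind}",
    },
}

# Constructed repository: which versions of each coordinate actually exist.
REPOSITORY = {
    "com.fasterxml.jackson:jackson-bom": {"2.9.9.20190807": JACKSON_BOM},
    "com.fasterxml.jackson.core:jackson-core": {"2.9.9"},
    "com.fasterxml.jackson.core:jackson-databind": {"2.9.9.3"},
}


def make_spring_bom(bom_property):
    """spring-boot-dependencies reduced to its jackson-bom import, with a configurable property name."""
    return {"properties": {bom_property: "2.9.9"},
            "imports": {"com.fasterxml.jackson:jackson-bom": "${%s}" % bom_property}}


def substitute(expr, props):
    return PLACEHOLDER.sub(lambda m: props[m.group(1)], expr)


def resolve(bom, overrides):
    """Return coordinate -> version, applying the overrides to this BOM and to every imported BOM."""
    props = {**bom.get("properties", {}), **overrides}
    managed = {}
    for coord, expr in bom.get("imports", {}).items():
        version = substitute(expr, props)
        child = REPOSITORY[coord].get(version)
        if child is None:
            raise LookupError(f"Could not find {coord}:{version}")
        managed.update(resolve(child, overrides))  # the override shadows the child's own property
    for coord, expr in bom.get("managed", {}).items():
        managed[coord] = substitute(expr, props)
    return managed


def missing_artifacts(managed):
    """List 'coord:version' entries that do not exist in the repository (what Gradle reports as 'Could not find')."""
    return [f"{c}:{v}" for c, v in managed.items() if v not in REPOSITORY.get(c, set())]
```

Overriding `jackson.version` with the BOM's version makes jackson-core resolve to a non-existent `2.9.9.20190807`, while overriding a dedicated `jackson-bom.version` property leaves the child's own `jackson.version` untouched.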