Reputation: 55
I want to understand how my local cache (.gradle/caches/modules-2/files-2) gets built. I wiped my local cache and have one Java project with a build file where I don't declare any dependencies. I only declared one plugin, 'java', ran build, and my cache filled with a bunch of libraries, where I see log4j v1.2.12 and guava v17, which are known for their vulnerabilities. I upgraded my Gradle and Gradle wrapper to version 6.5, deleted my cache and ran ./gradlew build --refresh-dependencies; the same log4j and guava versions got loaded again. My understanding is that the local cache gets dependencies loaded from the Gradle plugins declared in the build file. Is it possible to control this kind of dependency in terms of what version is used?
Upvotes: 0
Views: 184
Reputation: 2438
Not replicable
~/projects/tmp_gradle/caches/modules-2 is still empty after all builds
export GRADLE_USER_HOME=~/projects/tmp_gradle
a simple build.gradle
plugins {
    id 'java'
}
console log for the runs
-bash$ gradle build --refresh-dependencies
BUILD SUCCESSFUL in 618ms
1 actionable task: 1 executed
-bash$ ./gradlew build --refresh-dependencies
Downloading https://services.gradle.org/distributions/gradle-6.1-bin.zip
.........10%.........20%.........30%..........40%.........50%.........60%..........70%.........80%.........90%.........100%
BUILD SUCCESSFUL in 15s
1 actionable task: 1 up-to-date
-bash$ ./gradlew build --refresh-dependencies
Downloading https://services.gradle.org/distributions/gradle-6.5-bin.zip
.........10%..........20%..........30%..........40%.........50%..........60%..........70%..........80%.........90%..........100%
Welcome to Gradle 6.5!
BUILD SUCCESSFUL in 18s
1 actionable task: 1 executed
Upvotes: 1
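To check what a build actually put into the module cache discussed above, the cache can be inventoried directly. This is an added example, not code from either poster or from Gradle; it assumes the usual layout caches/modules-2/files-2.x/<group>/<artifact>/<version>/<sha1>/<file>, honours GRADLE_USER_HOME as the answer does, and uses a constructed watchlist and a constructed sample tree.

```python
import os
import tempfile
from pathlib import Path

# Versions named in the question (guava v17 is published as 17.0); extend as needed.
WATCHLIST = {("log4j", "log4j"): {"1.2.12"}, ("com.google.guava", "guava"): {"17.0"}}

def gradle_user_home(env=None):
    """GRADLE_USER_HOME if set (as in the answer), else ~/.gradle."""
    env = os.environ if env is None else env
    return Path(env.get("GRADLE_USER_HOME") or Path.home() / ".gradle")

def cached_modules(user_home):
    """Yield (group, artifact, version, filename) for every file in the module cache."""
    base = Path(user_home) / "caches" / "modules-2"
    for store in sorted(base.glob("files-2*")):       # files-2.1 on current Gradle
        for f in sorted(store.glob("*/*/*/*/*")):     # group/artifact/version/sha1/file
            if f.is_file():
                group, artifact, version = f.relative_to(store).parts[:3]
                yield group, artifact, version, f.name

def flagged(user_home, watchlist=WATCHLIST):
    """Return sorted group:artifact:version coordinates of cached jars on the watchlist."""
    hits = set()
    for group, artifact, version, name in cached_modules(user_home):
        # Only count downloaded jars; a cached .pom alone means metadata was resolved.
        if name.endswith(".jar") and version in watchlist.get((group, artifact), ()):
            hits.add(f"{group}:{artifact}:{version}")
    return sorted(hits)

def make_sample_cache(root):
    """Constructed cache tree for the demo; the sha1 directory name is a placeholder."""
    for g, a, v in [("log4j", "log4j", "1.2.12"), ("com.google.guava", "guava", "17.0"),
                    ("com.google.guava", "guava", "28.2-jre")]:
        d = Path(root) / "caches/modules-2/files-2.1" / g / a / v / "sha1-placeholder"
        d.mkdir(parents=True)
        (d / f"{a}-{v}.jar").write_bytes(b"")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("sample:", flagged(make_sample_cache(tmp)))
    print("local :", flagged(gradle_user_home()))
```

An empty result on a freshly wiped GRADLE_USER_HOME matches the answer's observation; a non-empty one shows exactly which coordinates to trace back with the build's dependency reports.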