Spring Boot plugin BOM support for Gradle

Improved

From March 18th 2025, Snyk's improved Gradle scanner (available in Snyk Preview) will support Spring Boot plugin BOMs.

Existing users of the new scanner should see the improved results in the next re-scan of their projects. Or, to start using the new scanner, see the documentation.

What are Spring Boot plugin BOMs?

Here is an example of a plugin BOM in a Gradle build file.

// build.gradle
plugins {
  id 'org.springframework.boot' version '3.3.1'
  id 'io.spring.dependency-management' version '1.1.4'
}
dependencies {
  implementation 'org.springframework.boot:spring-boot-starter-actuator'
  implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
  implementation 'org.springframework.boot:spring-boot-starter-security'
  implementation 'org.springframework.boot:spring-boot-starter-web'
}

Although the versions of all the dependencies in the dependencies block are omitted, Gradle resolves them to 3.3.1 because the plugins org.springframework.boot and io.spring.dependency-management implicitly introduce a BOM into the build that guides version resolution.
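As an added illustration (not Snyk's scanner code), the following Python models the resolution rule described above: a dependency declared without a version takes the Spring Boot plugin's version when both plugins are present, and otherwise stays unknown. It assumes a simplified BOM that covers only the org.springframework.boot group, whereas the real BOM also manages many third-party artifacts.

```python
import re

# Constructed sample input: the build.gradle shown above.
BUILD_GRADLE = """\
// build.gradle
plugins {
  id 'org.springframework.boot' version '3.3.1'
  id 'io.spring.dependency-management' version '1.1.4'
}
dependencies {
  implementation 'org.springframework.boot:spring-boot-starter-actuator'
  implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
  implementation 'org.springframework.boot:spring-boot-starter-security'
  implementation 'org.springframework.boot:spring-boot-starter-web'
}
"""

PLUGIN_RE = re.compile(r"""\bid\s+['"]([\w.\-]+)['"]\s+version\s+['"]([^'"]+)['"]""")
DEP_RE = re.compile(
    r"""\b(?:implementation|api|runtimeOnly|compileOnly|testImplementation)\s+['"]([^'"]+)['"]"""
)


def plugin_versions(text):
    """Map plugin id -> declared version, taken from the plugins block."""
    return dict(PLUGIN_RE.findall(text))


def resolve_dependencies(text):
    """Return (group, artifact, version) tuples for each declared dependency.

    A version omitted in the build file is filled in from the Spring Boot
    plugin's BOM when the artifact is in the org.springframework.boot group and
    both plugins are applied. Otherwise it stays None, which is what a scanner
    without plugin BOM support reports as an unknown version.
    Assumption/simplification: only the org.springframework.boot group is modelled.
    """
    plugins = plugin_versions(text)
    boot_version = plugins.get("org.springframework.boot")
    bom_active = boot_version is not None and "io.spring.dependency-management" in plugins
    resolved = []
    for coord in DEP_RE.findall(text):
        parts = coord.split(":")
        group, artifact = parts[0], parts[1]
        version = parts[2] if len(parts) > 2 else None
        if version is None and bom_active and group == "org.springframework.boot":
            version = boot_version
        resolved.append((group, artifact, version))
    return resolved
```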

How will my scan results be improved?

For projects that use this kind of plugin BOM, the new scanner previously reported unknown versions for the dependencies whose versions were omitted. It will now report the correct version as specified by the plugin.

In addition, it will include their transitive dependencies, resulting in fewer false negatives.