This behavior is seen with the Spring Boot plugin 2.2.0 and greater. Example Gradle file:

import org.springframework.boot.gradle.plugin.SpringBootPlugin

plugins {
    id 'java'
    id 'maven-publish'
    id 'org.springframework.boot' version '2.3.0.RELEASE' apply false
    id 'io.spring.dependency-management' version '1.0.9.RELEASE'
}

repositories {
    mavenCentral()
}

publishing {
    publications {
        maven(MavenPublication) {
            from project.components.java
        }
    }
}

dependencyManagement {
    imports {
        mavenBom SpringBootPlugin.BOM_COORDINATES
    }
}

// TODO: Comment this line off/on to see changes
ext['mockito.version'] = '2.23.4'

The POM file was then generated with Gradle's generatePomFileForMavenPublication. When the version override is active, the POM is generated with:

<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-junit-jupiter</artifactId>
      <version>2.23.4</version>
    </dependency>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-core</artifactId>
      <version>2.23.4</version>
    </dependency>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-inline</artifactId>
      <version>2.23.4</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>2.3.0.RELEASE</version>
      <scope>import</scope>
      <type>pom</type>
    </dependency>
  </dependencies>
</dependencyManagement>

When the version override is commented out, I correctly get:

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>2.3.0.RELEASE</version>
        <scope>import</scope>
        <type>pom</type>
      </dependency>
    </dependencies>
  </dependencyManagement>

While I could argue that this trivial example is actually working correctly, the real-life situation of overriding test-scope-only versions bleeding into the published POM is less desirable.

It would be nice if, when I did have something like testImplementation "org.mockito:mockito-core", the plugin were smart enough to exclude that from <dependencyManagement> (or had some way to configure it to do so).
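
A check for the leak described above, as an added example that is not part of the original report or of either plugin: it parses a generated POM and lists <dependencyManagement> entries that are neither BOM imports nor dependencies the POM itself declares. The sample POM is constructed from the output shown in the report; its <dependencies> section and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the generated POM in the report (trimmed to two
# managed entries); the <dependencies> section is an assumption for illustration.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.mockito</groupId><artifactId>mockito-core</artifactId>
      <version>2.23.4</version></dependency>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId><version>2.3.0.RELEASE</version>
      <scope>import</scope><type>pom</type></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId><scope>runtime</scope></dependency>
  </dependencies>
</project>"""


def _strip_ns(root):
    """Drop XML namespaces so lookups work with or without the Maven xmlns."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _coords(dep):
    """(groupId, artifactId) of a <dependency> element."""
    return (dep.findtext("groupId", "").strip(), dep.findtext("artifactId", "").strip())


def unexpected_managed_versions(pom_xml):
    """Return (group, artifact, version) for managed entries that are neither
    BOM imports nor dependencies the POM itself declares."""
    root = _strip_ns(ET.fromstring(pom_xml))
    declared = {_coords(d) for d in root.findall("./dependencies/dependency")}
    findings = []
    for dep in root.findall("./dependencyManagement/dependencies/dependency"):
        is_bom = (dep.findtext("scope", "").strip() == "import"
                  and dep.findtext("type", "").strip() == "pom")
        if not is_bom and _coords(dep) not in declared:
            findings.append(_coords(dep) + (dep.findtext("version", "").strip(),))
    return findings


if __name__ == "__main__":
    for group, artifact, version in unexpected_managed_versions(SAMPLE_POM):
        print(f"managed but not declared: {group}:{artifact}:{version}")
```

In CI, run it against the file written by generatePomFileForMavenPublication and fail the build when the list is non-empty.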

Comment From: wilkinsona

It's the dependency management plugin that does this. Can you please open an issue over there and we can see what's possible?

Comment From: mrusinak

I'm not sure it is. Using the Spring Boot 2.1.X plugin does not have this behavior.