Gemnasium-maven ignores constraints in build.gradle files

Summary

The gemnasium-maven analyser produces incorrect results when evaluating Gradle projects that specify constraints to dependencies.

For example: in this project I use a constraint to pin net.minidev:json-smart to 2.4.7.

gradle dependencies correctly lists json-smart as 2.4.7:

testCompileClasspath - Compile classpath for source set 'test'.
+--- org.springframework.boot:spring-boot-starter-test:2.4.13
# omitting other deps for brevity
|    +--- com.jayway.jsonpath:json-path:2.4.0
|    |    +--- net.minidev:json-smart:2.3 -> 2.4.7

But the dependency list for the project shows 2.3.


Steps to reproduce

  1. Use 'constraints' to pin a dependency to a specific version in build.gradle
  2. Run gemnasium-maven jobs on it
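The following is an added example, not part of the original issue or of the gemnasium-maven project. It covers both the reproduction above and the "requested -> resolved" line in the gradle dependencies output: write_build_gradle creates a hypothetical build.gradle that pulls json-smart in transitively through spring-boot-starter-test 2.4.13 and pins it with a constraints block, and resolved_version reads the version Gradle actually resolved out of gradle dependencies output (the right-hand side of the arrow when one is present), which is the value a dependency analyser should report. The sample tree is constructed from the lines quoted in the issue.

```shell
#!/bin/sh
# Added example; not the project's own code. The build.gradle contents are
# hypothetical but use only standard Gradle syntax.

# Write a minimal build.gradle to the path given as $1.
write_build_gradle() {
    cat > "$1" <<'EOF'
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // json-path (pulled in by the starter) requests json-smart 2.3
    testImplementation 'org.springframework.boot:spring-boot-starter-test:2.4.13'

    // Dependency constraint: every resolution of json-smart on the test
    // classpath is forced to 2.4.7, whatever the transitive requester asked for.
    constraints {
        testImplementation('net.minidev:json-smart:2.4.7') {
            because 'pin to the version that has been vetted'
        }
    }
}
EOF
}

# Read `gradle dependencies` output on stdin and print the resolved version of
# the group:artifact given as $1. Gradle prints "requested -> resolved" when a
# constraint, conflict resolution or rule changed the version, so the part
# after "-> " wins; otherwise the declared version is the resolved one.
# Trailing markers such as " (*)" or " (c)" are stripped first.
resolved_version() {
    grep -F -- "$1:" | head -n 1 \
        | sed -e 's/ (.*)$//' -e 's/.*-> //' -e "s/.*$1://"
}

# Constructed sample, copied from the tree shown in the issue (not live output).
SAMPLE_TREE="testCompileClasspath - Compile classpath for source set 'test'.
+--- org.springframework.boot:spring-boot-starter-test:2.4.13
|    +--- com.jayway.jsonpath:json-path:2.4.0
|    |    +--- net.minidev:json-smart:2.3 -> 2.4.7"

# Convenience wrapper for the sample: prints 2.4.7, not the requested 2.3.
sample_json_smart_version() {
    printf '%s\n' "$SAMPLE_TREE" | resolved_version net.minidev:json-smart
}
```

Against a real project, run write_build_gradle build.gradle, then gradle dependencies --configuration testCompileClasspath | resolved_version net.minidev:json-smart; the output should be 2.4.7, which is the version to compare with what the gemnasium-maven job reports in the dependency list.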

Example Project

Simple reproduction in this project

What is the current bug behavior?

The wrong version for constraints-pinned dependencies is reported by gemnasium-maven.

What is the expected correct behavior?

The correct version for constraints-pinned dependencies is reported by gemnasium-maven.
