apache · jamesfredley · Jun 11, 2026 · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026
diff --git a/build-logic/docs-core/build.gradle b/build-logic/docs-core/build.gradle
@@ -47,8 +47,11 @@ dependencies {
     api 'org.grails:grails-gdoc-engine:1.0.1'
     api 'org.yaml:snakeyaml:2.4'
 
+    // Maven's own model library, used by ExtractDependenciesTask to parse BOM POMs the
+    // Maven-standard way instead of with hand-rolled XML parsing.
+    api "org.apache.maven:maven-model:${gradleBomDependencyVersions['maven-model.version']}"
+
     api "org.asciidoctor:asciidoctorj:${gradleBomDependencyVersions['asciidoctorj.version']}"
-    implementation "org.springframework.boot:spring-boot-gradle-plugin:${gradleBomDependencyVersions['spring-boot.version']}"
 
     testImplementation platform("org.spockframework:spock-bom:${gradleBomDependencyVersions['gradle-spock.version']}")
     testImplementation('org.spockframework:spock-core') {

diff --git a/...cs-core/src/main/groovy/org/apache/grails/gradle/tasks/bom/ExtractDependenciesTask.groovy b/...cs-core/src/main/groovy/org/apache/grails/gradle/tasks/bom/ExtractDependenciesTask.groovy
@@ -21,8 +21,8 @@ package org.apache.grails.gradle.tasks.bom
 
 import java.util.regex.Pattern
 
-import io.spring.gradle.dependencymanagement.org.apache.maven.model.Model
-import io.spring.gradle.dependencymanagement.org.apache.maven.model.io.xpp3.MavenXpp3Reader
+import org.apache.maven.model.Model
+import org.apache.maven.model.io.xpp3.MavenXpp3Reader
 import org.gradle.api.DefaultTask
 import org.gradle.api.GradleException
 import org.gradle.api.NamedDomainObjectProvider
@@ -257,17 +257,19 @@ abstract class ExtractDependenciesTask extends DefaultTask {
     }
 
     Properties populatePlatformDependencies(CoordinateVersionHolder bomCoordinates, List<CoordinateHolder> exclusionRules, Map<CoordinateHolder, ExtractedDependencyConstraint> constraints, boolean error = true, int level = 0) {
-        Dependency bomDependency = dependencyHandler.create("${bomCoordinates.coordinates}@pom")
-        Configuration dependencyConfiguration = configurationContainer.detachedConfiguration(bomDependency)
+        def bomDependency = dependencyHandler.create("${bomCoordinates.coordinates}@pom")
+        def dependencyConfiguration = configurationContainer.detachedConfiguration(bomDependency).tap {
+            transitive = false
+        }
         File bomPomFile = dependencyConfiguration.singleFile
 
-        MavenXpp3Reader reader = new MavenXpp3Reader()
-        Model model = reader.read(new FileReader(bomPomFile))
+        // Parse the BOM POM with Maven's own model library so resolution mirrors upstream Maven.
+        Model model = bomPomFile.withInputStream { InputStream input -> new MavenXpp3Reader().read(input) }
+        def versionProperties = new Properties()
 
-        Properties versionProperties = new Properties()
+        // Parent POM populated first so its properties can be overridden by the child
         if (model.parent) {
-            // Need to populate the parent bom if it's present first
-            CoordinateVersionHolder parentBom = new CoordinateVersionHolder(
+            def parentBom = new CoordinateVersionHolder(
                     groupId: model.parent.groupId,
                     artifactId: model.parent.artifactId,
                     version: model.parent.version
@@ -276,69 +278,74 @@ abstract class ExtractDependenciesTask extends DefaultTask {
                 versionProperties.put(entry.key, entry.value)
             }
         }
+
         model.properties.entrySet().each { Map.Entry<Object, Object> entry ->
             versionProperties.put(entry.key, entry.value)
         }
         versionProperties.put('project.groupId', bomCoordinates.groupId)
         versionProperties.put('project.version', bomCoordinates.version)
 
-        if (model.dependencyManagement && model.dependencyManagement.dependencies) {
-            for (io.spring.gradle.dependencymanagement.org.apache.maven.model.Dependency depItem : model.dependencyManagement.dependencies) {
-                CoordinateHolder baseCoordinates = new CoordinateHolder(
-                        groupId: depItem.groupId,
-                        artifactId: depItem.artifactId
-                )
-
-                CoordinateHolder resolvedCoordinates = new CoordinateHolder(
-                        groupId: resolveMavenProperty(baseCoordinates.coordinatesWithoutVersion, depItem.groupId, versionProperties),
-                        artifactId: resolveMavenProperty(baseCoordinates.coordinatesWithoutVersion, depItem.artifactId, versionProperties)
-                )
-
-                if (!constraints.containsKey(resolvedCoordinates)) {
-                    boolean isExcluded = exclusionRules.any { CoordinateHolder excludedCoordinate ->
-                        if (excludedCoordinate.groupId && excludedCoordinate.artifactId) {
-                            return resolvedCoordinates == excludedCoordinate
-                        }
-
-                        if (excludedCoordinate.groupId && !excludedCoordinate.artifactId) {
-                            return depItem.groupId == excludedCoordinate.groupId
-                        }
-
-                        if (!excludedCoordinate.groupId && excludedCoordinate.artifactId) {
-                            return depItem.artifactId == excludedCoordinate.artifactId
-                        }
-
-                        false
-                    }
-
-                    if (!isExcluded) {
-                        String resolvedVersion = resolveMavenProperty(resolvedCoordinates.coordinatesWithoutVersion, depItem.version, versionProperties)
-                        String propertyName = depItem.version.contains('$') ? depItem.version : null
-                        ExtractedDependencyConstraint constraint = new ExtractedDependencyConstraint(
-                                groupId: resolvedCoordinates.groupId, artifactId: resolvedCoordinates.artifactId,
-                                version: resolvedVersion, versionPropertyReference: propertyName, source: bomCoordinates.artifactId
-                        )
-                        if (depItem.scope == 'import') {
-                            constraints.put(resolvedCoordinates, constraint)
-
-                            CoordinateVersionHolder resolvedBomCoordinates = new CoordinateVersionHolder(
-                                    groupId: resolvedCoordinates.groupId,
-                                    artifactId: resolvedCoordinates.artifactId,
-                                    version: resolvedVersion
-                            )
-                            populatePlatformDependencies(resolvedBomCoordinates, exclusionRules, constraints, error, level + 1)
-                        } else {
-                            constraints.put(resolvedCoordinates, constraint)
-                        }
-                    }
-                }
-            }
-        } else {
+        def managedDependencies = model.dependencyManagement?.dependencies ?: []
+        if (managedDependencies.isEmpty()) {
             if (error) {
                 // only the boms we directly include need to error since we expect a dependency management;
                 // parent boms are sometimes use to share properties so we need to not error on these cases
                 throw new GradleException("BOM ${bomCoordinates.coordinates} has no dependencyManagement section.")
             }
+            return versionProperties
+        }
+
+        for (def depItem : managedDependencies) {
+            def baseCoordinates = new CoordinateHolder(
+                    groupId: depItem.groupId,
+                    artifactId: depItem.artifactId
+            )
+
+            def resolvedCoordinates = new CoordinateHolder(
+                    groupId: resolveMavenProperty(baseCoordinates.coordinatesWithoutVersion, depItem.groupId, versionProperties),
+                    artifactId: resolveMavenProperty(baseCoordinates.coordinatesWithoutVersion, depItem.artifactId, versionProperties)
+            )
+
+            if (constraints.containsKey(resolvedCoordinates)) {
+                continue
+            }
+
+            boolean isExcluded = exclusionRules.any { CoordinateHolder excludedCoordinate ->
+                if (excludedCoordinate.groupId && excludedCoordinate.artifactId) {
+                    return resolvedCoordinates == excludedCoordinate
+                }
+
+                if (excludedCoordinate.groupId && !excludedCoordinate.artifactId) {
+                    return depItem.groupId == excludedCoordinate.groupId
+                }
+
+                if (!excludedCoordinate.groupId && excludedCoordinate.artifactId) {
+                    return depItem.artifactId == excludedCoordinate.artifactId
+                }
+
+                false
+            }
+
+            if (isExcluded) {
+                continue
+            }
+
+            def resolvedVersion = resolveMavenProperty(resolvedCoordinates.coordinatesWithoutVersion, depItem.version, versionProperties)
+            def propertyName = depItem.version?.contains('$') ? depItem.version : null
+            def constraint = new ExtractedDependencyConstraint(
+                    groupId: resolvedCoordinates.groupId, artifactId: resolvedCoordinates.artifactId,
+                    version: resolvedVersion, versionPropertyReference: propertyName, source: bomCoordinates.artifactId
+            )
+            constraints.put(resolvedCoordinates, constraint)
+
+            if (depItem.scope == 'import') {
+                def resolvedBomCoordinates = new CoordinateVersionHolder(
+                        groupId: resolvedCoordinates.groupId,
+                        artifactId: resolvedCoordinates.artifactId,
+                        version: resolvedVersion
+                )
+                populatePlatformDependencies(resolvedBomCoordinates, exclusionRules, constraints, error, level + 1)
+            }
         }
 
         versionProperties

diff --git a/...plugins/src/main/groovy/org/apache/grails/buildsrc/GrailsDependencyValidatorPlugin.groovy b/...plugins/src/main/groovy/org/apache/grails/buildsrc/GrailsDependencyValidatorPlugin.groovy
@@ -57,6 +57,18 @@ class GrailsDependencyValidatorPlugin implements Plugin<Project> {
 
     private static final Set<String> BOM_PROJECT_NAMES = ['grails-bom', 'grails-gradle-bom', 'grails-base-bom', 'grails-hibernate5-bom', 'grails-hibernate7-bom', 'grails-micronaut-bom', 'grails-hibernate5-micronaut-bom', 'grails-hibernate7-micronaut-bom'].toSet()
 
+    /**
+     * Configuration names that pull in a Grails BOM purely as build tooling rather than as part
+     * of the project's published dependency graph, and are therefore ignored when detecting the
+     * project's single Grails BOM. The shared {@code gradle/docs-dependencies.gradle} script adds
+     * {@code platform(grails-bom)} to the {@code documentation} configuration only to resolve the
+     * groovydoc tooling versions; a project that selects a non-default BOM variant (e.g.
+     * {@code grails-micronaut-bom} or {@code grails-hibernate7-bom}) for its real configurations
+     * still receives {@code grails-bom} here, which must not be misreported as a second,
+     * conflicting BOM.
+     */
+    private static final Set<String> BOM_DETECTION_EXCLUDED_CONFIGURATIONS = ['documentation'].toSet()
+
     @Override
     void apply(Project project) {
         project.plugins.withId('java') {
@@ -159,19 +171,50 @@ class GrailsDependencyValidatorPlugin implements Plugin<Project> {
 
     /**
      * Scans the project's configurations to find which BOM project is in use.
+     *
+     * <p>Exactly one Grails BOM is expected on a project: the BOMs are split by
+     * integration (default / hibernate5 / micronaut), so a project selects a single
+     * variant. This method returns the path of the one declared Grails BOM, {@code null}
+     * when none is declared, and fails the build when more than one distinct Grails BOM
+     * is found (which indicates a misconfiguration - e.g. layering grails-bom and
+     * grails-micronaut-bom on the same project).</p>
+     *
+     * <p>Build-tooling configurations that pull in a BOM purely to resolve their own tool
+     * versions (see {@link #BOM_DETECTION_EXCLUDED_CONFIGURATIONS}) are skipped, so the shared
+     * {@code documentation} configuration's {@code grails-bom} does not conflict with a variant
+     * BOM a project selects for its real dependencies.</p>
      */
     static String detectBomPath(Project project) {
+        Set<String> bomPaths = new LinkedHashSet<>()
+
         for (Configuration config : project.configurations) {
+            if (BOM_DETECTION_EXCLUDED_CONFIGURATIONS.contains(config.name)) {
+                continue
+            }
             for (Dependency dep : config.dependencies) {
-                if (BOM_PROJECT_NAMES.contains(dep.name)) {
-                    Project bomProject = project.rootProject.findProject(":${dep.name}" as String)
-                    if (bomProject != null) {
-                        return bomProject.path
-                    }
+                if (!BOM_PROJECT_NAMES.contains(dep.name)) {
+                    continue
                 }
+                def bomProject = project.rootProject.findProject(":${dep.name}" as String)
+                if (bomProject == null) {
+                    continue
+                }
+                bomPaths.add(bomProject.path)
             }
         }
-        null
+
+        if (bomPaths.isEmpty()) {
+            return null
+        }
+        if (bomPaths.size() > 1) {
+            throw new GradleException(
+                    "Project '${project.name}' declares more than one Grails BOM (${bomPaths.join(', ')}). " +
+                            'Exactly one Grails BOM may be applied; the BOMs are split by integration ' +
+                            '(default / hibernate5 / micronaut), so a project must select a single variant.'
+            )
+        }
+
+        bomPaths.first()
     }
 
     /**

diff --git a/...ins/src/test/groovy/org/apache/grails/buildsrc/GrailsDependencyValidatorPluginSpec.groovy b/...ins/src/test/groovy/org/apache/grails/buildsrc/GrailsDependencyValidatorPluginSpec.groovy
@@ -0,0 +1,98 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.apache.grails.buildsrc
+
+import org.gradle.api.GradleException
+import org.gradle.api.Project
+import org.gradle.testfixtures.ProjectBuilder
+import spock.lang.Specification
+
+class GrailsDependencyValidatorPluginSpec extends Specification {
+
+    private static Project rootWithBoms() {
+        Project root = ProjectBuilder.builder().withName('root').build()
+        ProjectBuilder.builder().withName('grails-bom').withParent(root).build()
+        ProjectBuilder.builder().withName('grails-micronaut-bom').withParent(root).build()
+        ProjectBuilder.builder().withName('grails-hibernate7-bom').withParent(root).build()
+        root
+    }
+
+    private static void addBomPlatform(Project project, String configuration, String bomPath) {
+        project.configurations.maybeCreate(configuration)
+        project.dependencies.add(configuration,
+                project.dependencies.platform(project.dependencies.project(path: bomPath)))
+    }
+
+    void "detectBomPath ignores the documentation configuration when a variant BOM is used elsewhere"() {
+        given: "a project that selects grails-micronaut-bom but inherits grails-bom on the shared documentation config"
+        Project root = rootWithBoms()
+        Project project = ProjectBuilder.builder().withName('grails-micronaut').withParent(root).build()
+        addBomPlatform(project, 'api', ':grails-micronaut-bom')
+        addBomPlatform(project, 'documentation', ':grails-bom')
+
+        expect: "the variant BOM wins and no conflict is reported"
+        GrailsDependencyValidatorPlugin.detectBomPath(project) == ':grails-micronaut-bom'
+    }
+
+    void "detectBomPath returns the single declared BOM"() {
+        given: "a default-variant project with grails-bom on both a real config and the documentation config"
+        Project root = rootWithBoms()
+        Project project = ProjectBuilder.builder().withName('grails-core').withParent(root).build()
+        addBomPlatform(project, 'implementation', ':grails-bom')
+        addBomPlatform(project, 'documentation', ':grails-bom')
+
+        expect:
+        GrailsDependencyValidatorPlugin.detectBomPath(project) == ':grails-bom'
+    }
+
+    void "detectBomPath returns null when no Grails BOM is declared"() {
+        given:
+        Project root = rootWithBoms()
+        Project project = ProjectBuilder.builder().withName('plain').withParent(root).build()
+        project.configurations.maybeCreate('implementation')
+
+        expect:
+        GrailsDependencyValidatorPlugin.detectBomPath(project) == null
+    }
+
+    void "detectBomPath returns null when only the documentation tooling configuration declares a BOM"() {
+        given: "a project whose sole BOM is the doc-tooling grails-bom on the documentation config"
+        Project root = rootWithBoms()
+        Project project = ProjectBuilder.builder().withName('docs-only').withParent(root).build()
+        addBomPlatform(project, 'documentation', ':grails-bom')
+
+        expect: "the doc-tooling BOM is ignored, so no project BOM is detected"
+        GrailsDependencyValidatorPlugin.detectBomPath(project) == null
+    }
+
+    void "detectBomPath fails when two distinct Grails BOMs are declared on real configurations"() {
+        given: "a genuine misconfiguration layering two variant BOMs on real dependency configurations"
+        Project root = rootWithBoms()
+        Project project = ProjectBuilder.builder().withName('misconfigured').withParent(root).build()
+        addBomPlatform(project, 'api', ':grails-micronaut-bom')
+        addBomPlatform(project, 'implementation', ':grails-hibernate7-bom')
+
+        when:
+        GrailsDependencyValidatorPlugin.detectBomPath(project)
+
+        then:
+        GradleException e = thrown(GradleException)
+        e.message.contains('declares more than one Grails BOM')
+    }
+}
diff --git a/dependencies.gradle b/dependencies.gradle
@@ -38,6 +38,7 @@ ext {
             'jline2.version'                : '2.14.6',
             'jna.version'                   : '5.18.1',
             'jquery.version'                : '3.7.1',
+            'maven-model.version'           : '3.9.16',
             'objenesis.version'             : '3.4',
             'spring-boot.version'           : '4.1.0-RC1',
     ]

diff --git a/grails-bom/base/build.gradle b/grails-bom/base/build.gradle
@@ -209,7 +209,7 @@ ext {
                     ExtractedDependencyConstraint extractedConstraint = propertyNameCalculator.calculate(groupId, artifactId, inlineVersion, isBom)
                     if (extractedConstraint?.versionPropertyReference) {
                         // use the property reference instead of the hard coded version so that it can be
-                        // overriden by the spring boot dependency management plugin
+                        // overridden by project properties (gradle.properties or ext['property.name'])
                         dep.version[0].value = extractedConstraint.versionPropertyReference
 
                         // Add an entry in the <properties> node with the actual version number