It can be difficult to determine the root cause the results in a particular dependency version being included in the dependency-graph. Different versions can be configured for different subprojects and configurations, so resolving a Dependabot Alert is not always straightforward.

The easiest way to identify the root source of a dependency is via a Build Scan®, but when this isn't available it should be possible to get this information via logging together with the built-in dependency reporting of Gradle.