
Newest dependency check is breaking builds on older Gradle versions due to jackson-core 2.15.2 multi-release jar with Java 19 classes #5791

Closed
Grimoren opened this issue Jun 22, 2023 · 12 comments


@Grimoren

Describe the bug
Jackson-bom 2.15.2, which is being passed in transitively by dependency check, includes Jackson-core 2.15.2, which seems to contain a file that was compiled for class file version 63 (aka Java 19).

Version of dependency-check used
The problem occurs using version 8.3.1 of the Gradle plugin.

Log file

java.util.concurrent.ExecutionException: org.gradle.api.GradleException: Failed to create Jar file /root/.gradle/caches/jars-9/87491e8cdb0229bafcb7120e23222513/jackson-core-2.15.2.jar

Caused by: java.io.IOException: Failed to process the entry 'META-INF/versions/19/com/fasterxml/jackson/core/io/doubleparser/FastDoubleSwar.class' from '/Users/saitx/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.15.2/a6fe1836469a69b3ff66037c324d75fc66ef137c/jackson-core-2.15.2.jar'
at org.gradle.internal.classpath.InstrumentingClasspathFileTransformer.lambda$visitEntries$1(InstrumentingClasspathFileTransformer.java:161)
at org.gradle.internal.classpath.ClasspathWalker.visitJarContents(ClasspathWalker.java:91)
at org.gradle.internal.classpath.ClasspathWalker.visit(ClasspathWalker.java:55)
at org.gradle.internal.classpath.InstrumentingClasspathFileTransformer.visitEntries(InstrumentingClasspathFileTransformer.java:148)
at org.gradle.internal.classpath.InstrumentingClasspathFileTransformer.lambda$instrument$0(InstrumentingClasspathFileTransformer.java:139)
at org.gradle.internal.classpath.ClasspathBuilder.buildJar(ClasspathBuilder.java:66)
at org.gradle.internal.classpath.ClasspathBuilder.jar(ClasspathBuilder.java:53)
... 9 more
Caused by: java.lang.IllegalArgumentException: Unsupported class file major version 63
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:199)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:180)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:166)
at org.gradle.internal.classpath.InstrumentingClasspathFileTransformer.lambda$visitEntries$1(InstrumentingClasspathFileTransformer.java:151)
... 15 more

To Reproduce
Steps to reproduce the behavior:

  1. Use it on any project that is not configured for Java 19 or above.

Expected behavior
Runs with no errors


Grimoren added the bug label Jun 22, 2023
@aikebah (Collaborator) commented Jun 22, 2023

Jackson is a multi-release jar, which should be fine in any environment that uses a supported java version. Classes under META-INF/versions/<java major> indicate that they should be ignored on any environment not supporting that java major version.

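To make the rule described in the comment above concrete, here is an added example (not code from this thread, from dependency-check or from Jackson) that classifies the class entries of a jar two ways: as a JEP 238-aware JVM does, skipping META-INF/versions/N entries that are newer than the runtime, and as a walker that ignores that layout does, which is what surfaces the "Unsupported class file major version 63" error from the log above. The jar it inspects is a constructed sample with the same layout, not the real jackson-core-2.15.2.jar.

```python
import io
import struct
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"

def java_release(major):
    """Class-file major version -> Java release (52 = Java 8, 55 = Java 11, 63 = Java 19)."""
    return major - 44

def class_major(data):
    """Major version from a class file's 8-byte header; None if the entry is not a class file."""
    if len(data) < 8 or data[:4] != CLASS_MAGIC:
        return None
    return struct.unpack(">HH", data[4:8])[1]

def scan_jar(jar_bytes, runtime_release, honor_versions=True):
    """Classify .class entries of a jar for a JVM of `runtime_release` (JEP 238 rule).
    honor_versions=True: META-INF/versions/N/ entries count only when the manifest says
    Multi-Release: true and N <= runtime_release; False inspects every entry, as a classpath
    walker ignoring that rule effectively does. Returns (is_multi_release, applicable, skipped, too_new)."""
    applicable, skipped, too_new = [], [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
        is_mr = any(line.strip().lower() == "multi-release: true" for line in manifest.splitlines())
        for name in names:
            if not name.endswith(".class"):
                continue
            parts = name.split("/")
            versioned = parts[:2] == ["META-INF", "versions"] and len(parts) > 3 and parts[2].isdigit()
            if honor_versions and versioned and (not is_mr or int(parts[2]) > runtime_release):
                skipped.append(name)  # the JVM never loads this entry on this runtime
                continue
            applicable.append(name)
            major = class_major(zf.read(name))
            if major is not None and java_release(major) > runtime_release:
                too_new.append(name)  # would trip "Unsupported class file major version"
    return is_mr, applicable, skipped, too_new

def build_sample_jar():
    """Constructed sample jar (not the real jackson-core): a Java 11 base class plus a
    META-INF/versions/19 override whose header claims major version 63 (Java 19)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMulti-Release: true\r\n\r\n")
        zf.writestr("com/example/FastDoubleSwar.class", CLASS_MAGIC + struct.pack(">HH", 0, 55) + bytes(8))
        zf.writestr("META-INF/versions/19/com/example/FastDoubleSwar.class", CLASS_MAGIC + struct.pack(">HH", 0, 63) + bytes(8))
    return buf.getvalue()
```

Running `scan_jar(build_sample_jar(), 11)` reports the versions/19 entry as skipped and nothing too new, while `honor_versions=False` on the same jar flags that entry, mirroring the difference between the JVM's view and the failing classpath walk.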
@aikebah (Collaborator) commented Jun 22, 2023

See https://openjdk.org/jeps/238

@aikebah (Collaborator) commented Jun 22, 2023

And see also gradle/gradle#24390

@Grimoren (Author)

Ah so upgrading gradle wrapper to 7.6 might fix this. Let me try that out.

@Grimoren (Author) commented Jun 23, 2023

But this basically restricts the usage of dependency check gradle to gradle 7.6 or higher for version 8.3.1+

@aikebah (Collaborator) commented Jun 23, 2023

I'm not much in the Gradle ecosystem. Would you be able to verify whether Gradle 6.9.4 yields the issue?
If not, I would still consider it an issue of Gradle, but it would be good to have clarity on whether all 'currently maintained revisions' of Gradle are working fine.

@aikebah (Collaborator) commented Jun 23, 2023

Hmm... given https://docs.gradle.org/current/userguide/feature_lifecycle.html#eol_support it appears that 6.9.4 would be an anomaly (as in, released despite 8.x already being there, so it would typically be seen as EOL) due to the severity of log4shell... I suppose it won't get fixes should it also have the multi-release-jar-support issue.

aikebah changed the title from "newest dependency check is passing Jackson-bom 2.15.2 transitively which in turn passes Jackson-core 2.15.2 which includes java 19 compiled class." to "Newest dependency check is breaking builds on older Gradle versions due to jackson-core 2.15.2 multi-release jar with Java 19 classes" on Jun 23, 2023
@kybercryst4l commented Jun 26, 2023

Same problem here with a Gradle 6 multi-project build, and we can't easily migrate to a higher Gradle version (it will be done later this year).
I found this solution gradle/gradle#24390 (comment) to force the jackson-core version, and this works, but it forces this version for all dependencies of the Gradle sub-projects and therefore breaks application dependencies.
Is there a way to only enforce a specific jackson-core version for the OWASP dependency check Gradle plugin?

@jeremylong (Owner)

I'm not sure if there is another way to force the version of Jackson for ODC. Maybe use classpath instead of all - but I doubt that will work cleanly.

I apologize about the issue everyone is facing - I was forced to upgrade the project to Gradle 7.x. Making no changes other than incrementing the version of ODC-core, the build started failing due to dependency-check/dependency-check-gradle#339

initscript {
    // Temporary workaround
    gradle.allprojects {
        buildscript {
            configurations.classpath {
                resolutionStrategy.force 'com.fasterxml.jackson.core:jackson-core:2.14.2'
            }
        }
    }
}

@jeremylong (Owner)

As Hans pointed out - gradle 6 is EOL...

@elfrasco

I'm facing the same issue since today. I'm using:

  • Gradle 7.4.2
  • jackson-datatype-jdk8:2.15.2
  • openjdk version "11.0.16" 2022-07-19 LTS

@elfrasco

I've upgraded Gradle from version 7.4.2 to 7.6.2, and the issue is fixed.
