Closed hohwille closed 1 year ago
For some strange reason dependency-injection does not work in the spring-tests but I have not changed anything related.
I get NPEs as the @Inject annotation is not honored and populated by spring.
I debugged into the deepest core of spring and found out that DependencyInjectionTestExecutionListener gets invoked as expected and also triggers AutowiredAnnotationBeanPostProcessor that also properly registers javax.inject.Inject.
Further, autowireBeanProperties calls populateBean that should do the actual job.
It then also finds the annotated fields but now something strange happens:
Both the requiredType and the type are javax.inject.Inject (see red markers).
However, spring only resolves 2 mappings - one for javax.inject.Named and the other for javax.inject.Qualifier.
So the one for javax.inject.Inject is missing and hence null is returned with the result that the field is ignored for injection.
IMHO this is a bug in spring(-test), but as we have tests working in an analogous scenario I am clueless what is causing this bug exactly.
For the record: it works if I use @Autowired instead of @Inject - seems to be a really weird and crazy spring bug - what a pity.
So also this CXF autostarter is causing problems: when you do not have any service, it makes your spring-boot app fail:
[INFO] Caused by: org.apache.cxf.service.factory.ServiceConstructionException: No resource classes found
Actually the exception handling is so lousy, that it is really hard to find this valuable root cause in the logs and draw the correct conclusions from it.
So as expected with the workarounds the tests now succeeded:
[INFO] [INFO] Tests run: 4, Failures: 0, Errors: 0, Skipped: 0
IMHO this reveals the following spring related bugs/issues:
- @Inject stopped working in JUnit - however, when I do not upgrade spring-boot version, I still get the same error and why did this work before and also works in the JUnits of the modules?
- Flyway bean can not be injected anymore - if annotated with @Autowired we get the error that no such bean exists. What caused this to break?
But there is even more fun: I activated OWASP dependency-check and get these errors now:
Error: [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
Error: [ERROR]
Error: [ERROR] jakarta.enterprise.lang-model-4.0.1.jar: CVE-2020-36460
Error: [ERROR] querydsl-core-5.0.0.jar: CVE-2022-31548
Error: [ERROR] spring-boot-2.7.2.jar: CVE-2016-1000027, CVE-2022-22965
Error: [ERROR] spring-core-5.3.22.jar: CVE-2016-1000027
Error: [ERROR] spring-data-commons-2.7.2.jar: CVE-2016-1000027, CVE-2022-22965
Error: [ERROR] spring-data-jpa-2.7.2.jar: CVE-2016-1000027, CVE-2022-22965
Error: [ERROR] spring-security-core-5.7.2.jar: CVE-2018-1258, CVE-2016-1000027
Error: [ERROR] spring-security-crypto-5.7.2.jar: CVE-2018-1258, CVE-2016-1000027
Error: [ERROR] spring-security-web-5.7.2.jar: CVE-2018-1258
Whoa - so just looking at the very first match https://nvd.nist.gov/vuln/detail/CVE-2020-36460:
So dependency-check wants to tell me that jakarta.enterprise.lang-model-4.0.1.jar is affected by a RUST bug, come on guys what are you smoking? Seems that also dependency-check and CVE bug databases got broken and turned useless.
I could fix this by updating the version of the dependency-check plugin. Now only two reasonable CVEs remain:
[INFO] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8,0':
[INFO]
[INFO] querydsl-core-5.0.0.jar: CVE-2022-31548(9.3)
[INFO] spring-web-5.3.22.jar: CVE-2016-1000027(9.8)
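A small triage helper for the two dependency-check summaries quoted above, added here as an example and not part of the original thread: it parses both runs and reports which jar/CVE findings disappeared after the plugin upgrade, which stayed, and which are new. The report lines are copied from the thread (header lines omitted); the function names are illustrative.

```python
import re
from collections import defaultdict

# Report lines copied from the two runs quoted in this thread.
BEFORE = """\
Error: [ERROR] jakarta.enterprise.lang-model-4.0.1.jar: CVE-2020-36460
Error: [ERROR] querydsl-core-5.0.0.jar: CVE-2022-31548
Error: [ERROR] spring-boot-2.7.2.jar: CVE-2016-1000027, CVE-2022-22965
Error: [ERROR] spring-core-5.3.22.jar: CVE-2016-1000027
Error: [ERROR] spring-data-commons-2.7.2.jar: CVE-2016-1000027, CVE-2022-22965
Error: [ERROR] spring-data-jpa-2.7.2.jar: CVE-2016-1000027, CVE-2022-22965
Error: [ERROR] spring-security-core-5.7.2.jar: CVE-2018-1258, CVE-2016-1000027
Error: [ERROR] spring-security-crypto-5.7.2.jar: CVE-2018-1258, CVE-2016-1000027
Error: [ERROR] spring-security-web-5.7.2.jar: CVE-2018-1258
"""
AFTER = """\
[INFO] querydsl-core-5.0.0.jar: CVE-2022-31548(9.3)
[INFO] spring-web-5.3.22.jar: CVE-2016-1000027(9.8)
"""

LINE = re.compile(r"\[(?:ERROR|INFO)\]\s+(\S+\.jar):\s+(.+)$")
CVE = re.compile(r"(CVE-\d{4}-\d+)(?:\(([\d.]+)\))?")

def parse(report):
    """Return {jar: {cve: score or None}} for one summary."""
    findings = defaultdict(dict)
    for line in report.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # header or blank line
        for cve, score in CVE.findall(m.group(2)):
            findings[m.group(1)][cve] = float(score) if score else None
    return dict(findings)

def pairs(report):
    """Flatten a summary into a set of (jar, cve) findings."""
    return {(jar, cve) for jar, cves in parse(report).items() for cve in cves}

def diff(before, after):
    """Compare two runs: findings dropped, kept, and newly reported."""
    b, a = pairs(before), pairs(after)
    return {"dropped": sorted(b - a), "kept": sorted(b & a), "new": sorted(a - b)}

def jars_per_cve(report):
    """Count how many distinct jars each CVE is attached to in one run."""
    counts = defaultdict(int)
    for _, cve in pairs(report):
        counts[cve] += 1
    return dict(counts)

if __name__ == "__main__":
    print(diff(BEFORE, AFTER), jars_per_cve(BEFORE))
```

A CVE attached to many unrelated jars in one run and to a single jar in the next, as with CVE-2016-1000027 here, is worth checking by hand against the NVD entry before suppressing or acting on it.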
@baumeister25 thanks for your review. Some things can be quickly addressed but mainly I see the need for a longer discussion to reach an alignment in a meeting. Can you arrange this?
@hohwille Yes, I totally agree. That's also the reason why I did not comment all your comments ;-). I'll set up a meeting with Malte, Jan-Gerrit, you and me. I would start in this small round and if we feel that we need further input we can define the participants in that meeting.
Implementation of #571
Changes and TODOs:
devon4j-* ormmm-*, just vanilla spring-boot, etc. to get started.
services/rest to services for REST services. IMHO this is undesired and should be fixed by some CXF config (if CXF is capable to do so). Otherwise our service-client will not work seamlessly. However, new convention from CXF starter. PR to reconfigure this is welcome...
Featurelist:
inMemoryAuthentication and hardcoded PWD.
ROLE_ prefix in spring-security
PerformaceLogFilter )