Closed Lucas3oo closed 3 years ago
Actually every second time sort of I get this exception instead:
Caused by: java.lang.NoClassDefFoundError: Could not initialize class com.fasterxml.jackson.databind.SerializationConfig
at com.fasterxml.jackson.databind.ObjectMapper.
It is weird since com/fasterxml/jackson/databind/SerializationConfig.class is in GRADEL_HOME/wrapper/dists/gradle-7.0.2-bin/857tjihv64xamwrf0h14cai3r/gradle-7.0.2/lib/plugins/jackson-databind-2.12.1.jar
If I stop the gradle daemon then I get Execution failed for task ':dependencyCheckUpdate'.
'com.fasterxml.jackson.annotation.JsonFormat$Value com.fasterxml.jackson.annotation.JsonFormat$Value.empty()'
And next time when the daemon is running I get: Execution failed for task ':dependencyCheckUpdate'.
Could not initialize class com.fasterxml.jackson.databind.SerializationConfig
https://stackoverflow.com/questions/36689525/jackson-annotation-jsonformatvalue-json-java-lang-nosuchmethoderror seems to mention that 2.6 hasn't the "Value" method.
So it seems that in some way dependecyChecker gets to use an old jackson-databind JAR
Is there some other way to check the class path of the plugins except gradlew buildEnvironment?
Only way I know of is to use gradlew buildEnvironment
. The longer term fix for this type of problem is the plugin needs to switch to use the worker api as mentioned here: https://github.com/jeremylong/DependencyCheck/issues/3213#issuecomment-804883458
Describe the bug It seems that the Gradle plugin uses JARs from the actual project that you scan for its own execution. I did first have an issues that an old com.fasterxml.jackson.core:jackson-databind was used inspite Gradle did not pick it when checking with gradlew buildEnvirment. I got the same issue as in https://github.com/jeremylong/DependencyCheck/issues/2838
When I started to exclude all dependencies in my project that uses any old version of com.fasterxml.jackson.core:jackson-databind
like this: def awsSdkVersion = '1.11.1019' dependency "com.amazonaws:aws-java-sdk-cloudwatch:$awsSdkVersion" dependency ("com.amazonaws:aws-java-sdk-core:$awsSdkVersion") { exclude 'com.fasterxml.jackson.core:jackson-databind' // old and conficts with dependecy checker }
I instead got this issue:
Caused by: java.lang.NoSuchMethodError: 'com.fasterxml.jackson.annotation.JsonFormat$Value com.fasterxml.jackson.annotation.JsonFormat$Value.empty()' at com.fasterxml.jackson.databind.cfg.MapperConfig.(MapperConfig.java:54)
at com.fasterxml.jackson.databind.ObjectMapper.(ObjectMapper.java:642)
at com.fasterxml.jackson.databind.ObjectMapper.(ObjectMapper.java:558)
at org.owasp.dependencycheck.utils.Settings.(Settings.java:88)
when running ./gradlew dependencyCheckAggregate on my multi-project
Version of dependency-check used Gradle plugin 6.1.6. Gradle version 7.0.2 (testing with 6.8.3 and 5.6 also same issue) JDK 11.0.10 om Mac.
./gradlew --version
Gradle 7.0.2
Build time: 2021-05-14 12:02:31 UTC Revision: 1ef1b260d39daacbf9357f9d8594a8a743e2152e
Kotlin: 1.4.31 Groovy: 3.0.7 Ant: Apache Ant(TM) version 1.10.9 compiled on September 27 2020 JVM: 11.0.10 (Oracle Corporation 11.0.10+9) OS: Mac OS X 10.15.7 x86_64
Log file To Reproduce ./gradlew dependencyCheckAggregate on my multi-project
Expected behavior Report shall be generated
Additional context Output on gradle buildEnviroment classpath
I also did an dependecyInsight
% grdl common:dependencyInsight --configuration compileClasspath --dependency com.fasterxml.jackson.core:jackson-databind
]
com.fasterxml.jackson.core:jackson-databind:2.11.3 +--- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.11.3 | --- org.springframework.boot:spring-boot-starter-json:2.4.1 | --- org.springframework.boot:spring-boot-starter-jersey:2.4.1 | --- compileClasspath (requested org.springframework.boot:spring-boot-starter-jersey) +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.11.3 | +--- compileClasspath (requested com.fasterxml.jackson.datatype:jackson-datatype-jsr310) | --- org.springframework.boot:spring-boot-starter-json:2.4.1 () +--- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.11.3 | --- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:2.11.3 | --- compileClasspath (requested com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider) +--- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.11.3 | +--- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:2.11.3 () | --- org.glassfish.jersey.media:jersey-media-json-jackson:2.32 (requested com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.10.1) | --- org.springframework.boot:spring-boot-starter-jersey:2.4.1 () +--- com.fasterxml.jackson.module:jackson-module-parameter-names:2.11.3 | --- org.springframework.boot:spring-boot-starter-json:2.4.1 () --- org.springframework.boot:spring-boot-starter-json:2.4.1 (*)
com.fasterxml.jackson.core:jackson-databind -> 2.11.3 --- compileClasspath
com.fasterxml.jackson.core:jackson-databind:2.6.7.4 -> 2.11.3 +--- com.amazonaws:aws-java-sdk-core:1.11.1019 | +--- com.amazonaws:aws-java-sdk-rds:1.11.1019 | | --- compileClasspath (requested com.amazonaws:aws-java-sdk-rds) | +--- com.amazonaws:aws-java-sdk-s3:1.11.1019 | | --- compileClasspath (requested com.amazonaws:aws-java-sdk-s3) | --- com.amazonaws:aws-java-sdk-kms:1.11.1019 | --- com.amazonaws:aws-java-sdk-s3:1.11.1019 () --- com.amazonaws:jmespath-java:1.11.1019 +--- com.amazonaws:aws-java-sdk-rds:1.11.1019 () +--- com.amazonaws:aws-java-sdk-s3:1.11.1019 () --- com.amazonaws:aws-java-sdk-kms:1.11.1019 ()
com.fasterxml.jackson.core:jackson-databind:2.10.1 -> 2.11.3 --- org.glassfish.jersey.media:jersey-media-json-jackson:2.32 --- org.springframework.boot:spring-boot-starter-jersey:2.4.1 --- compileClasspath (requested org.springframework.boot:spring-boot-starter-jersey)
(*) - dependencies omitted (listed previously)
A web-based, searchable dependency report is available by adding the --scan option.