jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

DependencyCheck Gradle plugin uses JARs from the project under check #3380

Closed Lucas3oo closed 3 years ago

Lucas3oo commented 3 years ago

Describe the bug
It seems that the Gradle plugin uses JARs from the actual project that you scan for its own execution. I first had an issue where an old com.fasterxml.jackson.core:jackson-databind was used, even though Gradle did not pick it when checking with gradlew buildEnvironment. I got the same issue as in https://github.com/jeremylong/DependencyCheck/issues/2838

When I started to exclude all dependencies in my project that use any old version of com.fasterxml.jackson.core:jackson-databind, like this:

    def awsSdkVersion = '1.11.1019'
    dependency "com.amazonaws:aws-java-sdk-cloudwatch:$awsSdkVersion"
    dependency ("com.amazonaws:aws-java-sdk-core:$awsSdkVersion") {
        exclude 'com.fasterxml.jackson.core:jackson-databind' // old and conflicts with dependency checker
    }

I instead got this issue:

    Caused by: java.lang.NoSuchMethodError: 'com.fasterxml.jackson.annotation.JsonFormat$Value com.fasterxml.jackson.annotation.JsonFormat$Value.empty()'
        at com.fasterxml.jackson.databind.cfg.MapperConfig.(MapperConfig.java:54)
        at com.fasterxml.jackson.databind.ObjectMapper.(ObjectMapper.java:642)
        at com.fasterxml.jackson.databind.ObjectMapper.(ObjectMapper.java:558)
        at org.owasp.dependencycheck.utils.Settings.(Settings.java:88)

when running ./gradlew dependencyCheckAggregate on my multi-project

Version of dependency-check used
Gradle plugin 6.1.6. Gradle version 7.0.2 (tested with 6.8.3 and 5.6 as well, same issue), JDK 11.0.10 on Mac.

./gradlew --version


Gradle 7.0.2

    Build time:   2021-05-14 12:02:31 UTC
    Revision:     1ef1b260d39daacbf9357f9d8594a8a743e2152e

    Kotlin:       1.4.31
    Groovy:       3.0.7
    Ant:          Apache Ant(TM) version 1.10.9 compiled on September 27 2020
    JVM:          11.0.10 (Oracle Corporation 11.0.10+9)
    OS:           Mac OS X 10.15.7 x86_64

Log file

To Reproduce
./gradlew dependencyCheckAggregate on my multi-project

Expected behavior
Report shall be generated

Additional context
Output of gradle buildEnvironment (classpath):

+--- org.hidetake.ssh:org.hidetake.ssh.gradle.plugin:1.1.3
|    \--- org.hidetake:gradle-ssh-plugin:1.1.3
|         \--- org.hidetake:groovy-ssh:1.1.7
|              +--- org.slf4j:slf4j-api:1.7.7 -> 1.7.30
|              +--- com.jcraft:jsch:0.1.52
|              +--- com.jcraft:jsch.agentproxy.connector-factory:0.0.7
|              |    +--- com.jcraft:jsch.agentproxy.core:0.0.7
|              |    +--- com.jcraft:jsch.agentproxy.usocket-jna:0.0.7
|              |    |    +--- com.jcraft:jsch.agentproxy.core:0.0.7
|              |    |    +--- net.java.dev.jna:jna:3.4.0
|              |    |    \--- net.java.dev.jna:platform:3.4.0
|              |    +--- com.jcraft:jsch.agentproxy.usocket-nc:0.0.7
|              |    |    \--- com.jcraft:jsch.agentproxy.core:0.0.7
|              |    +--- com.jcraft:jsch.agentproxy.sshagent:0.0.7
|              |    |    \--- com.jcraft:jsch.agentproxy.core:0.0.7
|              |    \--- com.jcraft:jsch.agentproxy.pageant:0.0.7
|              |         +--- com.jcraft:jsch.agentproxy.core:0.0.7
|              |         +--- net.java.dev.jna:jna:3.4.0
|              |         \--- net.java.dev.jna:platform:3.4.0
|              \--- com.jcraft:jsch.agentproxy.jsch:0.0.7
|                   +--- com.jcraft:jsch:0.1.49 -> 0.1.52
|                   \--- com.jcraft:jsch.agentproxy.core:0.0.7
+--- io.spring.dependency-management:io.spring.dependency-management.gradle.plugin:1.0.10.RELEASE
|    \--- io.spring.gradle:dependency-management-plugin:1.0.10.RELEASE
+--- org.ajoberstar.grgit:org.ajoberstar.grgit.gradle.plugin:4.1.0
|    \--- org.ajoberstar.grgit:grgit-gradle:4.1.0
|         \--- org.ajoberstar.grgit:grgit-core:4.1.0
|              \--- org.eclipse.jgit:org.eclipse.jgit:latest.release -> 5.11.1.202105131744-r
|                   +--- com.googlecode.javaewah:JavaEWAH:1.1.7
|                   \--- org.slf4j:slf4j-api:1.7.30
+--- com.github.spotbugs:com.github.spotbugs.gradle.plugin:4.7.0
|    \--- gradle.plugin.com.github.spotbugs.snom:spotbugs-gradle-plugin:4.7.0
+--- org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:6.1.6
|    \--- org.owasp:dependency-check-gradle:6.1.6
|         +--- org.owasp:dependency-check-core:6.1.6
|         |    +--- org.anarres.jdiagnostics:jdiagnostics:1.0.6
|         |    +--- org.whitesource:pecoff4j:0.0.2.1
|         |    +--- org.apache.commons:commons-jcs-core:2.2.1
|         |    |    \--- commons-logging:commons-logging:1.2
|         |    +--- com.github.package-url:packageurl-java:1.2.0
|         |    +--- us.springett:cpe-parser:2.0.2
|         |    |    \--- org.slf4j:slf4j-api:1.7.30
|         |    +--- com.vdurmont:semver4j:3.1.0
|         |    +--- org.slf4j:slf4j-api:1.7.30
|         |    +--- org.owasp:dependency-check-utils:6.1.6
|         |    |    +--- commons-io:commons-io:2.8.0
|         |    |    +--- org.apache.commons:commons-lang3:3.12.0
|         |    |    +--- com.fasterxml.jackson.core:jackson-databind:2.12.3
|         |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.3
|         |    |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.12.3
|         |    |    |    |         +--- com.fasterxml.jackson.core:jackson-annotations:2.12.3 (c)
|         |    |    |    |         +--- com.fasterxml.jackson.core:jackson-core:2.12.3 (c)
|         |    |    |    |         +--- com.fasterxml.jackson.core:jackson-databind:2.12.3 (c)
|         |    |    |    |         \--- com.fasterxml.jackson.module:jackson-module-afterburner:2.12.3 (c)
|         |    |    |    +--- com.fasterxml.jackson.core:jackson-core:2.12.3
|         |    |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.12.3 (*)
|         |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.12.3 (*)
|         |    |    +--- commons-codec:commons-codec:1.15
|         |    |    \--- org.slf4j:slf4j-api:1.7.30
|         |    +--- commons-collections:commons-collections:3.2.2
|         |    +--- org.apache.commons:commons-compress:1.20
|         |    +--- commons-io:commons-io:2.8.0
|         |    +--- org.apache.commons:commons-lang3:3.12.0
|         |    +--- org.apache.commons:commons-text:1.9
|         |    |    \--- org.apache.commons:commons-lang3:3.11 -> 3.12.0
|         |    +--- org.apache.lucene:lucene-core:8.8.2
|         |    +--- org.apache.lucene:lucene-analyzers-common:8.8.2
|         |    |    \--- org.apache.lucene:lucene-core:8.8.2
|         |    +--- org.apache.lucene:lucene-queryparser:8.8.2
|         |    |    +--- org.apache.lucene:lucene-core:8.8.2
|         |    |    +--- org.apache.lucene:lucene-queries:8.8.2
|         |    |    \--- org.apache.lucene:lucene-sandbox:8.8.2
|         |    +--- org.apache.velocity:velocity-engine-core:2.3
|         |    |    +--- org.apache.commons:commons-lang3:3.11 -> 3.12.0
|         |    |    \--- org.slf4j:slf4j-api:1.7.30
|         |    +--- com.h2database:h2:1.4.199
|         |    +--- org.glassfish:javax.json:1.1.4
|         |    +--- org.jsoup:jsoup:1.13.1
|         |    +--- com.fasterxml.jackson.core:jackson-databind:2.12.3 (*)
|         |    +--- com.fasterxml.jackson.module:jackson-module-afterburner:2.12.3
|         |    |    +--- com.fasterxml.jackson.core:jackson-core:2.12.3 (*)
|         |    |    \--- com.fasterxml.jackson.core:jackson-databind:2.12.3 (*)
|         |    +--- com.h3xstream.retirejs:retirejs-core:3.0.2
|         |    |    +--- org.json:json:20190722
|         |    |    +--- com.esotericsoftware:minlog:1.3.1
|         |    |    \--- com.github.spullara.mustache.java:compiler:0.9.6
|         |    +--- org.sonatype.ossindex:ossindex-service-client:1.7.0
|         |    |    +--- org.sonatype.ossindex:ossindex-service-api:1.7.0
|         |    |    |    +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
|         |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.9.10 -> 2.12.3 (*)
|         |    |    |    +--- javax.ws.rs:javax.ws.rs-api:2.0.1
|         |    |    |    \--- org.sonatype.goodies:package-url-java:1.1.1
|         |    |    +--- javax.inject:javax.inject:1
|         |    |    +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
|         |    |    +--- org.slf4j:jcl-over-slf4j:1.7.28
|         |    |    |    \--- org.slf4j:slf4j-api:1.7.28 -> 1.7.30
|         |    |    +--- joda-time:joda-time:2.10.4
|         |    |    \--- com.google.code.gson:gson:2.8.5
|         |    +--- com.google.guava:guava:30.1.1-jre
|         |    |    +--- com.google.guava:failureaccess:1.0.1
|         |    |    +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
|         |    |    +--- com.google.code.findbugs:jsr305:3.0.2
|         |    |    +--- org.checkerframework:checker-qual:3.8.0
|         |    |    +--- com.google.errorprone:error_prone_annotations:2.5.1
|         |    |    \--- com.google.j2objc:j2objc-annotations:1.3
|         |    +--- com.moandjiezana.toml:toml4j:0.7.2
|         |    |    \--- com.google.code.gson:gson:2.8.1 -> 2.8.5
|         |    +--- com.hankcs:aho-corasick-double-array-trie:1.2.2
|         |    +--- commons-validator:commons-validator:1.7
|         |    |    +--- commons-beanutils:commons-beanutils:1.9.4
|         |    |    |    +--- commons-logging:commons-logging:1.2
|         |    |    |    \--- commons-collections:commons-collections:3.2.2
|         |    |    +--- commons-digester:commons-digester:2.1
|         |    |    +--- commons-logging:commons-logging:1.2
|         |    |    \--- commons-collections:commons-collections:3.2.2
|         |    \--- commons-beanutils:commons-beanutils:1.9.4 (*)
|         +--- org.owasp:dependency-check-utils:6.1.6 (*)
|         \--- net.gpedro.integrations.slack:slack-webhook:1.4.0
|              \--- com.google.code.gson:gson:2.3.1 -> 2.8.5
+--- com.github.hierynomus.license-report:com.github.hierynomus.license-report.gradle.plugin:0.15.0
|    \--- gradle.plugin.com.hierynomus.gradle.plugins:license-gradle-plugin:0.15.0
|         +--- org.codehaus.plexus:plexus-utils:2.0.5 -> 2.0.6
|         +--- com.mycila.xmltool:xmltool:3.3
|         \--- com.mycila:license-maven-plugin:3.0
|              +--- org.apache.maven:maven-settings:3.0.4
|              |    \--- org.codehaus.plexus:plexus-utils:2.0.6
|              +--- org.apache.maven:maven-settings-builder:3.0.4
|              |    +--- org.codehaus.plexus:plexus-utils:2.0.6
|              |    +--- org.codehaus.plexus:plexus-interpolation:1.14
|              |    +--- org.codehaus.plexus:plexus-component-annotations:1.5.5
|              |    +--- org.apache.maven:maven-settings:3.0.4 (*)
|              |    \--- org.sonatype.plexus:plexus-sec-dispatcher:1.3
|              |         +--- org.codehaus.plexus:plexus-utils:1.5.5 -> 2.0.6
|              |         \--- org.sonatype.plexus:plexus-cipher:1.4
|              +--- org.springframework:spring-core:3.1.3.RELEASE
|              |    +--- org.springframework:spring-asm:3.1.3.RELEASE
|              |    \--- commons-logging:commons-logging:1.1.1 -> 1.2
|              \--- com.mycila:mycila-xmltool:4.4.ga
|                   \--- org.apache.commons:commons-pool2:2.2
+--- com.github.ben-manes.versions:com.github.ben-manes.versions.gradle.plugin:0.36.0
|    \--- com.github.ben-manes:gradle-versions-plugin:0.36.0
|         \--- com.thoughtworks.xstream:xstream:1.4.10
|              +--- xmlpull:xmlpull:1.1.3.1
|              \--- xpp3:xpp3_min:1.1.4c
+--- com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:5.8.2
|    \--- com.diffplug.spotless:spotless-plugin-gradle:5.8.2
|         +--- com.diffplug.spotless:spotless-lib:2.10.2
|         +--- com.diffplug.spotless:spotless-lib-extra:2.10.2
|         |    +--- com.diffplug.spotless:spotless-lib:2.10.2
|         |    +--- com.diffplug.durian:durian-core:1.2.0
|         |    +--- com.diffplug.durian:durian-collect:1.2.0
|         |    |    \--- com.diffplug.durian:durian-core:1.2.0
|         |    +--- org.eclipse.jgit:org.eclipse.jgit:5.9.0.202009080501-r -> 5.11.1.202105131744-r (*)
|         |    +--- com.googlecode.concurrent-trees:concurrent-trees:2.6.1
|         |    \--- org.codehaus.groovy:groovy-xml:3.0.3
|         |         \--- org.codehaus.groovy:groovy:3.0.3
|         +--- com.diffplug.durian:durian-core:1.2.0
|         +--- com.diffplug.durian:durian-io:1.2.0
|         |    +--- com.diffplug.durian:durian-core:1.2.0
|         |    \--- com.diffplug.durian:durian-collect:1.2.0 (*)
|         +--- com.diffplug.durian:durian-collect:1.2.0 (*)
|         \--- org.eclipse.jgit:org.eclipse.jgit:5.9.0.202009080501-r -> 5.11.1.202105131744-r (*)
\--- com.diffplug.eclipse.apt:com.diffplug.eclipse.apt.gradle.plugin:3.26.0
     \--- com.diffplug.gradle:goomph:3.26.0
          +--- org.eclipse.platform:org.eclipse.osgi:3.12.50
          +--- com.diffplug.durian:durian-core:1.2.0
          +--- com.diffplug.durian:durian-collect:1.2.0 (*)
          +--- com.diffplug.durian:durian-io:1.2.0 (*)
          +--- com.diffplug.durian:durian-swt.os:3.0.0
          +--- commons-io:commons-io:2.6 -> 2.8.0
          +--- com.diffplug.spotless:spotless-lib:1.5.1 -> 2.10.2
          +--- com.squareup.okhttp3:okhttp:4.3.1
          |    +--- com.squareup.okio:okio:2.4.1 -> 2.4.3
          |    |    +--- org.jetbrains.kotlin:kotlin-stdlib:1.3.61
          |    |    |    +--- org.jetbrains.kotlin:kotlin-stdlib-common:1.3.61
          |    |    |    \--- org.jetbrains:annotations:13.0
          |    |    \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.3.61
          |    \--- org.jetbrains.kotlin:kotlin-stdlib:1.3.61 (*)
          +--- com.squareup.okio:okio:2.4.3 (*)
          \--- biz.aQute.bnd:biz.aQute.bndlib:5.0.0
               \--- org.slf4j:slf4j-api:1.7.25 -> 1.7.30

(c) - dependency constraint
(*) - dependencies omitted (listed previously)

I also did a dependencyInsight:

% grdl common:dependencyInsight --configuration compileClasspath --dependency com.fasterxml.jackson.core:jackson-databind

    > Task :common:dependencyInsight
    com.fasterxml.jackson.core:jackson-databind:2.11.3 (selected by rule)
       variant "compile" [
          org.gradle.status              = release (not requested)
          org.gradle.usage               = java-api
          org.gradle.libraryelements     = jar (compatible with: classes)
          org.gradle.category            = library

          Requested attributes not found in the selected variant:
             org.gradle.dependency.bundling = external
             org.gradle.jvm.environment     = standard-jvm
             org.gradle.jvm.version         = 11
       ]

    com.fasterxml.jackson.core:jackson-databind:2.11.3
    +--- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.11.3
    |    \--- org.springframework.boot:spring-boot-starter-json:2.4.1
    |         \--- org.springframework.boot:spring-boot-starter-jersey:2.4.1
    |              \--- compileClasspath (requested org.springframework.boot:spring-boot-starter-jersey)
    +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.11.3
    |    +--- compileClasspath (requested com.fasterxml.jackson.datatype:jackson-datatype-jsr310)
    |    \--- org.springframework.boot:spring-boot-starter-json:2.4.1 (*)
    +--- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.11.3
    |    \--- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:2.11.3
    |         \--- compileClasspath (requested com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider)
    +--- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.11.3
    |    +--- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:2.11.3 (*)
    |    \--- org.glassfish.jersey.media:jersey-media-json-jackson:2.32 (requested com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.10.1)
    |         \--- org.springframework.boot:spring-boot-starter-jersey:2.4.1 (*)
    +--- com.fasterxml.jackson.module:jackson-module-parameter-names:2.11.3
    |    \--- org.springframework.boot:spring-boot-starter-json:2.4.1 (*)
    \--- org.springframework.boot:spring-boot-starter-json:2.4.1 (*)

    com.fasterxml.jackson.core:jackson-databind -> 2.11.3
    \--- compileClasspath

    com.fasterxml.jackson.core:jackson-databind:2.6.7.4 -> 2.11.3
    +--- com.amazonaws:aws-java-sdk-core:1.11.1019
    |    +--- com.amazonaws:aws-java-sdk-rds:1.11.1019
    |    |    \--- compileClasspath (requested com.amazonaws:aws-java-sdk-rds)
    |    +--- com.amazonaws:aws-java-sdk-s3:1.11.1019
    |    |    \--- compileClasspath (requested com.amazonaws:aws-java-sdk-s3)
    |    \--- com.amazonaws:aws-java-sdk-kms:1.11.1019
    |         \--- com.amazonaws:aws-java-sdk-s3:1.11.1019 (*)
    \--- com.amazonaws:jmespath-java:1.11.1019
         +--- com.amazonaws:aws-java-sdk-rds:1.11.1019 (*)
         +--- com.amazonaws:aws-java-sdk-s3:1.11.1019 (*)
         \--- com.amazonaws:aws-java-sdk-kms:1.11.1019 (*)

    com.fasterxml.jackson.core:jackson-databind:2.10.1 -> 2.11.3
    \--- org.glassfish.jersey.media:jersey-media-json-jackson:2.32
         \--- org.springframework.boot:spring-boot-starter-jersey:2.4.1
              \--- compileClasspath (requested org.springframework.boot:spring-boot-starter-jersey)

(*) - dependencies omitted (listed previously)

A web-based, searchable dependency report is available by adding the --scan option.
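When the plugin classpath is in doubt, the `gradlew buildEnvironment` and `dependencyInsight` trees above are the raw material to work with, and reading a few hundred tree lines by eye is error-prone. The following is an added example, not code from this issue or from the dependency-check project: a small Python parser for Gradle's tree output that lists every version a coordinate resolved to, every `requested -> resolved` substitution Gradle made, and any occurrence below a minimum version. The sample tree is constructed from lines of the buildEnvironment output above plus one made-up `com.example:constructed-plugin` branch that drags in jackson-databind 2.6.7.4, so the checks have something to find.

```python
"""Parse Gradle dependency-tree output (buildEnvironment / dependencies) and flag version problems."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One tree line, e.g.  "|    +--- com.fasterxml.jackson.core:jackson-annotations:2.9.10 -> 2.12.3 (*)"
LINE_RE = re.compile(
    r"^(?P<prefix>[|\s]*)[+\\]---\s+"
    r"(?P<group>[^:\s]+):(?P<name>[^:\s]+)(?::(?P<requested>\S+))?"
    r"(?:\s+->\s+(?P<resolved>\S+))?"
    r"(?:\s+\((?P<flag>[c*])\))?\s*$"
)

# Constructed sample: real lines from the issue's buildEnvironment output plus a
# made-up "com.example:constructed-plugin" branch pulling in an old jackson-databind.
SAMPLE_TREE = r"""
+--- org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:6.1.6
|    \--- org.owasp:dependency-check-gradle:6.1.6
|         +--- org.owasp:dependency-check-core:6.1.6
|         |    +--- org.owasp:dependency-check-utils:6.1.6
|         |    |    \--- com.fasterxml.jackson.core:jackson-databind:2.12.3
|         |    |         +--- com.fasterxml.jackson.core:jackson-annotations:2.12.3
|         |    |         |    \--- com.fasterxml.jackson:jackson-bom:2.12.3
|         |    |         |         \--- com.fasterxml.jackson.core:jackson-databind:2.12.3 (c)
|         |    |         \--- com.fasterxml.jackson.core:jackson-core:2.12.3
|         |    \--- org.sonatype.ossindex:ossindex-service-api:1.7.0
|         |         \--- com.fasterxml.jackson.core:jackson-annotations:2.9.10 -> 2.12.3 (*)
|         \--- net.gpedro.integrations.slack:slack-webhook:1.4.0
|              \--- com.google.code.gson:gson:2.3.1 -> 2.8.5
\--- com.example:constructed-plugin:1.0
     \--- com.fasterxml.jackson.core:jackson-databind:2.6.7.4
"""


@dataclass(frozen=True)
class Dep:
    group: str
    name: str
    requested: Optional[str]   # version as written by the declaring module
    resolved: str              # version Gradle actually selected
    depth: int                 # nesting level in the tree (0 = direct plugin/dependency)
    constraint: bool           # "(c)" lines are BOM constraints, not real edges

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.name}"


def version_key(version: str):
    """Order versions numerically per dot/dash component; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def parse_tree(text: str) -> List[Dep]:
    """Turn Gradle tree output into Dep records; lines that are not tree edges are skipped."""
    deps: List[Dep] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        requested = m.group("requested")
        resolved = m.group("resolved") or requested
        if resolved is None:
            continue                       # e.g. "project :foo" entries carry no version
        depth = len(m.group("prefix")) // 5  # Gradle indents each level by 5 columns
        deps.append(Dep(m.group("group"), m.group("name"), requested, resolved,
                        depth, m.group("flag") == "c"))
    return deps


def resolved_versions(deps: List[Dep], coordinate: str) -> List[str]:
    """Every distinct version the tree selected for group:name, oldest first (constraints excluded)."""
    versions = {d.resolved for d in deps if d.coordinate == coordinate and not d.constraint}
    return sorted(versions, key=version_key)


def version_conflicts(deps: List[Dep]) -> List[Dep]:
    """Edges where Gradle substituted a different version than the one requested ("a -> b")."""
    return [d for d in deps if d.requested != d.resolved]


def below_minimum(deps: List[Dep], coordinate: str, minimum: str) -> List[Dep]:
    """Real (non-constraint) occurrences of group:name resolved to a version older than minimum."""
    return [d for d in deps
            if d.coordinate == coordinate and not d.constraint
            and version_key(d.resolved) < version_key(minimum)]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    target = "com.fasterxml.jackson.core:jackson-databind"
    print(f"{target} resolved to: {resolved_versions(tree, target)}")
    for d in version_conflicts(tree):
        print(f"substituted: {d.coordinate} {d.requested} -> {d.resolved} (depth {d.depth})")
    for d in below_minimum(tree, target, "2.12.0"):
        print(f"OLD: {d.coordinate}:{d.resolved} at depth {d.depth}")
```

In practice you would pipe `./gradlew buildEnvironment` (or `dependencies --configuration ...`) into `parse_tree` instead of the constructed sample. Note what this check can and cannot tell you: it reports what Gradle resolved for the buildscript classpath, which in this issue was a clean 2.12.3, so a tree that looks fine does not rule out the plugin picking up a JAR from the project being scanned, which is the reporter's actual finding.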

Lucas3oo commented 3 years ago

Actually, every second time or so I get this exception instead:

    Caused by: java.lang.NoClassDefFoundError: Could not initialize class com.fasterxml.jackson.databind.SerializationConfig
        at com.fasterxml.jackson.databind.ObjectMapper.(ObjectMapper.java:642)
        at com.fasterxml.jackson.databind.ObjectMapper.(ObjectMapper.java:558)
        at org.owasp.dependencycheck.utils.Settings.(Settings.java:88)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

It is weird since com/fasterxml/jackson/databind/SerializationConfig.class is in GRADLE_HOME/wrapper/dists/gradle-7.0.2-bin/857tjihv64xamwrf0h14cai3r/gradle-7.0.2/lib/plugins/jackson-databind-2.12.1.jar

If I stop the Gradle daemon, then I get: Execution failed for task ':dependencyCheckUpdate'.

'com.fasterxml.jackson.annotation.JsonFormat$Value com.fasterxml.jackson.annotation.JsonFormat$Value.empty()'

And the next time, when the daemon is running, I get: Execution failed for task ':dependencyCheckUpdate'.

Could not initialize class com.fasterxml.jackson.databind.SerializationConfig

Lucas3oo commented 3 years ago

https://stackoverflow.com/questions/36689525/jackson-annotation-jsonformatvalue-json-java-lang-nosuchmethoderror seems to mention that 2.6 doesn't have the "Value" method.

So it seems that in some way dependency-check gets to use an old jackson-databind JAR.

Is there some other way to check the classpath of the plugins except gradlew buildEnvironment?

jeremylong commented 3 years ago

The only way I know of is to use gradlew buildEnvironment. The longer-term fix for this type of problem is that the plugin needs to switch to using the Worker API, as mentioned here: https://github.com/jeremylong/DependencyCheck/issues/3213#issuecomment-804883458