jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

java.lang.NoSuchMethodError: 'java.nio.charset.Charset org.apache.commons.io.Charsets.toCharset(java.nio.charset.Charset, java.nio.charset.Charset)' #6611

Closed rburgst closed 3 weeks ago

rburgst commented 1 month ago

Describe the bug
The Gradle plugin fails on analyzing a Spring Boot 3.2.5 project with the error

java.lang.NoSuchMethodError: 'java.nio.charset.Charset org.apache.commons.io.Charsets.toCharset(java.nio.charset.Charset, java.nio.charset.Charset)'

Version of dependency-check used
The problem occurs using version 9.1.0 of the Gradle plugin

Log file

An unexpected error occurred during analysis of '/Users/Rainer.Burgstaller/.gradle/caches/modules-2/files-2.1/com.h2database/h2/2.2.224/7bdade27d8cd197d9b5ce9dc251f41d2edc5f7ad/h2-2.2.224.jar' (Archive Analyzer): 'java.nio.charset.Charset org.apache.commons.io.Charsets.toCharset(java.nio.charset.Charset, java.nio.charset.Charset)'

java.lang.NoSuchMethodError: 'java.nio.charset.Charset org.apache.commons.io.Charsets.toCharset(java.nio.charset.Charset, java.nio.charset.Charset)'
        at org.apache.commons.compress.archivers.zip.ZipFile.<init>(ZipFile.java:858)
        at org.apache.commons.compress.archivers.zip.ZipFile.<init>(ZipFile.java:930)
        at org.apache.commons.compress.archivers.zip.ZipFile.<init>(ZipFile.java:818)
        at org.apache.commons.compress.archivers.zip.ZipFile.<init>(ZipFile.java:794)
        at org.apache.commons.compress.archivers.zip.ZipFile.<init>(ZipFile.java:779)
        at org.apache.commons.compress.archivers.zip.ZipFile.<init>(ZipFile.java:942)
        at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.isZipFileActuallyJarFile(ArchiveAnalyzer.java:731)
        at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.addDisguisedJarsToDependencies(ArchiveAnalyzer.java:348)
        at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractAndAnalyze(ArchiveAnalyzer.java:334)
        at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractAndAnalyze(ArchiveAnalyzer.java:317)
        at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.analyzeDependency(ArchiveAnalyzer.java:277)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
        at java.base/java.lang.Thread.run(Thread.java:1583)

> Task :dependencyCheckAggregate

To Reproduce
Steps to reproduce the behavior:

  1. run gradlew dependencyCheckAggregate (or analyze, does not matter)
  2. see the error

Expected behavior
No error should happen

Additional context
In my buildSrc/build.gradle I have the following dependency, which might be related?

dependencies {
    implementation 'commons-io:commons-io:2.11.0'
...
}

rburgst commented 1 month ago

Yes, the problem is gone once I remove the dependency in my buildSrc/build.gradle. The question is why this is happening (actually, it was working before I upgraded all dependencies of the app).

nhumblot commented 3 weeks ago

Hi! Thank you for reporting your issue.

DependencyCheck 9.1.0 is using commons-io:commons-io:2.15.0, you may face a dependency version resolution issue.

The failing method seems to have been added in commons-io:commons-io:2.12.0:

    /**
     * Returns the given charset if non-null, otherwise return defaultCharset.
     *
     * @param charset The charset to test, may be null.
     * @param defaultCharset The charset to return if charset is null, may be null.
     * @return a Charset .
     * @since 2.12.0
     */
    public static Charset toCharset(final Charset charset, final Charset defaultCharset) {
        return charset == null ? defaultCharset : charset;
    }

Do you see any improvement by upgrading to the commons-io:commons-io:2.12.0 version?
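
The build-script side of the version mismatch described in this thread, as an added example that is not part of the issue or of the dependency-check project. It assumes the root build wires buildSrc the usual way: whatever sits on buildSrc's runtime classpath is placed on the root build's script classpath ahead of the jars that plugins such as dependency-check resolve, so a commons-io 2.11.0 `Charsets` class from buildSrc shadows the 2.15.0 one the plugin was compiled against. The task name `whichCommonsIo` is hypothetical; the versions 2.11.0, 2.12.0 and 2.15.0 are the ones named in the thread.

```groovy
// ---- buildSrc/build.gradle (added example; plugins block is an assumption,
//      adjust to whatever the buildSrc already applies) ----
plugins {
    id 'groovy'
}

repositories {
    mavenCentral()
}

dependencies {
    // Weak setting, as in the original report. 2.11.0 predates
    // Charsets.toCharset(Charset, Charset) (added in 2.12.0), and because
    // buildSrc is resolved as its own build, Gradle's highest-version conflict
    // resolution never sees the 2.15.0 that dependency-check 9.1.0 requests.
    //
    //   implementation 'commons-io:commons-io:2.11.0'

    // Corrected: if buildSrc genuinely needs commons-io, declare a version at
    // least as new as the one the plugin ships, or drop the declaration, as the
    // reporter eventually did.
    implementation 'commons-io:commons-io:2.15.0'
}

// ---- root build.gradle: diagnostic task (hypothetical name) ----
// Loads Charsets through the build-script classloader, which is the loader the
// dependency-check plugin runs under, then reports which jar supplied the class
// and whether the 2.12.0+ overload is present. Failing here gives a clear
// message instead of a NoSuchMethodError halfway through the analysis.
tasks.register('whichCommonsIo') {
    doLast {
        Class<?> charsets = Class.forName('org.apache.commons.io.Charsets')
        println "Charsets loaded from: ${charsets.protectionDomain.codeSource.location}"

        boolean hasOverload = charsets.methods.any { m ->
            m.name == 'toCharset' &&
            m.parameterTypes*.name == ['java.nio.charset.Charset', 'java.nio.charset.Charset']
        }
        println "toCharset(Charset, Charset) available: ${hasOverload}"

        if (!hasOverload) {
            throw new GradleException(
                'commons-io older than 2.12.0 is on the build-script classpath; ' +
                'dependency-check 9.1.0 needs the toCharset(Charset, Charset) overload')
        }
    }
}
```

Run `./gradlew whichCommonsIo` to see which jar wins on the script classpath; `./gradlew -p buildSrc dependencies --configuration runtimeClasspath` shows the commons-io version buildSrc itself resolved, which is the one that ends up shadowing the plugin's.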

rburgst commented 3 weeks ago

Yes, actually I removed the dependency in my buildSrc/build.gradle as I wasn't needing it after all. It's just funny that Gradle didn't automatically upgrade the dependency as dependencycheck would specify the newer version.