jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Report writing fails due to missing class: StringEscapeUtils #6667

Closed cirata-trev closed 5 months ago

cirata-trev commented 5 months ago

Describe the bug
When running dependencyCheckAnalyze from gradle in our project, the report writing fails and we see the following in the gradle task output:

FAILURE: Build failed with an exception.

  • What went wrong: Execution failed for task ':standalone-shell:dependencyCheckAnalyze'. Could not initialize class org.apache.commons.text.StringEscapeUtils

The debug log output isn't helpful in giving any more information. However, running ./gradlew dependencyCheckAnalyze --scan does show the stacktrace and a little more information which seems to indicate that the (Apache Commons) StringEscapeUtils class isn't found.

The dependency-check report is partially written and ends with:

Project: 

Version of dependency-check used
The problem occurs using version 9.1.0 of the gradle plugin.

Log file
https://gist.github.com/wandisco-trev/a88fc49683ad68e2de4d22c0e0b1e175

To Reproduce
Steps to reproduce the behavior:

  1. ./gradlew dependencyCheckAnalyze
  2. Error above occurs and output file is partially written

Expected behavior
I expect the report to be generated.

Additional context
Using gradle 7.6.4 although the problem is also reproducible on gradle 8.5. Sometimes it manifests as the inability to find the Range.of(Comparable, Comparable) method.

cirata-trev commented 5 months ago

The stacktrace from the gradle scan is:

Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.apache.commons.text.StringEscapeUtils
    at org.owasp.dependencycheck.reporting.EscapeTool.html(EscapeTool.java:74)
    at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:571)
    at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:554)
    at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:221)
    at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
    at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
    at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
    at org.apache.velocity.runtime.RuntimeInstance.render(RuntimeInstance.java:1519)
    at org.apache.velocity.runtime.RuntimeInstance.evaluate(RuntimeInstance.java:1450)
    at org.apache.velocity.app.VelocityEngine.evaluate(VelocityEngine.java:239)
    at org.owasp.dependencycheck.reporting.ReportGenerator.processTemplate(ReportGenerator.java:470)
    at org.owasp.dependencycheck.reporting.ReportGenerator.processTemplate(ReportGenerator.java:428)
    at org.owasp.dependencycheck.reporting.ReportGenerator.write(ReportGenerator.java:359)
    at org.owasp.dependencycheck.reporting.ReportGenerator.write(ReportGenerator.java:326)
    at org.owasp.dependencycheck.Engine.writeReports(Engine.java:1264)
    at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:120)
    at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:125)
    at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:58)

aikebah commented 5 months ago

Looks like you have an incompatible version of apache commons-text on the classpath of your Gradle build that is overriding the transitive dependency of the Gradle plugin.

aikebah commented 5 months ago

FYI dependencyCheck expects version 1.11.0 on the classpath

Based on your gist (the link you have put in was wrong, but I managed to uncover the gist based on your github account) I suspect that Gradle puts version 1.9.0 on the classpath

cirata-trev commented 5 months ago

Which classpath is the dependency-check using? When I run the gradle dependencies task, the only time commons-text appears is as a spotbugs dependency (commons-text:1.10.0). However, the scanConfiguration property for the dependency-check does not include spotbugs, for obvious reasons.

jeremylong commented 5 months ago

./gradlew buildEnv

cirata-trev commented 5 months ago

Ah, got it thanks. It looks like the nebula plugin was causing the issues. Thanks very much for the help, this is now resolved.
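
The diagnosis in this thread (another plugin on the buildscript classpath pulling in an older commons-text than the 1.11.0 dependency-check expects, visible via ./gradlew buildEnvironment) can be checked mechanically. The following is an added example, not code from the issue or from the dependency-check project: it parses the dependency tree that `./gradlew buildEnvironment` prints for the buildscript classpath and names the plugin that requested the conflicting version. The sample tree is constructed, and `com.example:some-other-plugin` is a placeholder, not a real artifact.

```python
import re

# Version of commons-text that dependency-check expects on the classpath (per the thread).
EXPECTED_COMMONS_TEXT = "1.11.0"
TARGET = "org.apache.commons:commons-text"

# Constructed sample of `./gradlew buildEnvironment` output (not real plugin coordinates
# for the second plugin). Gradle prints "requested -> resolved" where it resolved a conflict.
SAMPLE_BUILD_ENV = """\
classpath
+--- org.owasp:dependency-check-gradle:9.1.0
|    \\--- org.owasp:dependency-check-core:9.1.0
|         +--- org.apache.commons:commons-text:1.11.0 -> 1.9.0
|         \\--- org.apache.commons:commons-lang3:3.14.0
\\--- com.example:some-other-plugin:1.0
     \\--- org.apache.commons:commons-text:1.9.0
"""

# A tree line is a prefix of tree-drawing characters, then group:artifact:requested,
# optionally followed by " -> resolved". Each nesting level is 5 characters wide.
LINE_RE = re.compile(
    r"^(?P<prefix>[|\\+\- ]*)(?P<ga>[^:\s]+:[^:\s]+):(?P<req>\S+)(?: -> (?P<res>\S+))?"
)


def commons_text_versions(tree_text, target=TARGET):
    """Map each top-level buildscript plugin to the (requested, resolved) pairs of `target`."""
    found = {}
    top_level = None
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header line such as "classpath", or unrelated text
            continue
        depth = len(m.group("prefix")) // 5
        if depth == 1:  # a direct buildscript dependency, i.e. a plugin
            top_level = f"{m.group('ga')}:{m.group('req')}"
        if m.group("ga") == target:
            resolved = m.group("res") or m.group("req")
            found.setdefault(top_level, []).append((m.group("req"), resolved))
    return found


def culprit_plugins(tree_text, expected=EXPECTED_COMMONS_TEXT):
    """Plugins that *request* a commons-text version other than the expected one."""
    return sorted(plugin for plugin, pairs in commons_text_versions(tree_text).items()
                  if any(req != expected for req, _ in pairs))


def resolved_versions(tree_text):
    """The set of commons-text versions Gradle actually put on the classpath."""
    return {res for pairs in commons_text_versions(tree_text).values() for _, res in pairs}


if __name__ == "__main__":
    print("resolved:", resolved_versions(SAMPLE_BUILD_ENV))
    print("culprits:", culprit_plugins(SAMPLE_BUILD_ENV))
```

To use it on a real build, pipe the output of ./gradlew buildEnvironment into `commons_text_versions` instead of the constructed sample.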