search

openrewrite / rewrite-java-security

OpenRewrite recipes for patching Java security vulnerabilities.
Apache License 2.0
16 stars 14 forks source link

NoClassDefFoundError for AbstractRefasterJavaVisitor using rewrite-maven-plugin 5.8.1 #110

Closed arburk closed 8 months ago

arburk commented 8 months ago

I've experienced issue using maven with following configuration in pom.xml

<plugin>
  <groupId>org.openrewrite.maven</groupId>
  <artifactId>rewrite-maven-plugin</artifactId>
  <version>5.8.1</version>
  <configuration>
    <activeRecipes>org.openrewrite.java.security.JavaSecurityBestPractices</activeRecipes>
  </configuration>
  <dependencies>
    <dependency>
      <groupId>org.openrewrite.recipe</groupId>
      <artifactId>rewrite-java-security</artifactId>
      <version>2.0.5</version>
    </dependency>
  </dependencies>
</plugin>

executing mvn rewrite:run results in 

[INFO] --- rewrite:5.8.1:run (default-cli) @ myproject ---
[INFO] Using active recipe(s) [org.openrewrite.java.security.JavaSecurityBestPractices]
[INFO] Using active styles(s) []
[WARNING] Unable to configure org.openrewrite.java.migrate.apache.commons.io.ApacheCommonsFileUtilsRecipes
Unable to configure org.openrewrite.java.migrate.apache.commons.io.ApacheCommonsFileUtilsRecipes

java.lang.NoClassDefFoundError: org/openrewrite/java/internal/template/AbstractRefasterJavaVisitor
    at java.lang.ClassLoader.defineClass1 (Native Method)
    at java.lang.ClassLoader.defineClass (ClassLoader.java:1016)
    [...]
    at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass (ClassRealm.java:239)
    at org.openrewrite.java.migrate.apache.commons.io.ApacheCommonsFileUtilsRecipes.getRecipeList (ApacheCommonsFileUtilsRecipes.java:37)
    at org.openrewrite.Recipe.createRecipeDescriptor (Recipe.java:152)
    at org.openrewrite.Recipe.getDescriptor (Recipe.java:144)
    at org.openrewrite.config.ClasspathScanningLoader.configureRecipes (ClasspathScanningLoader.java:176)
   [...]
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:348)
    at org.codehaus.classworlds.Launcher.main (Launcher.java:47)
Caused by: java.lang.ClassNotFoundException: org.openrewrite.java.internal.template.AbstractRefasterJavaVisitor
    at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass (SelfFirstStrategy.java:50)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.unsynchronizedLoadClass (ClassRealm.java:271)
    [...]
    at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass (ClassRealm.java:239)
    at org.openrewrite.java.migrate.apache.commons.io.ApacheCommonsFileUtilsRecipes.getRecipeList (ApacheCommonsFileUtilsRecipes.java:37)
    at org.openrewrite.Recipe.createRecipeDescriptor (Recipe.java:152)
    at org.openrewrite.Recipe.getDescriptor (Recipe.java:144)
   [...]
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:348)
    at org.codehaus.classworlds.Launcher.main (Launcher.java:47)
[WARNING] Unable to configure org.openrewrite.java.migrate.apache.commons.lang.ApacheCommonsStringUtilsRecipes
Unable to configure org.openrewrite.java.migrate.apache.commons.lang.ApacheCommonsStringUtilsRecipes

Found commit https://github.com/openrewrite/rewrite/commit/7ef3ffcb9d659eb57437ad47dce3ed474b719117 where related file AbstractRefasterJavaVisitor.java has been removed. So downgrading maven plugin to version 5.5.2 solves the issue.

Can you please fix the issue for current maven-plugin, too? That would be great. Thx

timtebeek commented 8 months ago

Hi @arburk ; thanks for the detailed report, and taking the time to find the associated commit. We've moved that class into rewrite-templating, such that it's closer to where it's used. You should no longer have any issue if you use our snapshot versions.

The next release should pick up compatible versions of all modules, in particular when you use the rewrite-recipe-bom. We expect to do another release in the next week or so.

Does that indeed resolve your issue?

arburk commented 8 months ago

Hi @timtebeek Thank your for your quick fix and reply. Just re-run with snapshot version 5.8.1-SNAPSHOT and the problem still persists with same exception.

knutwannheden commented 8 months ago

There was indeed a recent rewrite-recipe-bom release, but since no rewrite-migrate-java release went out in the past 3 weeks, that is the cause of this misalignment. We will make sure to fix this with new releases across the recipe repos.

arburk commented 8 months ago

Issue has been resolved with recent releases org.openrewrite.maven:rewrite-maven-plugin:5.9.1 and org.openrewrite.recipe:rewrite-java-security:2.0.6.