spotbugs / spotbugs-gradle-plugin

https://plugins.gradle.org/plugin/com.github.spotbugs
Apache License 2.0

NoSuchMethodError due to wrong commons-lang3 version when using plugin #1197

Closed chadlwilson closed 2 months ago

chadlwilson commented 2 months ago

I'm not sure if this is an issue specific to the Gradle plugin, but when using this plugin to install spotbugs, Gradle seems to be resolving the wrong version of commons-lang3 due to a conflict between the version needed by BCEL 3.9.0 (needs 3.13.0+), the one spotbugs depends on directly, and the one that commons-text defaults to (3.12.0).

edu.umd.cs.findbugs.ba.AnalysisException: Exeption was thrown during analysis
        at edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$3(FindBugs2.java:1125)
        at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
        at edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
        at edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
        at edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
        at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)
Caused by: java.util.concurrent.ExecutionException: java.lang.NoSuchMethodError: 'java.util.stream.Stream org.apache.commons.lang3.stream.Streams.of(java.lang.Object[])'
        at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
        at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
        at edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$3(FindBugs2.java:1120)
        ... 5 more
Caused by: java.lang.NoSuchMethodError: 'java.util.stream.Stream org.apache.commons.lang3.stream.Streams.of(java.lang.Object[])'
        at org.apache.bcel.classfile.AnnotationEntry.createAnnotationEntries(AnnotationEntry.java:39)
        at org.apache.bcel.classfile.JavaClass.getAnnotationEntries(JavaClass.java:479)
        at edu.umd.cs.findbugs.BugInstance.addJavaAnnotationNames(BugInstance.java:2115)
        at edu.umd.cs.findbugs.BugInstance.add(BugInstance.java:2136)
        at edu.umd.cs.findbugs.BugInstance.addClass(BugInstance.java:958)
        at edu.umd.cs.findbugs.BugInstance.addClass(BugInstance.java:1016)
        at edu.umd.cs.findbugs.BugInstance.addClassAndMethod(BugInstance.java:851)
        at edu.umd.cs.findbugs.detect.EqualsOperandShouldHaveClassCompatibleWithThis.check(EqualsOperandShouldHaveClassCompatibleWithThis.java:124)
        at edu.umd.cs.findbugs.detect.EqualsOperandShouldHaveClassCompatibleWithThis.sawOpcode(EqualsOperandShouldHaveClassCompatibleWithThis.java:79)
        at edu.umd.cs.findbugs.visitclass.DismantleBytecode.visit(DismantleBytecode.java:885)
        at edu.umd.cs.findbugs.detect.EqualsOperandShouldHaveClassCompatibleWithThis.visit(EqualsOperandShouldHaveClassCompatibleWithThis.java:59)
        at edu.umd.cs.findbugs.visitclass.BetterVisitor.visitCode(BetterVisitor.java:218)
        at edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitCode(PreorderVisitor.java:251)
        at edu.umd.cs.findbugs.bcel.OpcodeStackDetector.visitCode(OpcodeStackDetector.java:65)
        at org.apache.bcel.classfile.Code.accept(Code.java:145)
        at edu.umd.cs.findbugs.visitclass.PreorderVisitor.doVisitMethod(PreorderVisitor.java:323)
        at edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitJavaClass(PreorderVisitor.java:405)
        at org.apache.bcel.classfile.JavaClass.accept(JavaClass.java:249)
        at edu.umd.cs.findbugs.BytecodeScanningDetector.visitClassContext(BytecodeScanningDetector.java:38)
        at edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
        at edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
        at java.base/java.util.concurrent.AbstractExecutorService.invokeAll(AbstractExecutorService.java:242)
        ... 4 more

As you can see, Gradle is resolving it as shown below (extracting the relevant bits):

spotbugs - configuration for the SpotBugs engine
\--- com.github.spotbugs:spotbugs:4.8.6

     +--- org.apache.bcel:bcel:6.9.0
     |    \--- org.apache.commons:commons-lang3:3.14.0 -> 3.12.0

     +--- org.apache.commons:commons-lang3:3.14.0 -> 3.12.0

     +--- org.apache.commons:commons-text:1.10.0
     |    \--- org.apache.commons:commons-lang3:3.12.0

The Spotbugs full distribution includes the correct version of commons-lang3 (3.14.0) so not sure what is going wrong here. Also could not figure out a workaround.

Gradle Version: 8.8
spotbugs-gradle-plugin version: 6.0.18

This actually seems like a Gradle bug or Gradle metadata problem, but it's rather odd. Any ideas?

Full resolution:

spotbugs - configuration for the SpotBugs engine
\--- com.github.spotbugs:spotbugs:4.8.6
     +--- jaxen:jaxen:2.0.0 -> 1.2.0
     +--- net.sf.saxon:Saxon-HE:12.4
     |    \--- org.xmlresolver:xmlresolver:5.2.2
     |         +--- org.apache.httpcomponents.client5:httpclient5:5.1.3 -> 5.1.4
     |         |    +--- org.apache.httpcomponents.core5:httpcore5:5.1.5
     |         |    +--- org.apache.httpcomponents.core5:httpcore5-h2:5.1.5
     |         |    |    \--- org.apache.httpcomponents.core5:httpcore5:5.1.5
     |         |    +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.36
     |         |    \--- commons-codec:commons-codec:1.15
     |         \--- org.apache.httpcomponents.core5:httpcore5:5.1.3 -> 5.1.5
     +--- org.apache.logging.log4j:log4j-core:2.23.1 -> 2.17.2
     |    \--- org.apache.logging.log4j:log4j-api:2.17.2
     +--- org.ow2.asm:asm:9.7
     +--- org.ow2.asm:asm-analysis:9.7
     |    \--- org.ow2.asm:asm-tree:9.7
     |         \--- org.ow2.asm:asm:9.7
     +--- org.ow2.asm:asm-commons:9.7
     |    +--- org.ow2.asm:asm:9.7
     |    \--- org.ow2.asm:asm-tree:9.7 (*)
     +--- org.ow2.asm:asm-tree:9.7 (*)
     +--- org.ow2.asm:asm-util:9.7
     |    +--- org.ow2.asm:asm:9.7
     |    +--- org.ow2.asm:asm-tree:9.7 (*)
     |    \--- org.ow2.asm:asm-analysis:9.7 (*)
     +--- org.apache.bcel:bcel:6.9.0
     |    \--- org.apache.commons:commons-lang3:3.14.0 -> 3.12.0
     +--- com.github.stephenc.jcip:jcip-annotations:1.0-1
     +--- org.dom4j:dom4j:2.1.4
     +--- org.apache.commons:commons-lang3:3.14.0 -> 3.12.0
     +--- org.apache.commons:commons-text:1.10.0
     |    \--- org.apache.commons:commons-lang3:3.12.0
     +--- org.slf4j:slf4j-api:2.0.13 -> 1.7.36
     +--- com.github.spotbugs:spotbugs-annotations:4.8.6
     |    +--- com.google.code.findbugs:jsr305:3.0.2
     |    \--- org.apache.logging.log4j:log4j-core:{strictly [2.17.1, 3[} -> 2.17.2 (c)
     +--- com.google.code.gson:gson:2.11.0 -> 2.9.1
     \--- org.apache.logging.log4j:log4j-core:{strictly [2.17.1, 3[} -> 2.17.2 (c)

chadlwilson commented 2 months ago

Ignore, this was due to Spring Dependency Management Gradle plugin forcing a downgrade even within the spotbugs configuration.

hexagon-ecosys commented 1 month ago

For those wondering how this is done when using the Spring BOM plugin, see https://docs.spring.io/spring-boot/appendix/dependency-versions/properties.html#appendix.dependency-versions.properties

TLDR - Add this to your Gradle file:

ext['commons-lang3.version']='3.13.0'
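
Added example, not part of the thread or of the plugin's code: a small Python check that reads the text of a Gradle dependency tree like the one posted above and lists every module whose resolved version is lower than the requested one, which is the pattern that caused the `NoSuchMethodError` here. The function names are hypothetical, and version comparison is simplified to the leading dotted-numeric part (qualifiers such as `-RC1` are ignored).

```python
import re

# One tree entry: "<+ or \>--- group:name:requested [-> resolved]"
ENTRY = re.compile(r"[+\\]--- ([^:\s]+:[^:\s]+):(\{[^}]*\}|\S+)(?: -> (\S+))?")

# Excerpt of the resolution output posted in the issue above.
SAMPLE_TREE = r"""
\--- com.github.spotbugs:spotbugs:4.8.6
     +--- jaxen:jaxen:2.0.0 -> 1.2.0
     |         |    +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.36
     +--- org.apache.logging.log4j:log4j-core:2.23.1 -> 2.17.2
     +--- org.apache.bcel:bcel:6.9.0
     |    \--- org.apache.commons:commons-lang3:3.14.0 -> 3.12.0
     +--- org.apache.commons:commons-lang3:3.14.0 -> 3.12.0
     +--- org.apache.commons:commons-text:1.10.0
     |    \--- org.apache.commons:commons-lang3:3.12.0
     +--- org.slf4j:slf4j-api:2.0.13 -> 1.7.36
     \--- org.apache.logging.log4j:log4j-core:{strictly [2.17.1, 3[} -> 2.17.2 (c)
"""

def version_key(version):
    """Leading dotted-numeric part as a tuple; None when there is none."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group().split(".")) if m else None

def is_downgrade(requested, resolved):
    a, b = version_key(requested), version_key(resolved)
    if a is None or b is None:
        return False  # rich constraints such as {strictly ...} are not compared
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return b < a

def find_downgrades(tree_text):
    """Return sorted unique (module, requested, resolved) where resolved < requested."""
    hits = set()
    for line in tree_text.splitlines():
        m = ENTRY.search(line)
        if m and m.group(3) and is_downgrade(m.group(2), m.group(3)):
            hits.add(m.groups())
    return sorted(hits)

if __name__ == "__main__":
    for module, requested, resolved in find_downgrades(SAMPLE_TREE):
        print(f"{module}: requested {requested}, resolved {resolved}")
```

Run against the full tree of a tool configuration in CI, a non-empty result is a prompt to check whether a BOM or dependency-management plugin is pinning versions the tool was not built against.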