spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0

spring-boot-buildpack-platform depends on Jackson 1.14.2 #42602

Closed fmunch closed 2 hours ago

fmunch commented 2 hours ago

Right now spring-boot-buildpack-platform 3.3.4 depends on Jackson 2.14.2 instead of 2.17.2 like the rest of Spring Boot 3.3.4: https://central.sonatype.com/artifact/org.springframework.boot/spring-boot-buildpack-platform/3.3.4/dependencies

This seems weird, especially since this prevents using the org.cyclonedx.bom plugin in version 1.10.0.

Sample project: https://github.com/fmunch/spring-boot-gradle-cyclonedx

When running gradle cyclonedxBom it generates the SBOM successfully since I forced the dependencies to 2.17.2. But if you remove both Jackson lines in buildSrc/build.gradle the task fails with:

java.lang.NoSuchMethodError: 'void com.fasterxml.jackson.core.base.GeneratorBase.<init>(int, com.fasterxml.jackson.core.ObjectCodec, com.fasterxml.jackson.core.io.IOContext)'

CycloneDX 1.10.0 uses Jackson 2.17.2.

Runtime classpath in buildSrc:

runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-gradle-plugin:3.3.4
|    +--- org.springframework.boot:spring-boot-buildpack-platform:3.3.4
|    |    +--- com.fasterxml.jackson.core:jackson-databind:2.14.2
...
|    |    +--- com.fasterxml.jackson.module:jackson-module-parameter-names:2.14.2
...
wilkinsona commented 2 hours ago

This is intentional as more recent versions of Jackson contain a multi-release jar file that contains byte code that causes versions of Gradle that we support to fail when they try to process it.

Typically, Gradle's version conflict resolution would upgrade Jackson to the latest of the requested versions. This isn't happening here because the dependencies are split across two separate class loaders. In other words, this is a duplicate of #42601, as both projects have the same solution, which is to depend on the CycloneDX plugin in buildSrc.

Here's a revision of the suggestion for #42601 that removes the Jackson dependencies as well:

diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index 652faac..1e0a169 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -5,13 +5,11 @@ plugins {

 repositories {
     mavenCentral()
+    gradlePluginPortal()
 }

 dependencies {
-    // prevents spring-boot-buildpack-platform from pulling 2.14.2
-    implementation 'com.fasterxml.jackson.core:jackson-databind:2.17.2'
-    implementation 'com.fasterxml.jackson.module:jackson-module-parameter-names:2.17.2'
-
     implementation 'org.springframework.boot:spring-boot-gradle-plugin:3.3.4'
     implementation 'io.spring.gradle:dependency-management-plugin:1.1.6'
+    implementation 'org.cyclonedx:cyclonedx-gradle-plugin:1.10.0'
 }
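Review bot: the deleted comment on the two Jackson pins was the only record of why this build cares about Jackson versions, and the new `implementation 'org.cyclonedx:cyclonedx-gradle-plugin:1.10.0'` line carries no explanation; add a comment there stating that the plugin must sit on buildSrc's classpath so it shares one class loader (and one conflict resolution) with spring-boot-buildpack-platform, otherwise the next reader will move it back into the project's plugins block and reintroduce the NoSuchMethodError. Also, `gradlePluginPortal()` is added as an unrestricted second repository for every buildSrc dependency, not just the plugin; if only the CycloneDX artifact needs it, scope it with a content filter, e.g. `gradlePluginPortal { content { includeGroup 'org.cyclonedx' } }`, so the Spring artifacts keep resolving from mavenCentral() alone.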
diff --git a/server/build.gradle b/server/build.gradle
index 3990375..486d825 100644
--- a/server/build.gradle
+++ b/server/build.gradle
@@ -1,6 +1,6 @@
 plugins {
     id 'custom.spring'
-    id 'org.cyclonedx.bom' version '1.10.0'
+    id 'org.cyclonedx.bom'
 }
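Review bot: `id 'org.cyclonedx.bom'` with no version reads like a mistake to anyone who does not know the version is now fixed by the buildSrc dependency, and this line will fail with a "plugin not found" error if that buildSrc dependency is ever removed; add a comment next to the id saying that the version comes from buildSrc and must not be repeated here, since Gradle rejects a versioned plugin request for a plugin that is already on the classpath.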

This works as expected:

$ ./gradlew --console=plain bootJar
Starting a Gradle Daemon (subsequent builds will be faster)
> Task :buildSrc:extractPluginRequests
> Task :buildSrc:generatePluginAdapters
> Task :buildSrc:compileJava
> Task :buildSrc:compileGroovy NO-SOURCE
> Task :buildSrc:compileGroovyPlugins
> Task :buildSrc:pluginDescriptors
> Task :buildSrc:processResources
> Task :buildSrc:classes
> Task :buildSrc:jar
> Task :server:compileJava
> Task :server:cyclonedxBom
> Task :server:processResources
> Task :server:classes
> Task :server:resolveMainClassName
> Task :server:bootJar

BUILD SUCCESSFUL in 12s
12 actionable tasks: 12 executed
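As an added check for the class-loader split described above (example code written for this page, not from the issue, the sample project or Spring Boot): a script that parses two Gradle dependency trees, the output of `./gradlew -p buildSrc dependencies --configuration runtimeClasspath` and of `./gradlew -p server buildEnvironment`, and lists every module that resolves to different versions in the two class loaders. Gradle reconciles versions only inside one configuration, so a module already on buildSrc's classpath is not upgraded by a newer version requested in a project's plugins block; the script makes that disagreement visible before it surfaces as a NoSuchMethodError. The three trees are constructed excerpts: the CycloneDX plugin's subtree and the exact shape of the "fixed" tree are assumptions, not copied from the real POMs.

```python
import re

# Constructed excerpt of `./gradlew -p buildSrc dependencies --configuration runtimeClasspath`
# for the build in the issue (Spring Boot 3.3.4 in buildSrc). Tree shape is illustrative.
BUILDSRC_RUNTIME = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-gradle-plugin:3.3.4
|    +--- org.springframework.boot:spring-boot-buildpack-platform:3.3.4
|    |    +--- com.fasterxml.jackson.core:jackson-databind:2.14.2
|    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.14.2
|    |    |    \--- com.fasterxml.jackson.core:jackson-core:2.14.2
|    |    \--- com.fasterxml.jackson.module:jackson-module-parameter-names:2.14.2
\--- io.spring.gradle:dependency-management-plugin:1.1.6
"""

# Constructed excerpt of `./gradlew -p server buildEnvironment` with the CycloneDX plugin
# requested from the project's plugins {} block. The plugin's own subtree is an assumption.
SERVER_BUILDSCRIPT = r"""
classpath
\--- org.cyclonedx.bom:org.cyclonedx.bom.gradle.plugin:1.10.0
     \--- org.cyclonedx:cyclonedx-gradle-plugin:1.10.0
          +--- com.fasterxml.jackson.core:jackson-databind:2.17.2
          |    +--- com.fasterxml.jackson.core:jackson-annotations:2.17.2
          |    \--- com.fasterxml.jackson.core:jackson-core:2.17.2
          \--- com.fasterxml.jackson.core:jackson-core:2.17.2
"""

# Constructed excerpt of buildSrc's runtimeClasspath after moving the plugin into buildSrc:
# one configuration, so Gradle's conflict resolution upgrades Jackson ("2.14.2 -> 2.17.2").
BUILDSRC_RUNTIME_FIXED = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-gradle-plugin:3.3.4
|    +--- org.springframework.boot:spring-boot-buildpack-platform:3.3.4
|    |    +--- com.fasterxml.jackson.core:jackson-databind:2.14.2 -> 2.17.2
|    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.17.2
|    |    |    \--- com.fasterxml.jackson.core:jackson-core:2.17.2
|    |    \--- com.fasterxml.jackson.module:jackson-module-parameter-names:2.14.2 -> 2.17.2
+--- io.spring.gradle:dependency-management-plugin:1.1.6
\--- org.cyclonedx:cyclonedx-gradle-plugin:1.10.0
     +--- com.fasterxml.jackson.core:jackson-databind:2.17.2 (*)
     \--- com.fasterxml.jackson.core:jackson-core:2.17.2
"""

# One tree node: tree-drawing prefix, "group:name:version", optional " -> resolved".
DEP_LINE = re.compile(r"^[\s|+\\]*---\s+(?P<coord>[^\s(]+)(?:\s+->\s+(?P<resolved>[^\s(]+))?")


def parse_tree(text):
    """Map 'group:name' -> resolved version for one Gradle dependency tree.

    Uses the right-hand side of '->' when Gradle reports a conflict upgrade, and
    skips '(c)' constraint-only and '(n)' unresolved entries, which are not on
    the class path.
    """
    resolved = {}
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m or "(c)" in line or "(n)" in line:
            continue
        parts = m.group("coord").split(":")
        if len(parts) < 3:  # e.g. project dependencies such as ':server'
            continue
        version = parts[2]
        if m.group("resolved"):
            version = m.group("resolved").split(":")[-1]  # plain version or full coordinate
        resolved[f"{parts[0]}:{parts[1]}"] = version
    return resolved


def cross_loader_conflicts(parent, child):
    """Modules present in both class loaders at different versions.

    Gradle only reconciles versions inside one configuration. buildSrc's
    runtimeClasspath lives in a class loader that project build scripts'
    loaders delegate to, so a module already there at one version is not
    upgraded by a newer version requested from a project's plugins {} block.
    """
    return {
        module: (parent[module], child[module])
        for module in sorted(parent.keys() & child.keys())
        if parent[module] != child[module]
    }


def report(parent_text, child_text):
    """Human-readable lines, one per conflicting module."""
    conflicts = cross_loader_conflicts(parse_tree(parent_text), parse_tree(child_text))
    return [
        f"{module}: buildSrc has {a}, project buildscript has {b}"
        for module, (a, b) in conflicts.items()
    ]


if __name__ == "__main__":
    # Before the fix: three Jackson modules disagree across the two loaders.
    for line in report(BUILDSRC_RUNTIME, SERVER_BUILDSCRIPT) or ["no cross-loader conflicts"]:
        print(line)
    # After the fix: everything Jackson-related is 2.17.2 on both sides.
    for line in report(BUILDSRC_RUNTIME_FIXED, SERVER_BUILDSCRIPT) or ["no cross-loader conflicts"]:
        print(line)
```

Run it against the real output of the two Gradle commands (one tree per invocation) when a build plugin starts failing with NoSuchMethodError or NoClassDefFoundError; an empty result means the remaining cause is inside a single configuration, where `gradle dependencyInsight --configuration runtimeClasspath --dependency jackson-core` in buildSrc shows which requester won.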