whitesource / unified-agent-distribution


java.lang.SecurityException: class "yD" on Corretto-11.0.15.9.1 with Log4jHotPatch #36

Closed ckuehne closed 2 years ago

ckuehne commented 2 years ago

Running the wss-unified-agent.jar on Amazon Linux with Corretto-11.0.15.9.1 leads to the following exception:

java.lang.SecurityException: class "yD"'s signer information does not match signer information of other classes in the same package
    at java.base/java.lang.ClassLoader.checkCerts(ClassLoader.java:1151)
...
org.whitesource.agent.dependency.resolver.js.npm.NpmAdditionalDependencies.getAnalysisModules(NpmAdditionalDependencies.java:77)
...

(Full Stacktrace below [1].)

In particular, this happens when the unified agent tries to scan npm dependencies:

npm.resolveDependencies=true
npm.resolveAdditionalDependencies=true

The root cause is that the JVM distribution on Amazon Linux contains a Log4jHotPatch.jar with a Log4jHotPatch.class that is in the root package:

[10.993s][info][class,load] Log4jHotPatch source: file:/usr/share/log4j-cve-2021-44228-hotpatch/jdk11/Log4jHotPatch.jar

The (obfuscated) class 'yD' in the wss-unified-agent.jar is also in the root package.

The exception occurs because the two classes are from different jars (with different signers) but from the same package (root, i.e., no package).

[1] Full Stacktrace

DEBUG] [2022-05-05 16:57:17,470 +0200] - error: 
java.lang.SecurityException: class "yD"'s signer information does not match signer information of other classes in the same package
    at java.base/java.lang.ClassLoader.checkCerts(ClassLoader.java:1151)
    at java.base/java.lang.ClassLoader.preDefineClass(ClassLoader.java:906)
    at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1015)
    at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:174)
    at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:800)
    at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:698)
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:621)
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:579)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
    at whitesource.analysis.vulnerabilities.ExternalDependencyExecutor.<init>(Unknown Source)
    at org.whitesource.agent.dependency.resolver.js.npm.NpmAdditionalDependencies.getAnalysisModules(NpmAdditionalDependencies.java:77)
    at org.whitesource.agent.dependency.resolver.js.JSDependencyResolver.invokeAdditionalDependencies(JSDependencyResolver.java:520)
    at org.whitesource.agent.dependency.resolver.js.JSDependencyResolver.npmLsResolution(JSDependencyResolver.java:440)
    at org.whitesource.agent.dependency.resolver.js.JSDependencyResolver.invokeNpm(JSDependencyResolver.java:391)
    at org.whitesource.agent.dependency.resolver.js.JSDependencyResolver.resolve(JSDependencyResolver.java:281)
    at org.whitesource.agent.dependency.resolver.js.JSDependencyResolver.resolveDependencies(JSDependencyResolver.java:214)
    at org.whitesource.agent.dependency.resolver.DependencyResolutionService.resolveDependenciesOfResolver(DependencyResolutionService.java:380)
    at org.whitesource.agent.dependency.resolver.DependencyResolutionService.resolveDependencies(DependencyResolutionService.java:206)
    at org.whitesource.agent.FileSystemScanner.createProjects(FileSystemScanner.java:409)
    at org.whitesource.fs.scanOrigins.GeneralScanOrigin.getProjects(GeneralScanOrigin.java:194)
    at org.whitesource.fs.scanOrigins.GeneralScanOrigin.scan(GeneralScanOrigin.java:101)
    at org.whitesource.fs.scanOrigins.ScanOrigin.runOriginScan(ScanOrigin.java:36)
    at org.whitesource.fs.FileSystemAgent.createProjects(FileSystemAgent.java:165)
    at org.whitesource.fs.Main.scanProjects(Main.java:116)
    at org.whitesource.fs.Main.main(Main.java:91)
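
As an added illustration (not code from this issue or from the Unified Agent), a Python check for the precondition described above: two jars on the same classpath that both place classes in the unnamed (root) package but carry different signer information. The jar names and contents are constructed stand-ins, and the signer comparison uses the set of META-INF/*.SF entries as an approximation of the certificate check the JVM performs in ClassLoader.checkCerts.

```python
import os
import tempfile
import zipfile


def root_package_classes(jar_path):
    """Return the .class entries that live in the unnamed (root) package."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(n for n in zf.namelist() if n.endswith(".class") and "/" not in n)


def signature_files(jar_path):
    """Names of META-INF/*.SF entries; an approximation of the jar's signer identity."""
    with zipfile.ZipFile(jar_path) as zf:
        return frozenset(n for n in zf.namelist()
                         if n.startswith("META-INF/") and n.upper().endswith(".SF"))


def find_root_package_conflicts(jar_paths):
    """Return (jar_a, jar_b) pairs that both define root-package classes with differing signers."""
    contributors = [(p, signature_files(p)) for p in jar_paths if root_package_classes(p)]
    conflicts = []
    for i, (jar_a, sig_a) in enumerate(contributors):
        for jar_b, sig_b in contributors[i + 1:]:
            if sig_a != sig_b:
                conflicts.append((jar_a, jar_b))
    return conflicts


def build_sample_jars(directory):
    """Constructed sample input: an unsigned hotpatch-style jar and a 'signed' agent-style jar."""
    hotpatch = os.path.join(directory, "Log4jHotPatch.jar")
    agent = os.path.join(directory, "wss-unified-agent.jar")
    with zipfile.ZipFile(hotpatch, "w") as zf:
        zf.writestr("Log4jHotPatch.class", b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    with zipfile.ZipFile(agent, "w") as zf:
        zf.writestr("META-INF/AGENT.SF", "Signature-Version: 1.0\n")  # stand-in for a real signature file
        zf.writestr("yD.class", b"\xca\xfe\xba\xbe")  # obfuscated class in the root package
        zf.writestr("org/whitesource/fs/Main.class", b"\xca\xfe\xba\xbe")  # packaged class, not relevant
    return [hotpatch, agent]


def demo():
    """Build the sample jars and report conflicting pairs by base name."""
    with tempfile.TemporaryDirectory() as d:
        jars = build_sample_jars(d)
        return [(os.path.basename(a), os.path.basename(b))
                for a, b in find_root_package_conflicts(jars)]


if __name__ == "__main__":
    print(demo())
```

Running the check against the real jars on a host (e.g. the hotpatch jar path from the class-load log above plus the agent jar) shows whether the root-package signer conflict exists before the agent is run.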

LenaKleyner commented 2 years ago

Hi @ckuehne, this was addressed in the latest release of the Unified Agent (version 22.4.1.1). If for some reason the issue still persists, please open a ticket in our support portal with all the relevant information (the Unified Agent execution command, its settings, and the output log).

Thanks,

Lena

ckuehne commented 2 years ago

The latest Unified Agent version does indeed solve the problem.