zDevelopers / ImageOnMap

Repo for ImageOnMap, a bukkit plugin created to display any image using a map
https://dev.zcraft.fr/imageonmap

Paper 1.18.2 /tomap error "CraftItem failed" #255

Open ZerpCraft opened 2 years ago

ZerpCraft commented 2 years ago

Plugin version is 4.2.2. Command run: /tomap https://i.imgur.com/hfn0QMe.png Other notes: After the error, the item frames turn invisible. Screenshot attached. Notice in the screenshot that on the right hand side the readout says I'm still looking at an Item_frame [entity.]

Stack Trace:

fr.zcraft.imageonmap.quartzlib.tools.reflection.NMSException: Cannot set item stack tags
INFO at fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.addToItemStack(NBT.java:241) ~[ImageOnMap-4.2.2.jar:?]
INFO at fr.zcraft.imageonmap.quartzlib.tools.items.ItemStackBuilder.craftItem(ItemStackBuilder.java:264) ~[ImageOnMap-4.2.2.jar:?]
INFO at fr.moribus.imageonmap.ui.SplatterMapManager.lambda$placeSplatterMap$1(SplatterMapManager.java:311) ~[ImageOnMap-4.2.2.jar:?]
INFO at org.bukkit.craftbukkit.v1_18_R2.scheduler.CraftTask.run(CraftTask.java:101) ~[paper-1.18.2.jar:git-Paper-224]
INFO at org.bukkit.craftbukkit.v1_18_R2.scheduler.CraftScheduler.mainThreadHeartbeat(CraftScheduler.java:483) ~[paper-1.18.2.jar:git-Paper-224]
INFO at net.minecraft.server.MinecraftServer.tickChildren(MinecraftServer.java:1521) ~[paper-1.18.2.jar:git-Paper-224]
INFO at net.minecraft.server.dedicated.DedicatedServer.tickChildren(DedicatedServer.java:483) ~[paper-1.18.2.jar:git-Paper-224]
INFO at net.minecraft.server.MinecraftServer.tickServer(MinecraftServer.java:1444) ~[paper-1.18.2.jar:git-Paper-224]
INFO at net.minecraft.server.MinecraftServer.runServer(MinecraftServer.java:1218) ~[paper-1.18.2.jar:git-Paper-224]
INFO at net.minecraft.server.MinecraftServer.lambda$spin$0(MinecraftServer.java:317) ~[paper-1.18.2.jar:git-Paper-224]
INFO at java.lang.Thread.run(Thread.java:833) ~[?:?]
INFO Caused by: fr.zcraft.imageonmap.quartzlib.tools.reflection.NMSException: Unable to retrieve NBT data
INFO at fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.fromItemStack(NBT.java:77) ~[ImageOnMap-4.2.2.jar:?]
INFO at fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.addToItemStack(NBT.java:211) ~[ImageOnMap-4.2.2.jar:?]
INFO ... 10 more
ZerpCraft commented 2 years ago

Update: I believe QuartzLib NBT.java is the problem. Line 309

// Method name taken from the getMcNBTCompound frames in the stack traces in this thread;
// the fragment as posted began at the outer try.
private static Object getMcNBTCompound(Object mcItemStack) throws NMSException {
    try {
        Object tagCompound;
        try {
            //1.18
            tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "t");
        } catch (Exception e) {
            //1.17
            try {
                tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "getTag");
            } catch (Exception e2) {
                tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "a");
            }
        }

        if (tagCompound == null) {
            tagCompound = Reflection.instantiate(MC_NBT_TAG_COMPOUND);
            Reflection.call(MC_ITEM_STACK, mcItemStack, "setTag", tagCompound);
        }
        return tagCompound;

    } catch (Exception exc) {
        //Older method
        try {
            Object tag = Reflection.getFieldValue(MC_ITEM_STACK, mcItemStack, "tag");

            if (tag == null) {
                tag = Reflection.instantiate(MC_NBT_TAG_COMPOUND);

                try {
                    Reflection.call(MC_ITEM_STACK, mcItemStack, "setTag", tag);
                } catch (NoSuchMethodException e) {
                    // If the set method change—more resilient,
                    // as the setTag will only update the field without any kind of callback.
                    Reflection.setFieldValue(MC_ITEM_STACK, mcItemStack, "tag", tag);
                }
            }

            return tag;
        } catch (Exception ex) {
            throw new NMSException("Unable to retrieve NBT tag from item", ex);
        }
    }
}

I believe this call is no longer working, but haven't figured out why yet. Comments suggest that this was added for 1.18, so maybe something has changed again? tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "t");

ZerpCraft commented 2 years ago

Ok, that line was a bit of a red herring. Now I'm thinking it's this line: Reflection.call(MC_ITEM_STACK, mcItemStack, "setTag", tagCompound);

Throwing:

[11:47:23 WARN]: java.lang.NoSuchMethodException: net.minecraft.world.item.ItemStack.setTag(net.minecraft.nbt.NBTTagCompound)
[11:47:23 WARN]: at java.base/java.lang.Class.getDeclaredMethod(Class.java:2675)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.tools.reflection.Reflection.call(Reflection.java:317)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.getMcNBTCompound(NBT.java:324)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.fromItemStack(NBT.java:76)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.addToItemStack(NBT.java:215)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.tools.items.ItemStackBuilder.craftItem(ItemStackBuilder.java:264)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.moribus.imageonmap.ui.SplatterMapManager.lambda$placeSplatterMap$1(SplatterMapManager.java:313)
[11:47:23 WARN]: at org.bukkit.craftbukkit.v1_18_R2.scheduler.CraftTask.run(CraftTask.java:101)
[11:47:23 WARN]: at org.bukkit.craftbukkit.v1_18_R2.scheduler.CraftScheduler.mainThreadHeartbeat(CraftScheduler.java:483)
[11:47:23 WARN]: at net.minecraft.server.MinecraftServer.b(MinecraftServer.java:1521)
[11:47:23 WARN]: at net.minecraft.server.dedicated.DedicatedServer.b(DedicatedServer.java:483)
[11:47:23 WARN]: at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:1444)
[11:47:23 WARN]: at net.minecraft.server.MinecraftServer.w(MinecraftServer.java:1218)
[11:47:23 WARN]: at net.minecraft.server.MinecraftServer.lambda$spin$0(MinecraftServer.java:317)
[11:47:23 WARN]: at java.base/java.lang.Thread.run(Thread.java:833)
[11:47:23 WARN]: fr.zcraft.imageonmap.quartzlib.tools.reflection.NMSException: Unable to retrieve NBT data
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.fromItemStack(NBT.java:78)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.addToItemStack(NBT.java:215)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.tools.items.ItemStackBuilder.craftItem(ItemStackBuilder.java:264)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.moribus.imageonmap.ui.SplatterMapManager.lambda$placeSplatterMap$1(SplatterMapManager.java:313)
[11:47:23 WARN]: at org.bukkit.craftbukkit.v1_18_R2.scheduler.CraftTask.run(CraftTask.java:101)
[11:47:23 WARN]: at org.bukkit.craftbukkit.v1_18_R2.scheduler.CraftScheduler.mainThreadHeartbeat(CraftScheduler.java:483)
[11:47:23 WARN]: at net.minecraft.server.MinecraftServer.b(MinecraftServer.java:1521)
[11:47:23 WARN]: at net.minecraft.server.dedicated.DedicatedServer.b(DedicatedServer.java:483)
[11:47:23 WARN]: at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:1444)
[11:47:23 WARN]: at net.minecraft.server.MinecraftServer.w(MinecraftServer.java:1218)
[11:47:23 WARN]: at net.minecraft.server.MinecraftServer.lambda$spin$0(MinecraftServer.java:317)
[11:47:23 WARN]: at java.base/java.lang.Thread.run(Thread.java:833)
[11:47:23 WARN]: Caused by: fr.zcraft.imageonmap.quartzlib.tools.reflection.NMSException: Unable to retrieve NBT tag from item
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.getMcNBTCompound(NBT.java:348)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.fromItemStack(NBT.java:76)
[11:47:23 WARN]: ... 11 more
[11:47:23 WARN]: Caused by: java.lang.NoSuchFieldException: tag
[11:47:23 WARN]: at java.base/java.lang.Class.getDeclaredField(Class.java:2610)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.tools.reflection.Reflection.getField(Reflection.java:170)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.tools.reflection.Reflection.getFieldValue(Reflection.java:137)
[11:47:23 WARN]: at ImageOnMap-4.2.2.jar//fr.zcraft.imageonmap.quartzlib.components.nbt.NBT.getMcNBTCompound(NBT.java:332)
[11:47:23 WARN]: ... 12 more
[11:47:23 WARN]: [ImageOnMap] CraftItem failed

ZerpCraft commented 2 years ago

Who knew I'd be learning so much today! So it seems the Reflection class is what's used to reference internal Minecraft classes? And on new version releases the class might disappear or be changed to something else? So I need to find what the new class is, I think.

AmauryCarrade commented 2 years ago

Yeah, I think that's the problem indeed. Minecraft is changing the internal class names used to handle NBT data. We need either to find the new classes, or to find a better way to handle the need to identify ImageOnMap maps without altering NBT data.

AmauryCarrade commented 2 years ago

Some efforts in QuartzLib were started by @Vlammar, but are not done yet due to… our unavailability.

ZerpCraft commented 2 years ago

Fixed it. tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "t"); The "t" needs to change to a "u" for 1.18.2

AmauryCarrade commented 2 years ago

cc @Vlammar

Vlammar commented 2 years ago

The "t" needs to change to a "u" for 1.18.2

It's really a pain that they change those damn method names for every version.
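The thread's root cause is a reflective call to an obfuscated method whose name moves with every Minecraft release ("getTag", then "t", then "u" for 1.18.2), so a single hard-coded name fails deep inside a scheduler task as in the trace above. The following is an added example, not QuartzLib or ImageOnMap code, showing a defensive way to resolve such an accessor: try the candidate names known for the running version, accept one only if its signature matches the expected return type, and otherwise fail with a clear error instead of a bare NoSuchMethodException. The candidate-name table is an assumption built from this thread ("getTag" and "a" from the posted code, "t" and "u" from the fix); the FakeItemStack and FakeTag classes are constructed stand-ins so the file runs without a server.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public final class TagAccessorResolver {

    // Ordered candidate names per server version. ASSUMPTION: only the names quoted in this
    // thread are listed; check the mappings of the version you actually target before use.
    private static final Map<String, List<String>> GET_TAG_CANDIDATES = new LinkedHashMap<>();
    static {
        GET_TAG_CANDIDATES.put("1.18.2", List.of("u", "t", "getTag"));
        GET_TAG_CANDIDATES.put("1.18.1", List.of("t", "getTag"));
        GET_TAG_CANDIDATES.put("1.17", List.of("getTag", "a"));
    }

    /** Raised when no candidate matches; plays the role NMSException plays in QuartzLib. */
    public static final class UnresolvedAccessorException extends Exception {
        public UnresolvedAccessorException(String msg) { super(msg); }
    }

    /**
     * Find a public, non-static, zero-argument method on itemStackClass whose return type is
     * tagCompoundClass, preferring the names listed for the given version. A name is accepted
     * only when the signature also matches, so a renamed or repurposed method is rejected here
     * rather than discovered at runtime by a NoSuchMethodException in a scheduler task.
     */
    public static Method resolveGetTag(Class<?> itemStackClass, Class<?> tagCompoundClass, String version)
            throws UnresolvedAccessorException {
        List<String> names = candidatesFor(version);
        for (String name : names) {
            try {
                Method m = itemStackClass.getMethod(name);
                if (isTagGetter(m, tagCompoundClass)) {
                    return m;
                }
            } catch (NoSuchMethodException ignored) {
                // not present under this name; try the next candidate
            }
        }
        // Last resort: a unique zero-argument public method returning the tag type.
        // If more than one qualifies, refuse rather than guess which one is the getter.
        Method unique = null;
        for (Method m : itemStackClass.getMethods()) {
            if (isTagGetter(m, tagCompoundClass)) {
                if (unique != null) {
                    throw new UnresolvedAccessorException(
                            "ambiguous tag getters on " + itemStackClass.getName());
                }
                unique = m;
            }
        }
        if (unique == null) {
            throw new UnresolvedAccessorException("no tag getter found on " + itemStackClass.getName()
                    + " for version " + version + " (tried " + names + ")");
        }
        return unique;
    }

    private static boolean isTagGetter(Method m, Class<?> tagCompoundClass) {
        return m.getParameterCount() == 0
                && !Modifier.isStatic(m.getModifiers())
                && m.getReturnType() == tagCompoundClass;
    }

    /** Longest-prefix match so that e.g. "1.17.1" falls back to the "1.17" entry. */
    private static List<String> candidatesFor(String version) {
        String best = "";
        for (String key : GET_TAG_CANDIDATES.keySet()) {
            if (version.startsWith(key) && key.length() > best.length()) {
                best = key;
            }
        }
        return best.isEmpty() ? List.of("getTag") : GET_TAG_CANDIDATES.get(best);
    }

    // Constructed stand-ins for the NMS classes so the example runs stand-alone.
    public static final class FakeTag {}
    public static final class FakeItemStack {
        public FakeTag u() { return new FakeTag(); }   // 1.18.2-style obfuscated name
    }

    public static void main(String[] args) throws Exception {
        Method getter = resolveGetTag(FakeItemStack.class, FakeTag.class, "1.18.2");
        Object tag = getter.invoke(new FakeItemStack());
        System.out.println("resolved " + getter.getName() + " returning " + tag.getClass().getSimpleName());
    }
}
```

On a real server you would pass the NMS ItemStack and NBTTagCompound classes (obtained through the usual craftbukkit package lookup) and Bukkit's reported version string; the point is that the version-to-name table is the only thing that needs editing when a release renames the method, and a wrong entry is reported at resolve time with the list of names that were tried.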

CobaltBlue07 commented 2 years ago

sooo is the plugin gonna be updated? having this same issue on my server

AmauryCarrade commented 2 years ago

Feel free to contribute if you want to speed things up. I don't have free time to work on IoM these days, sorry.

J-eremy commented 2 years ago

Fixed it. tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "t"); The "t" needs to change to a "u" for 1.18.2

I can confirm. I downloaded the source to both ImageOnMap and Quartzlib, changed that one character from "t" to "u", recompiled and installed the Quartzlib package locally and then re-built ImageOnMap and it works fine now.

The old frames were left invisible where I put them originally and I had to break them to lay out a new grid. A decent temporary fix. Great plugin by the way, hope everyone is well.

Also, the version number is mislabeled in the pom file for the master branch. Everything says 0.0.6 except the pom, which is still saying 0.0.5

ZeroBelowZero commented 2 years ago

Fixed it. tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "t"); The "t" needs to change to a "u" for 1.18.2

I can confirm. I downloaded the source to both ImageOnMap and Quartzlib, changed that one character from "t" to "u", recompiled and installed the Quartzlib package locally and then re-built ImageOnMap and it works fine now.

The old frames were left invisible where I put them originally and I had to break them to lay out a new grid. A decent temporary fix. Great plugin by the way, hope everyone is well.

Also, the version number is mislabeled in the pom file for the master branch. Everything says 0.0.6 except the pom, which is still saying 0.0.5

Any tutorial on how to do this?

J-eremy commented 2 years ago

Fixed it. tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "t"); The "t" needs to change to a "u" for 1.18.2

I can confirm. I downloaded the source to both ImageOnMap and Quartzlib, changed that one character from "t" to "u", recompiled and installed the Quartzlib package locally and then re-built ImageOnMap and it works fine now. The old frames were left invisible where I put them originally and I had to break them to lay out a new grid. A decent temporary fix. Great plugin by the way, hope everyone is well. Also, the version number is mislabeled in the pom file for the master branch. Everything says 0.0.6 except the pom, which is still saying 0.0.5

Any tutorial on how to do this?

I would really wait for an official fix if I were you, unless you already have an environment set up to build and compile the source. The fix is easy, but setting up the environment to compile and repackage is out of the scope of this thread.

The compatibility issue is actually in Quartzlib, the library that is included and built alongside the plugin, inside the jar, not in any of the code in the plugin itself, if that makes any sense. The issue is, while it fixes it for 1.18.2, it breaks it for 1.18.1 etc.

I'll attach the jar I built, but you probably shouldn't be all willy-nilly using any jar you stumble across on the internet, as there is plenty of room for malicious intent. If the developers don't want this file here, feel free to delete it.

LINK REMOVED DUE TO SUSPICION OF INFECTED JAR

The second there is an official update, make sure to use the official release, as I'm sure other stuff will be changed.

ZeroBelowZero commented 2 years ago

Fixed it. tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "t"); The "t" needs to change to a "u" for 1.18.2

I can confirm. I downloaded the source to both ImageOnMap and Quartzlib, changed that one character from "t" to "u", recompiled and installed the Quartzlib package locally and then re-built ImageOnMap and it works fine now. The old frames were left invisible where I put them originally and I had to break them to lay out a new grid. A decent temporary fix. Great plugin by the way, hope everyone is well. Also, the version number is mislabeled in the pom file for the master branch. Everything says 0.0.6 except the pom, which is still saying 0.0.5

Any tutorial on how to do this?

I would really wait for an official fix if I were you, unless you already have an environment set up to build and compile the source. The fix is easy, but setting up the environment to compile and repackage is out of the scope of this thread.

The compatibility issue is actually in Quartzlib, the library that is included and built alongside the plugin, inside the jar, not in any of the code in the plugin itself, if that makes any sense. The issue is, while it fixes it for 1.18.2, it breaks it for 1.18.1 etc.

I'll attach the jar I built, but you probably shouldn't be all willy-nilly using any jar you stumble across on the internet, as there is plenty of room for malicious intent. If the developers don't want this file here, feel free to delete it.

LINK REMOVED DUE TO SUSPICION OF INFECTED JAR

The second there is an official update, make sure to use the official release, as I'm sure other stuff will be changed.

Awesome! Thanks so much.

CobaltBlue07 commented 2 years ago

@J-eremy According to my server provider, after installing that fixed jar all my plugin jars got infected and I had to remove and reinstall all of them.

J-eremy commented 2 years ago

@J-eremy according to my server provider after installing that fixed jar all my plugin jars got infected and i had to remove and reinstall all of them

It's definitely not from my jar. I literally only changed that one character in the lib. You might want to look at all your other jars before you go any further.

Tanguygab commented 2 years ago

I used your jar and it works completely fine for me (thank you so much =)). Didn't get any infected files or anything, though I did get quite a lot of temp files in my plugins folder, like, a lot... and I don't remember it being the case with the original version. (Screenshot.) Not sure if it's something you can fix, though it's not very important, just a bit annoying that I have to clear it all up every time 😅

CobaltBlue07 commented 2 years ago

@J-eremy according to my server provider after installing that fixed jar all my plugin jars got infected and i had to remove and reinstall all of them

Its definitely not from my jar. I literally only changed that one character in the lib. You might want to look at all your other jars before you go any further.

This is what I thought, so that's why I said "according to my server provider"... I think they are trying to money-grab in order for me to pay more, sadly. Last year they told me that my RAM wasn't enough and my server was running out of performance (5 GB RAM for a 3-person server lmao). I just wanted to reassure myself by saying it to you. Thank you again.

J-eremy commented 2 years ago

I used your jar and it works completely fine for me, (thank you so much =)) didn't get any infected files or anything, though I did get quite a lot of temp files in my plugins folder, like, a lot... and I don't remember it being the case with the original version. image Not sure if it's something you can fix, though it's not very important, just a bit annoying that I have to clear it all up everytime 😅

That's weird, I don't have any of that in my folder. You did extract the zip file, so it's the actual .jar in the plugins folder, right? (Screenshot.) GitHub made me zip it. I did just re-download what I uploaded and the hashes are the same; feel free to download a hashing tool to make sure we are both using the same file.

@J-eremy according to my server provider after installing that fixed jar all my plugin jars got infected and i had to remove and reinstall all of them

It's definitely not from my jar. I literally only changed that one character in the lib. You might want to look at all your other jars before you go any further.

this is what i thought so thats why i said according to my server provider... i think they are trying to money-grab things in order for me to pay more sadly.. last year they told me that my ram wasnt enough and my server was running out of performance (5gb ram for a 3 person server lmao) i just wanted to assure myself by saying it to you thank you again

Yeah, that's not good. Sounds like a company I wouldn't want to work with. 5 GB of RAM is damn good for a small server, unless you are running every plugin known to man. I'm also not sure if it's even possible to have one jar affect other jars on the server; I could be wrong, but I always assumed it could just mess up your whole world or give randoms access to what they shouldn't. If someone knows whether a jar has write access to that folder after being loaded into memory, please fill me in, because I am in no way a Java programmer lol. @ZerpCraft is the real MVP here, I just applied his findings.

Tanguygab commented 2 years ago

github made me zip it. I did just re-download what I uploaded and the hashes are the same, feel free to download a hashing tool to make sure we are both using the same file.

No idea. I tried the jar you sent and yeah, I do have the ImageOnMap.jar file in my plugins folder; it's just that every time the plugin loads, it creates those temp files. Not sure what I did wrong x)

J-eremy commented 2 years ago

github made me zip it. I did just re-download what I uploaded and the hashes are the same, feel free to download a hashing tool to make sure we are both using the same file.

No idea. I tried the jar you sent and yeah, I do have the ImageOnMap.jar file in my plugins folder; it's just that every time the plugin loads, it creates those temp files. Not sure what I did wrong x)

The only thing I seemed to find when I searched for that filename is something about Fabric. Are you using a mod loader like Fabric or Forge, or are you using it with just the standard plugin stuff? I'm using PaperMC as the server jar and letting it load plugins the normal way, no Forge or Fabric or any of that funny business. Try just spinning up a vanilla flavor of Bukkit and see if those files are generated. I have personally never seen the plugin folder fill up like that. https://papermc.io/ is the server I'm using.

Tanguygab commented 2 years ago

paper as well, tried the latest dev build earlier

FrecciaTricolore commented 2 years ago

@J-eremy The jar is indeed infected. Decompiling it shows the javassist package.

This is why you ALWAYS wait for official fixes. Problem is, this ended on the Bukkit.org page. Users should be informed.

Those who run it will need to clear the server folder from any jar file.

Now, if someone can understand what it did other than spreading itself, that'd be nice...


CobaltBlue07 commented 2 years ago

Oh wow... I guess it wasn't my server provider trying to money-grab me. Good thing I removed the jar after this happened and never reinstalled it.

AmauryCarrade commented 2 years ago

I removed the links just to be sure. (I kept it on my side.)

If you want to contribute, instead of sharing links like this, open pull requests! The code will be visible to everyone and things like this are very unlikely to happen.

J-eremy commented 2 years ago

@J-eremy The jar is indeed infected. Decompiling it shows the javassist package.

This is why you ALWAYS wait for official fixes. Problem is, this ended on the Bukkit.org page. Users should be informed.

Those who run it will need to clear the server folder from any jar file.

Now, if someone can understand what it did other than spreading itself, that'd be nice...


What you are showing is not decompiling, it is just opening the jar as an archive. I compiled the jar the normal way with Maven. Nothing was changed in the source for this plugin, as the issue is with the library it uses, not the code for the plugin itself, and when I modified it I also did a PR for that repo.

I'm not a Java programmer by far, I just know how to recompile things after small changes. As far as I can tell, javassist is a library that must have been needed to compile the software, and I find no information on the internet saying it's malicious in any way. Someone more knowledgeable than me, please chime in.

If you go look at the PRs for Quartzlib you will see my pull request for what I changed.

All I can really say is what I already said: if you're paranoid, don't use it, wait until it is officially released. If you do use it, make sure that your file has the same hash as the one I uploaded. But again, I don't see any signs of my file being infected in any way, nor do I appreciate being accused of distributing a malicious file. On the other hand, if it is actually found to be a problem, then someone should really inspect upstream, because I just cloned the git repositories and that would mean the problem is bigger than just this situation.

J-eremy commented 2 years ago

There is an issue. I just re-compiled from upstream with a fresh pull and the character fix, and there is no javassist folder being generated in the jar. I don't know exactly what's going on. I'm going to leave this up to the people that actually know what they are doing, as I can tinker but am not a programmer. Two mvn packages run the same way shouldn't output different artifacts.

FrecciaTricolore commented 2 years ago

@J-eremy Look at your jars: in the picture you sent, each of your plugins weighs double what it should. CMI 5,448 KB, LuckPerms 3,123 KB. It's impossible. They are all infected. (Screenshot.)

FrecciaTricolore commented 2 years ago

AuthMe weighs 7 MB, yours 14 MB. (Screenshot.)

synrg commented 2 years ago

As for javassist being "just a library", yeah, a library that generates bytecode on the fly and rewrites classes ... which sounds perfect if you want to craft an exploit payload.

FrecciaTricolore commented 2 years ago

Exactly

J-eremy commented 2 years ago

AuthMe weighs 7 MB, yours 14 MB. (Screenshot.)

You are correct, there was an infection from somewhere. The build server at codemc.io for AuthMe reports a different file size for the snapshot, though (screenshot), but the size is still off.

I have wiped all plugins and re-downloaded and reinstalled all plugins from their corresponding distribution places, and everything now seems normal again, including the fresh recompile of this add-on with the modified library. Although, to compile Quartzlib you have to skip tests for some reason, as it fails.

This is a serious problem, and I'm most likely going to be spending most of my day trying to track down exactly what happened, and where whatever that was came from. There are too many moving parts.

J-eremy commented 2 years ago

Well, it works now. What a mess. (Screenshot.)

If anyone is trying to compile Quartzlib, you have to do it with mvn package -DskipTests

synrg commented 2 years ago

By the way, I guess you're still looking for how this happened, since you didn't follow up here about that yet. Any chance you had (or still have) a plugin with old, unpatched Log4J on a publicly-accessible MC server on the same system where you did the build?

J-eremy commented 2 years ago

By the way, I guess you're still looking for how this happened, since you didn't follow up here about that yet. Any chance you had (or still have) a plugin with old, unpatched Log4J on a publicly-accessible MC server on the same system where you did the build?

It's looking like the build process wasn't the issue; the issue seemed to happen when I installed the plugin that I built from source on my server to test it.

I went back through my snapshots and it looks like some time between the upgrade from 1.18.1 to 1.18.2 the server was infected by a malicious plugin, or a nightly of a plugin, and it took over without me knowing it. When I tested it, it must have infected the jar that I built, and that was what I uploaded.

I tend to stay bleeding edge, because it's a personal Minecraft server that's really just for me and my girlfriend, with occasionally my friends' kids, so it's not mission critical. I'm pretty liberal with updates: a throw-them-in-and-look-for-errors-in-the-console type of situation.

My servers are all publicly accessible, running in offline mode with AuthMe-Reloaded behind a Bungee proxy on my Proxmox hypervisor, with Ubuntu 20.04 servers running the CubeCoders AMP game manager. I compiled the jar with Maven on my Windows 11 machine. I'm not a programmer, I am just learning, but there are so many moving parts when it comes to this that I couldn't possibly say if a plugin was running unpatched Log4J.

Just from compiling Quartzlib and ImageOnMap, my fresh .m2 folder looks like this (screenshot).

I'm not sure how anyone can keep up with all the security issues on that many dependencies for a 450k file.

I have literally added every plugin back to my server one by one, and watched and checked the hashes of them each time I rebooted it. I'm even considering making all the jar files used read-only at this point. Why does the Minecraft server even have write access to those files? That in itself seems like a security risk to me.

Sorry for the long rant, and if my jar file affected any of you in a negative way, I'm sorry. I wasn't going to upload the jar initially, because uploading binaries is bad practice overall, I know, but there is some finagling to compile it because of Quartzlib not only erroring out during the pre-compile tests, but also packaging as 0.0.5 instead of 0.0.6 and having to be installed in the local Maven repo before compiling ImageOnMap. Which I figured was above a lot of people's heads, even mine until I figured it out.
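The indicators that surfaced in this thread were all visible from the outside of the jars: files roughly doubling in size, hashes that no longer match what was downloaded, and a package (javassist) appearing inside a plugin that never shipped it. The check described above (re-hashing every plugin on each restart) can be automated. The following is an added example, not part of ImageOnMap, that records size, SHA-256 and the top-level packages of every jar in a plugins folder into a baseline file on the first run, and on later runs reports jars whose hash changed, whose size jumped, that gained packages, or that contain a watch-listed bytecode-manipulation package. The folder and baseline file names, the 1.5x size threshold and the watch list are assumptions; it needs Java 17 or newer.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class PluginJarAudit {

    /** Packages that have no business inside an ordinary plugin jar (assumption: extend as needed). */
    static final Set<String> WATCHLIST = Set.of("javassist");

    public record JarRecord(long size, String sha256, SortedSet<String> packages) {}

    /** First two path components of a class entry ("fr/zcraft/x/Y.class" -> "fr.zcraft"). */
    static String topPackage(String entryName) {
        String[] parts = entryName.split("/");
        if (parts.length <= 1) return "(default)";
        return String.join(".", Arrays.copyOfRange(parts, 0, Math.min(2, parts.length - 1)));
    }

    public static JarRecord inspect(Path jar) throws IOException, NoSuchAlgorithmException {
        byte[] bytes = Files.readAllBytes(jar);
        String hash = HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(bytes));
        SortedSet<String> pkgs = new TreeSet<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(bytes))) {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                if (e.getName().endsWith(".class")) pkgs.add(topPackage(e.getName()));
            }
        }
        return new JarRecord(bytes.length, hash, pkgs);
    }

    public static Map<String, JarRecord> scan(Path pluginsDir) throws IOException, NoSuchAlgorithmException {
        Map<String, JarRecord> out = new TreeMap<>();
        try (Stream<Path> files = Files.list(pluginsDir)) {
            for (Path p : (Iterable<Path>) files::iterator) {
                if (p.toString().endsWith(".jar")) out.put(p.getFileName().toString(), inspect(p));
            }
        }
        return out;
    }

    /** Human-readable findings; empty list means nothing changed and nothing watch-listed. */
    public static List<String> compare(Map<String, JarRecord> baseline, Map<String, JarRecord> current) {
        List<String> findings = new ArrayList<>();
        for (var entry : current.entrySet()) {
            String name = entry.getKey();
            JarRecord now = entry.getValue();
            for (String pkg : now.packages()) {
                if (WATCHLIST.stream().anyMatch(pkg::startsWith)) findings.add("WATCHLIST " + name + ": " + pkg);
            }
            JarRecord was = baseline.get(name);
            if (was == null) { findings.add("NEW " + name); continue; }
            if (was.sha256().equals(now.sha256())) continue;
            findings.add("CHANGED " + name + " (" + was.size() + " -> " + now.size() + " bytes)");
            if (now.size() > was.size() * 1.5) findings.add("  size grew by more than 50%");
            Set<String> added = new TreeSet<>(now.packages());
            added.removeAll(was.packages());
            if (!added.isEmpty()) findings.add("  packages added: " + added);
        }
        for (String name : baseline.keySet()) {
            if (!current.containsKey(name)) findings.add("MISSING " + name);
        }
        return findings;
    }

    // Baseline is a tab-separated file: name, size, sha256, comma-separated packages.
    static void writeBaseline(Path file, Map<String, JarRecord> recs) throws IOException {
        List<String> lines = new ArrayList<>();
        for (var e : recs.entrySet()) {
            JarRecord r = e.getValue();
            lines.add(e.getKey() + "\t" + r.size() + "\t" + r.sha256() + "\t" + String.join(",", r.packages()));
        }
        Files.write(file, lines);
    }

    static Map<String, JarRecord> readBaseline(Path file) throws IOException {
        Map<String, JarRecord> recs = new TreeMap<>();
        for (String line : Files.readAllLines(file)) {
            String[] f = line.split("\t", -1);
            SortedSet<String> pkgs = new TreeSet<>();
            if (!f[3].isEmpty()) pkgs.addAll(Arrays.asList(f[3].split(",")));
            recs.put(f[0], new JarRecord(Long.parseLong(f[1]), f[2], pkgs));
        }
        return recs;
    }

    public static void main(String[] args) throws Exception {
        Path pluginsDir = Path.of(args.length > 0 ? args[0] : "plugins");            // assumed default
        Path baseline = Path.of(args.length > 1 ? args[1] : "plugins-baseline.tsv"); // assumed default
        Map<String, JarRecord> current = scan(pluginsDir);
        if (!Files.exists(baseline)) {
            writeBaseline(baseline, current);
            System.out.println("baseline written for " + current.size() + " jars to " + baseline);
            return;
        }
        List<String> findings = compare(readBaseline(baseline), current);
        findings.forEach(System.out::println);
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```

Run it once after installing plugins from their official sources to write the baseline, then on every restart (before the server loads the jars) and treat a non-zero exit as a reason not to start. Keep the baseline file outside the directory the server process can write to, for the same reason the comment above asks why the server needs write access to its own plugin jars at all.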

synrg commented 2 years ago

I'm not sure how anyone can keep up with all the security issues on that many dependencies for a 450k file.

That's where the Java devs here will have to fill you in. Other package managers I'm familiar with automatically audit when you install the dependencies and will flag any issues (and even offer to fix them for you if upgrading the deps does not introduce breaking changes). Of course, it's up to you to check the output of the build and make sure there aren't any such issues before releasing anything (ideally with a build toolchain that refuses to publish a release if any of those checks fail!)

J-eremy commented 2 years ago

I'm not sure how anyone can keep up with all the security issues on that many dependencies for a 450k file.

That's where the Java devs here will have to fill you in. Other package managers I'm familiar with automatically audit when you install the dependencies and will flag any issues (and even offer to fix them for you if upgrading the deps does not introduce breaking changes). Of course, it's up to you to check the output of the build and make sure there aren't any such issues before releasing anything (ideally with a build toolchain that refuses to publish a release if any of those checks fail!)

Honestly, there is a bigger issue at hand. This situation has really opened my eyes to a side of development I have never thought of. I may be wrong, but it's clear to me personally that the entire system being used behind the scenes is too fragmented to actually be secure in any meaningful way. I know next to nothing about Java coding, but let's say I was a complete genius and understood every line of code. In order to make sure this plugin was secure, I would have to go through all the code of 30+ dependencies at any given moment in time to make sure it was all kosher. My other option is blind trust, which I clearly won't do at all anymore.

I have done some research into the nasty side of this today, and what kept showing up was something called node-ipc, where the developer of that one package sabotaged it to do malicious things unbeknownst to probably 90% of the other systems that relied on it. Clearly there is a bigger problem brewing in the development sphere as a whole, which has the potential to cause a lot more problems than messing up someone's Minecraft server.

The devs don't have to fill me in; there is honestly nothing anyone can say to rationalize the fact that something as simple as a 450k plugin for a Minecraft server relies on more than 30 dependencies over which there is no control, which could be anything but a ticking time bomb. You would have to hire a team of developers to check everything every time there is an update, and even then it's a crap shoot. Then, take into account what these massive projects must go through. Wow.

That being said, this is still a great plugin, but my days of compiling from source for other people are over. Especially for things like Minecraft, where every update they break compatibility and/or change something drastically. I'm just not comfortable being responsible for other people's systems because of the possibility of some shady developer out of a large group somewhere who just wants to be a dick.

On a side note, do you have any idea why Quartzlib not only fails to build without skipping tests, but also compiles as 0.0.5 instead of the 0.0.6 as downloaded? The process I used to compile looks something like this.

(Screenshot.) There are 62 of these errors, which seem to be a separate issue with yet another framework called mockbucket. Either Quartzlib or mockbucket seems to be missing tags for new blocks, I'm guessing.

The result is a working Imageonmap plugin in the end tho.

Gfortes985 commented 2 years ago

Does anyone have a fix build for this error?

OoLunar commented 2 years ago

Fixed it. tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "t"); The "t" needs to change to a "u" for 1.18.2

Which line was this on? Going to be opening up a PR and do minimal testing my side

EDIT: Found out the post above mine has the instructions. Go to school and learn to read kids.

J-eremy commented 2 years ago

Fixed it. tagCompound = Reflection.call(mcItemStack.getClass(), mcItemStack, "t"); The "t" needs to change to a "u" for 1.18.2

Which line was this on? Going to be opening up a PR and do minimal testing my side

EDIT: Found out the post above mine has the instructions. Go to school and learn to read kids.

I opened a PR at Quartzlib already a while ago, and since then someone actually did it right in another PR, making it work with not only 1.18.2 but also lower versions. The issue isn't technically with this plugin itself; it's the library it relies on and is built with that has the compatibility issue.

synrg commented 2 years ago

This one, I guess: zDevelopers/QuartzLib/pull/87

Gfortes985 commented 2 years ago

I'm not sure how anyone can keep up with all the security issues on that many dependencies for a 450k file.

That's where the Java devs here will have to fill you in. Other package managers I'm familiar with automatically audit when you install the dependencies and will flag any issues (and even offer to fix them for you if upgrading the deps does not introduce breaking changes). Of course, it's up to you to check the output of the build and make sure there aren't any such issues before releasing anything (ideally with a build toolchain that refuses to publish a release if any of those checks fail!)

Honestly, there is a bigger issue at hand. This situation has really opened my eyes to a side of development I have never thought of. I may be wrong, but it's clear to me personally that the entire system being used behind the scenes is too fragmented to actually be secure in any meaningful way. I know next to nothing about java coding, but let's say I was a complete genius and understood every line of code. In order to make sure this plugin was secure, I would have to go through all the code of 30+ dependencies at any given moment in time to make sure it was all kosher. My other option is blind trust, which I clearly won't do at all anymore.

I have done some research into the nasty side of this today, and what kept showing up was something called node-ipc, and the developer of that one package sabotaged it to do malicious things unbeknownst to probably 90% of the other systems that relied on it. Clearly there is a bigger problem in the development sphere as a whole brewing which has the potential to cause a lot more problems than messing up someone's minecraft server.

The devs don't have to fill me in, there is honestly nothing anyone can say to rationalize the fact that something as simple as a 450k plugin for a minecraft server relies on more than 30 dependencies over which there is no control could be anything but a ticking time bomb. You would have to hire a team of developers to check everything every time there is an update, and even then it's a crap shoot. Then, take into account what these massive projects must go through. wow.

That being said, this is still a great plugin, but my days of compiling from source for other people are over. Especially for things like minecraft where every update they break compatibility and/or change something drastically. I'm just not comfortable being responsible for other people's systems because of the possibility of some shady developer out of a large group somewhere that just wants to be a dick.

On a side note, do you have any idea why Quartzlib not only fails to build without skipping tests, but also compiles as 0.0.5 instead of the 0.0.6 as downloaded? The process I used to compile looks something like this.

  • download source or git clone quartzlib 0.0.6
  • download source or git clone imageonmap
  • modify that one character in quartzlib
  • package quartzlib using mvn package -DskipTests <------- without the skip test it fails to build. lots of "SEVERE: Failed to load Tag" errors
  • rename quartzlib artifact from 0.0.5 jar to 0.0.6 jar and install into local maven repo <----- build outputs a file called "quartzlib-0.0.5-SNAPSHOT" even tho it's the 0.0.6 source.
  • package imageonmap jar using mvn package
  • copy imageonmap jar to plugins directory of minecraft server and test.


There are 62 of these errors, which seem to be a separate issue with yet another framework called mockbucket. Either Quartzlib or mockbucket seems to be missing tags for new blocks I'm guessing.

The result is a working Imageonmap plugin in the end tho.

How do I put the jar of the Quartz library into the local repo? I don't know how to do it because I have never used Maven.

J-eremy commented 2 years ago

I'm not sure how anyone can keep up with all the security issues on that many dependencies for a 450k file.

That's where the Java devs here will have to fill you in. Other package managers I'm familiar with automatically audit when you install the dependencies and will flag any issues (and even offer to fix them for you if upgrading the deps does not introduce breaking changes). Of course, it's up to you to check the output of the build and make sure there aren't any such issues before releasing anything (ideally with a build toolchain that refuses to publish a release if any of those checks fail!)

Honestly, there is a bigger issue at hand. This situation has really opened my eyes to a side of development I have never thought of. I may be wrong, but it's clear to me personally that the entire system being used behind the scenes is too fragmented to actually be secure in any meaningful way. I know next to nothing about java coding, but let's say I was a complete genius and understood every line of code. In order to make sure this plugin was secure, I would have to go through all the code of 30+ dependencies at any given moment in time to make sure it was all kosher. My other option is blind trust, which I clearly won't do at all anymore.

I have done some research into the nasty side of this today, and what kept showing up was something called node-ipc, and the developer of that one package sabotaged it to do malicious things unbeknownst to probably 90% of the other systems that relied on it. Clearly there is a bigger problem in the development sphere as a whole brewing which has the potential to cause a lot more problems than messing up someone's minecraft server.

The devs don't have to fill me in, there is honestly nothing anyone can say to rationalize the fact that something as simple as a 450k plugin for a minecraft server relies on more than 30 dependencies over which there is no control could be anything but a ticking time bomb. You would have to hire a team of developers to check everything every time there is an update, and even then it's a crap shoot. Then, take into account what these massive projects must go through. wow.

That being said, this is still a great plugin, but my days of compiling from source for other people are over. Especially for things like minecraft where every update they break compatibility and/or change something drastically. I'm just not comfortable being responsible for other people's systems because of the possibility of some shady developer out of a large group somewhere that just wants to be a dick.

On a side note, do you have any idea why Quartzlib not only fails to build without skipping tests, but also compiles as 0.0.5 instead of the 0.0.6 as downloaded? The process I used to compile looks something like this.

  • download source or git clone quartzlib 0.0.6
  • download source or git clone imageonmap
  • modify that one character in quartzlib
  • package quartzlib using mvn package -DskipTests <------- without the skip test it fails to build. lots of "SEVERE: Failed to load Tag" errors
  • rename quartzlib artifact from 0.0.5 jar to 0.0.6 jar and install into local maven repo <----- build outputs a file called "quartzlib-0.0.5-SNAPSHOT" even tho it's the 0.0.6 source.
  • package imageonmap jar using mvn package
  • copy imageonmap jar to plugins directory of minecraft server and test.

There are 62 of these errors, which seem to be a separate issue with yet another framework called mockbucket. Either Quartzlib or mockbucket seems to be missing tags for new blocks I'm guessing. The result is a working Imageonmap plugin in the end tho.

How do I put the jar of the Quartz library into the local repo? I don't know how to do it because I have never used Maven.

Are you using windows or linux?

J-eremy commented 2 years ago

It doesn't really matter, it's about the same; just the location of your home directory will be different.

It is more complicated because the pom files for the 0.0.6 Quartzlib are out of date and don't state the correct version for building. It builds fine, but is named and installed incorrectly as 0.0.5-SNAPSHOT when in fact it is the 0.0.6 source.

What you have to do, or I did in my case is clone the Quartzlib repo, then clone the Imageonmap repo. Go into the Quartzlib directory and edit the pom.xml file and change line 40 from: <version>0.0.5</version> to <version>0.0.6</version> and save

then go into the quartzlib sub directory in the original Quartzlib directory and open up that pom.xml file and change line 18 from: <revision>0.0.5-SNAPSHOT</revision> to <revision>0.0.6</revision> and save.

Now make your mods to the source like the ones here: https://github.com/zDevelopers/QuartzLib/pull/87/files

Once you have the code set and the pom files changed you are almost ready to build. What I recommend first is to clear out your local maven repo folder if it exists. This will make sure you don't have anything in there at all, and will re-download the other million dependencies as needed, but not Quartzlib as you will be building that yourself. On Windows it's: c:\users\<username>\.m2\repository\ and on Linux it's: ~/.m2/repository/

Delete everything from that folder; that's the local repo. Now you can build Quartzlib and install it into that directory using the code you modified. Go into wherever you cloned the repo for quartzlib and edited the files and type: mvn install -DskipTests
That command will compile your modified library, package it and install it into the local repo for maven.
Then go into the imageonmap folder and type: mvn package
That command will compile the addon, using the library you compiled in the previous step, and package it up in a .jar file.

What this should do is use your custom Quartzlib that you compiled to compile the jar for Imageonmap and place it in the directory: ImageOnMap/target/ where you should see a file called ImageOnMap-4.2.2.jar. That's your plugin and should be around 445KB or something.
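The version mix-up described above (source checked out as 0.0.6, artifact built and installed as 0.0.5-SNAPSHOT) is the kind of thing worth checking mechanically before running `mvn install`, so that the jar you later depend on is really the code you reviewed. The script below is an added example, not QuartzLib's or ImageOnMap's own tooling: it reads the version fields of a parent pom and a module pom, resolves Maven's `${revision}` placeholder the way CI-friendly versions do, and reports every field that disagrees with the release you intend to build. The two pom snippets are constructed to mirror the thread's description (a `<version>` in the parent pom and a `<revision>` property in the module pom); they are not the real QuartzLib files.

```python
"""Check that the version fields in a cloned Maven source tree agree with
the release you intend to build (the 0.0.5 vs 0.0.6 mix-up in this thread).
Added example; the pom snippets are constructed, not QuartzLib's real files."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def _find_text(root, path):
    """Text of a POM element addressed by a slash-separated path, or None."""
    el = root.find("/".join(POM_NS + step for step in path.split("/")))
    return None if el is None or el.text is None else el.text.strip()


def _properties(root):
    """The <properties> block as a plain dict (tag name -> text)."""
    props_el = root.find(POM_NS + "properties")
    if props_el is None:
        return {}
    return {child.tag.replace(POM_NS, ""): (child.text or "").strip()
            for child in props_el}


def resolve_placeholders(value, props):
    """Expand ${name} references; Maven CI-friendly versions use ${revision}."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def declared_versions(parent_pom_xml, module_pom_xml):
    """Collect every place a version is stated across the two poms."""
    parent = ET.fromstring(parent_pom_xml)
    module = ET.fromstring(module_pom_xml)
    props = _properties(module)
    raw_module_version = _find_text(module, "version") or ""
    return {
        "parent.version": _find_text(parent, "version"),
        "module.parent.version": _find_text(module, "parent/version"),
        "module.revision": props.get("revision"),
        # the version string the built artifact will actually carry
        "artifact.version": resolve_placeholders(raw_module_version, props),
    }


def version_mismatches(parent_pom_xml, module_pom_xml, expected):
    """Names of the version fields that disagree with `expected`; [] means consistent."""
    versions = declared_versions(parent_pom_xml, module_pom_xml)
    return sorted(key for key, value in versions.items() if value != expected)


# Constructed sample poms (hypothetical layout, not the real QuartzLib files).
PARENT_POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>fr.zcraft</groupId>
  <artifactId>quartzlib-parent</artifactId>
  <version>0.0.5</version>
  <packaging>pom</packaging>
</project>"""

MODULE_POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>fr.zcraft</groupId>
    <artifactId>quartzlib-parent</artifactId>
    <version>0.0.5</version>
  </parent>
  <artifactId>quartzlib</artifactId>
  <version>${revision}</version>
  <properties>
    <revision>0.0.5-SNAPSHOT</revision>
  </properties>
</project>"""

# The same files after the edits the thread describes.
PARENT_POM_AFTER = PARENT_POM_BEFORE.replace(
    "<version>0.0.5</version>", "<version>0.0.6</version>")
MODULE_POM_AFTER = (MODULE_POM_BEFORE
                    .replace("<version>0.0.5</version>", "<version>0.0.6</version>")
                    .replace("<revision>0.0.5-SNAPSHOT</revision>", "<revision>0.0.6</revision>"))


if __name__ == "__main__":
    print("before:", version_mismatches(PARENT_POM_BEFORE, MODULE_POM_BEFORE, "0.0.6"))
    print("after: ", version_mismatches(PARENT_POM_AFTER, MODULE_POM_AFTER, "0.0.6"))
```

Run against the unedited checkout it lists all four version fields as disagreeing with 0.0.6; after the edits it returns an empty list, which is the condition to require before `mvn install` so the artifact name matches the source you audited.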

OoLunar commented 2 years ago

Here's the jar I've compiled myself and have been using for a little over a week. As always, be sure to create backups before running new plugins, keep a close eye on their behavior, and if possible, always try compiling it yourself.

ImageOnMap-4.2.2.jar.zip

J-eremy commented 2 years ago

Here's the jar I've compiled myself and have been using for a little over a week. As always, be sure to create backups before running new plugins, keep a close eye on their behavior, and if possible, always try compiling it yourself.

ImageOnMap-4.2.2.jar.zip

You have a jar inside that jar. That's why the file size is twice what it's supposed to be...

OoLunar commented 2 years ago

Github didn't allow me to upload the .jar file directly, which was why I compressed it to a zip file. Regardless, if you don't wish to use it, then don't worry about it. I'm just trying to be helpful.

J-eremy commented 2 years ago

Github didn't allow me to upload the .jar file directly, which was why I compressed it to a zip file. Regardless, if you don't wish to use it, then don't worry about it. I'm just trying to be helpful.

Nah, what I'm saying is: you zipped up the jar, and inside the jar you zipped up is a copy of the quartzlib-0.0.5-SNAPSHOT.jar
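The advice earlier in the thread (back up, watch the plugin's behaviour, prefer building it yourself) and the discovery just above that the shared jar carried a whole quartzlib-0.0.5-SNAPSHOT.jar inside it both come down to inspecting an artifact before deploying it. The script below is an added example, not code from ImageOnMap or QuartzLib: it hashes a jar, lists any jars nested inside it, and reads the Maven coordinates the build embedded under META-INF/maven, flagging -SNAPSHOT versions. The sample jar it builds is constructed in memory; the group and artifact ids in it are placeholders chosen to resemble the thread, not the projects' real coordinates.

```python
"""Pre-deployment audit of a plugin jar: hash it, list nested jars (a
dependency packed whole inside the plugin, as in this thread), and read the
Maven coordinates the build embedded, flagging -SNAPSHOT versions.
Added example; not ImageOnMap or QuartzLib code."""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Tuple

Coord = Tuple[str, str, str]  # (groupId, artifactId, version)


@dataclass
class JarReport:
    sha256: str
    nested_jars: List[str] = field(default_factory=list)
    coordinates: List[Coord] = field(default_factory=list)
    snapshots: List[Coord] = field(default_factory=list)


def parse_pom_properties(text: str) -> dict:
    """Minimal parser for META-INF/maven/<g>/<a>/pom.properties (key=value lines)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _collect(zf: zipfile.ZipFile, prefix: str, report: JarReport) -> None:
    """Walk one archive; recurse into any jar found inside it."""
    for name in zf.namelist():
        path = prefix + name
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
            coord = (props.get("groupId", "?"), props.get("artifactId", "?"),
                     props.get("version", "?"))
            report.coordinates.append(coord)
            if coord[2].endswith("-SNAPSHOT"):
                report.snapshots.append(coord)
        elif name.lower().endswith(".jar"):
            report.nested_jars.append(path)
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _collect(inner, path + "!/", report)


def audit_jar(data: bytes) -> JarReport:
    """Report on a jar given as bytes (read the file yourself for a real artifact)."""
    report = JarReport(sha256=hashlib.sha256(data).hexdigest())
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        _collect(zf, "", report)
    report.nested_jars.sort()
    report.coordinates.sort()
    report.snapshots.sort()
    return report


def _make_jar(entries: dict) -> bytes:
    """Build an in-memory jar (zip) from {path: bytes} with a fixed timestamp,
    so the same inputs always give the same bytes and the same hash."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            info = zipfile.ZipInfo(path, date_time=(2022, 3, 5, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
    return buf.getvalue()


def build_sample_jar() -> bytes:
    """Constructed sample, not a real release: a plugin jar with its library
    jar dropped inside it. Group/artifact ids are placeholders."""
    library = _make_jar({
        "META-INF/maven/fr.zcraft/quartzlib/pom.properties":
            b"#Generated by Maven\nversion=0.0.5-SNAPSHOT\n"
            b"groupId=fr.zcraft\nartifactId=quartzlib\n",
        "fr/zcraft/quartzlib/Placeholder.class": b"\xca\xfe\xba\xbe",
    })
    return _make_jar({
        "plugin.yml": b"name: ImageOnMap\nversion: 4.2.2\n",
        "META-INF/maven/fr.moribus/imageonmap/pom.properties":
            b"version=4.2.2\ngroupId=fr.moribus\nartifactId=imageonmap\n",
        "quartzlib-0.0.5-SNAPSHOT.jar": library,
    })


if __name__ == "__main__":
    r = audit_jar(build_sample_jar())
    print("sha256     :", r.sha256)
    print("nested jars:", r.nested_jars)
    print("coordinates:", r.coordinates)
    print("snapshots  :", r.snapshots)
```

A nested jar is not loaded by the plugin class loader, so it only inflates the file, but its presence is a tell that the build was assembled by hand rather than by the project's own Maven shading, and the recorded SHA-256 is what you compare against a jar you built yourself from the reviewed source.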

OoLunar commented 2 years ago

Yes, that Quartzlib Snapshot jar is from the https://github.com/zDevelopers/QuartzLib/pull/87 PR. I'm a C# developer, not a Java developer. My experience with Maven is next to none

J-eremy commented 2 years ago

Yes, that Quartzlib Snapshot jar is from the zDevelopers/QuartzLib#87 PR. I'm a C# developer, not a Java developer. My experience with Maven is next to none

From what I understand, ImageOnMap uses Quartzlib as a dependency at build time, which means it bakes it all in at go time. This is why you have to compile Quartzlib and install it locally in the maven repo before compiling ImageOnMap: ImageOnMap looks for Quartzlib in the repo and if it isn't found it downloads it, but if it is found it uses the local copy.