java.lang.NoSuchMethodError: org.springframework.util.Assert.noNullElements - java

I upgraded the spring-web module version from 5.1.2.RELEASE to 5.2.4.RELEASE for my Micronaut application deployed on AWS. I had to upgrade to a more stable version (suggested fix by WhiteSource) as the older version jar was considered to be highly vulnerable from a security standpoint by the WhiteSource tool.
The issue is that most of my application's endpoints worked just fine as they were mainly database queries but I noticed that if I make a REST call, the endpoint fails with the following error:
Invocation with requestId [ca31a9a5-35b3-4b52-a955-e304d9021880] failed: org.springframework.util.Assert.noNullElements(java.util.Collection, java.lang.String)java.lang.NoSuchMethodError: org.springframework.util.Assert.noNullElements(java.util.Collection, java.lang.String)
at org.springframework.web.client.HttpMessageConverterExtractor.<init>(HttpMessageConverterExtractor.java:77)
at org.springframework.web.client.RestTemplate$ResponseEntityResponseExtractor.<init>(RestTemplate.java:988)
at org.springframework.web.client.RestTemplate.responseEntityExtractor(RestTemplate.java:819)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:582)
at com.connector.getToken(Connector.java:58)
Downgrading the version is not much of an option as those jars will be rejected/deemed vulnerable by WhiteSource. Is there another workaround/solution for this? Please let me know! Thanks.

Make sure to upgrade the spring-core dependency to 5.2.4.RELEASE as well.
Or rather: Make sure that all spring- dependencies have the same version number.
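One way to check a packaged lib directory for the mismatch described in this answer, as an added example that is not part of the original posts. The jar list is constructed, and the set of Spring Framework module names treated as one family is an assumption to adjust per project.

```python
import re
from collections import defaultdict

# Constructed sample: jar names as they might appear in the deployed lib/
# directory after bumping only spring-web, as in the question above.
SAMPLE_CLASSPATH = [
    "lib/spring-web-5.2.4.RELEASE.jar",
    "lib/spring-core-5.1.2.RELEASE.jar",
    "lib/spring-beans-5.1.2.RELEASE.jar",
    "lib/mysql-connector-java-5.1.16.jar",
    "lib/README.txt",
]

# Assumption: artifacts that are released together and must share a version.
FAMILIES = {
    "spring-framework": {
        "spring-aop", "spring-beans", "spring-context", "spring-core",
        "spring-expression", "spring-jcl", "spring-web", "spring-webmvc",
    },
}

# <artifact>-<version>.jar, where the version starts with a digit.
JAR_RE = re.compile(r"(?P<artifact>[A-Za-z0-9_.\-]+?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_jar(path):
    """Return (artifact, version) for a jar path, or None if it does not parse."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def find_version_conflicts(classpath, families=FAMILIES):
    """Map each family present in more than one version to {version: [artifacts]}."""
    owner = {a: fam for fam, arts in families.items() for a in arts}
    seen = defaultdict(lambda: defaultdict(set))
    for path in classpath:
        parsed = parse_jar(path)
        if parsed is None:
            continue  # not a versioned jar
        artifact, version = parsed
        # An artifact outside every family is checked against itself only.
        seen[owner.get(artifact, artifact)][version].add(artifact)
    return {fam: {v: sorted(a) for v, a in vers.items()}
            for fam, vers in seen.items() if len(vers) > 1}


if __name__ == "__main__":
    for fam, versions in find_version_conflicts(SAMPLE_CLASSPATH).items():
        print(fam, versions)
```

Run against the real jar listing of the build artifact, a non-empty result for `spring-framework` points at the modules that were left behind by a single-module upgrade.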

Related

Logback-classic 1.2.8 DBAppender Missing

I'm trying to upgrade the logback-classic library from version 1.2.3 to 1.2.8. The patch notes say that all DB related code has been removed, so the main DBAppender class no longer exists in the new version https://logback.qos.ch/news.html. Has anyone found some kind of upgrade guide or know of a workaround solution?
Please see https://logback.qos.ch/news.html.
2022-04-20, Release of logback.db version 1.2.11.1
As of logback version 1.2.8 DBAppender no longer ships with logback.
However, DBAppender for logback-classic is available under the
following Maven coordinates:
ch.qos.logback.db:logback-classic-db:1.2.11.1
and for logback-access under
ch.qos.logback.db:logback-access-db:1.2.11.1
Both of these artifacts require
ch.qos.logback.db:logback-core-db:1.2.11.1 which will be pulled in
automatically by Maven's transitivity rules.
I was wondering the same thing after upgrading Spring to 2.6.3, which pulls in logback version 1.2.8+ through the spring-boot-starter-logging dependency.
According to logback's site: https://logback.qos.ch/news.html in version 1.2.8: "2) we have removed all database (JDBC) related code in the project with no replacement."
My logback xml configuration file has a custom DB Appender in it and the application failed to build with the following error:
Could not create an Appender of type [ch.qos.logback.classic.db.DBAppender]. ch.qos.logback.core.util.DynamicClassLoadingException: Failed to instantiate type ch.qos.logback.classic.db.DBAppender
After doing some research, I found a ticket in the logback backlog with a request to document how to proceed. https://jira.qos.ch/browse/LOGBACK-1609
Apparently the DB appender was removed due to a vulnerability.
According to the developer: "The source code is still there. Until this issue is resolved, you can fetch the code from tag 1.2.8 and rebuild. The DBAppender issue is a bit more complex than what people think. As you can imagine, we have a lot on my plate these days but we'll get to it eventually."
So it sounds like the code was removed while they work on a fix and support will be added back eventually. I wouldn't count on a quick fix though.
As a workaround I have pinned the logback version in my project's Gradle file so that I can use the latest version of Spring along with the latest version of logback that still supports the DB appender class.
Here is the syntax I used:
ext['logback.version'] = '1.2.7'

groovy-all:3.0.8 in my build.gradle is downloading different jar versions

After adding groovy-all:3.0.8 into my build.gradle, the downloaded jars are in different versions as shown below. Each of these jars has its 3.0.8 version and I don't know why they aren't downloaded instead.
Appreciate any help
Thanks
Since Groovy 2.5, groovy-all is just a pom which brings in the equivalent component jars, see the according release notes. This explains that you see no groovy-all.
Regarding the version numbers: spring-boot defines the Groovy version, you can print it with:
ext {
    // versions taken from Spring BOM
    GROOVY_VERSION = dependencyManagement.importedProperties['groovy.version']
    println GROOVY_VERSION
}
and I expect it is 2.5.13 which for example is included by Spring Boot Version 2.3.4. Unfortunately you didn't specify your used Spring version.
With Spring Boot you include Groovy normally just with
compile "org.codehaus.groovy:groovy-all"
without a version number since Spring Boot defines the version.
So the question is how to override the provided Spring version - alternatively you can increase the used Spring version to get a more recent Groovy version.
To override the Spring version just exclude Groovy, e.g. see these SO posts:
https://stackoverflow.com/a/50972674/3181392
https://stackoverflow.com/a/47355002/734687
E.g. use:
ext['groovy.version'] = '3.0.8'
To see which component included the wrong version you can execute the Gradle task "dependencies" (find it in IDEA under the help category). In this answer I assumed it was Spring (and I am sure it was).

Missing dependency on EmbeddedKafka on integration test with groovy and spock

I've been trying to create an integration test using the embeddedKafka, but I'm getting a missing dependency problem when trying to run it. This is the error:
Unable to load class org.springframework.kafka.test.EmbeddedKafkaBroker due to missing dependency org/I0Itec/zkclient/serialize/ZkSerializer
I saw some stuff saying that this is related to my dependencies, so here are my dependencies:
springBootVersion = '2.3.5.RELEASE'
compile("org.springframework.boot:spring-boot-starter-web:${springBootVersion}")
compile("org.springframework.kafka:spring-kafka:${springBootVersion}")
testCompile("org.springframework.boot:spring-boot-starter-test:${springBootVersion}",
'org.spockframework:spock-core:1.2-groovy-2.4',
'org.spockframework:spock-spring:1.2-groovy-2.4',
'com.microsoft.azure:spring-data-cosmosdb:2.3.0',
'com.nimbusds:oauth2-oidc-sdk:5.64.4',
)
testCompile("org.springframework.kafka:spring-kafka-test:${springBootVersion}")
So, my question is, am I missing something?
EDIT
After changing the versions as indicated, I got a different error:
Error creating bean with name 'embeddedKafka': Invocation of init
method failed; nested exception is java.lang.NoClassDefFoundError:
scala/math/Ordering$$anon$7
I've added the Scala dependencies, but I'm still having the same issue:
testImplementation("org.scala-lang:scala-library:2.12.11")
testImplementation("org.scala-lang:scala-reflect:2.12.11")
You somehow have a mismatched kafka Vs. kafka-clients jars on the classpath; they all must be the same version.
You generally should not specify a version on boot's dependencies and use its dependency management instead.
You are pulling in spring-kafka 2.3.5 whereas spring-boot 2.3.5 requires spring-kafka 2.5.7.
Spring-kafka 2.5.x uses the kafka-clients 2.5.1.
See here for how to override versions of kafka jars when using a different version to the version that Boot prescribes.
The Kafka Client libraries for a time were inlining a particular version of the Scala library. This caused problems for those of us wanting to use the Kafka client library with a slightly different version of Scala than that inline version.
In this case the version of Scala they were using inline is Scala 2.12.10.
They removed this dependency in later versions and this was backported as fixes (the earliest being 2.8.0): https://archive.apache.org/dist/kafka/2.8.0/RELEASE_NOTES.html

Using Spring Boot, QueryDSL, and Springfox Swagger together - Guava version mismatch

I'm trying to use QueryDSL for Spring Data predicate resolution as well as Swagger API documentation for my Spring Boot service. However I've run into a problem. When my application starts, I get this error message:
java.lang.NoSuchMethodError: 'com.google.common.collect.FluentIterable com.google.common.collect.FluentIterable.concat(java.lang.Iterable, java.lang.Iterable)
An attempt was made to call a method that does not exist. The attempt was made from the following location:
springfox.documentation.schema.DefaultModelDependencyProvider.dependentModels(DefaultModelDependencyProvider.java:79)
The following method did not exist:
'com.google.common.collect.FluentIterable com.google.common.collect.FluentIterable.concat(java.lang.Iterable, java.lang.Iterable)'
The method's class, com.google.common.collect.FluentIterable, is available from the following locations:
jar:file:/my_m2/com/google/guava/guava/18.0/guava-18.0.jar!/com/google/common/collect/FluentIterable.class
Action:
Correct the classpath of your application so that it contains a single, compatible version of com.google.common.collect.FluentIterable
I've discovered that this is happening because QueryDSL is dependent on Guava 18.0 library, but Springfox / Swagger is dependent on Guava 20.0 library, so I end up with both versions of the library on my classpath and maven seems to prioritize the 18.0 one. How can I fix this dependency mismatch? Is there any way to force QueryDSL to try to use Guava 20.0 (in the hopes that it will still function)? Or could there possibly be any other way around this?
Versions:
Spring Boot version: 2.1.9.RELEASE
This version of Spring Boot uses QueryDSL version: 4.2.1
Springfox Swagger version: 2.9.2
If using Gradle, you can force the use of a specific library version. In this case, you may use the following syntax -
configurations.all {
    resolutionStrategy.force "com.google.guava:guava:$guavaVersion"
}
I'm sure there's a similar solution if you use a different build tool.

Grails NoSuchField exception because of wrong dependency version of apache http core

I have Grails 2.0.4 application that depends on a jar that depends on org.apache.httpcomponents:httpcore:4.3.1
I'm getting a NoSuchField exception which I managed to track down to org.apache.http.impl.conn.BasicLineParser.INSTANCE.
This field is only present from httpcore 4.3; before this version the field was BasicLineParser.DEFAULT instead.
My BuildConfig.groovy is like:
dependencies {
    runtime 'mysql:mysql-connector-java:5.1.16'
    runtime 'org.apache.httpcomponents:httpclient:4.3.1'
    runtime 'org.apache.httpcomponents:httpcore:4.3.1'
}
Running the dependency report I found out that there is a signpost-commonshttp4 by oauth.signpost that depends on httpcore:4.0.1 which is probably the root cause of my issue, because it doesn't have the INSTANCE property.
I've tried to exclude this dependency by adding
runtime('oauth.signpost:signpost-commonshttp4:1.2.1.1'){
    excludes 'httpcore'
}
with no success.
Is there any other way to prevent the code from using the older library version?
Regards
RESOLVED
I managed to resolve this issue by adding an extra dependencies configuration
build 'org.apache.httpcomponents:httpclient:4.3.1'
build 'org.apache.httpcomponents:httpcore:4.3.1'
along with the runtime
Thank you all
