11.0.0 failing with NoSuchMethodError #7098
Comments
Looks like you suffer from other parts of your gradle build replacing DependencyCheck's commons-io dependency (2.17.0) with an incompatible older version (older than 2.12.0, given that commons-io documents the method as |
I checked the dependencies and it's showing commons-io 2.17.0. I wonder if there is an issue with dichotomy of buildSrc and kotlin plugins. I didn't encounter the issue with the typical setup groovy classpath/plugin application |
I did also get this blob before the failure at the end: Unexpected error during parsing of the pom '/var/folders/58/8r7gvck557x_49qm2bbl4tzc0000gn/T/dctemp7a40542d-1e44-46da-98fc-9eefb5035bdd/check10301371309261096767tmp/2/pom.xml' |
Added to gist |
gradle buildEnvironment:
|
Hmm... looks like gradle has its own version: (base) saitx@Keiths-MBP-401 classpathDump % searchJars BOMInputStream |
Although that should be relocated to the package org.gradle.internal.impldep.org.apache.commons.io.input |
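A jar scan of the kind done above with `searchJars BOMInputStream`, as an added example that is not part of the original thread or of DependencyCheck: it lists every jar under a directory that carries the class, marks relocated copies (such as Gradle's `org.gradle.internal.impldep` one), and flags unrelocated copies whose versions differ. The helper names and the sample jars are constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

TARGET = "org/apache/commons/io/input/BOMInputStream.class"  # class named in the thread

def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return None

def find_providers(root, target=TARGET):
    """Hypothetical helper: (jar, entry, relocated, version) per jar holding the class."""
    hits = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                version = manifest_version(zf)
                for entry in zf.namelist():
                    if entry == target or entry.endswith("/" + target):
                        hits.append((jar.name, entry, entry != target, version))
        except zipfile.BadZipFile:
            continue  # not a readable archive; ignore it
    return hits

def conflicting(hits):
    """Unrelocated copies with differing versions: only these can shadow one another."""
    plain = [h for h in hits if not h[2]]
    return plain if len({h[3] for h in plain}) > 1 else []

def make_jar(path, entry, version):
    """Write a constructed stand-in jar: an empty class entry plus a manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(entry, b"")

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())  # constructed sample jars, not real artifacts
    make_jar(root / "commons-io-2.17.0.jar", TARGET, "2.17.0")
    make_jar(root / "commons-io-2.11.0.jar", TARGET, "2.11.0")
    make_jar(root / "gradle-bundled.jar", "org/gradle/internal/impldep/" + TARGET, "8.10.2")
    for name, entry, relocated, version in find_providers(root):
        print(f"{name}\t{version}\t{'relocated' if relocated else 'PLAIN'}\t{entry}")
    print("conflicting:", [h[0] for h in conflicting(find_providers(root))])
```

To use it on a real build, pass `find_providers` a directory that holds the jars from the plugin classpath, for example a classpath dump like the one above.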
Verified it doesn't have the issue in my groovy project. So it seems to be something in the Kotlin files/plugins. |
Those errors will be the mentioned NoSuchMethodErrors |
Your buildEnvironment looks clean, not an experienced gradler myself, so not sure if in some way the buildEnvironment can in obscure ways not show (all) the actual libraries that are in the classpath when the plugin is executed; can you try to see what happens when you explicitly pin it to commons-io 2.17.0? See https://github.com/jeremylong/DependencyCheck?tab=readme-ov-file#gradle-build-environment |
No luck with forcing the version. Still the same error. |
This behavior does remind me of when I get a dependency with shaded classes (without relocation). I wonder if there is something shaded in here, somewhere. |
Seems to be specifically with kotlin-dsl plugin applied. Will look into making a minimum example. |
I got it working by pinning the dependency just the way described in the README. Had to already do it for commons-lang and jackson-databind. This may not be necessary for your project.

```kotlin
plugins {
    `kotlin-dsl`
}

/**
 * gradle plugins and plugin dependencies go here
 */
dependencies {
    // ...
    implementation("org.apache.commons:commons-lang3:3.17.0") // required by owasp dependency check
    implementation("com.fasterxml.jackson.core:jackson-databind:2.18.0") // required by owasp dependency check
    implementation("commons-io:commons-io:2.17.0") // required by owasp dependency check
}
```
|
I'll give that a try. Didn't have the issue with jackson/commons-lang3 but I will keep that in mind. |
No luck. Same error |
Not sure I'll have much time for the next two weeks - but do you have a sample |
Just tried to reproduce this with gradle 8.10.2 - and everything worked as expected on my side. At this point we would need a sample project (doesn't need source - just the build.gradle and possibly settings.gradle). |
I had the same issue, but in my case I managed to narrow it down to an older gradle plugin that still had a dependency on commons-io:2.11.0. It can be hard to find, as the regular |
Let me try that. I'll get back to you on whether that works or if I can get a working build (current is using a lot of internal libraries) |
So I went through the dependencies in build

```kotlin
plugins {
    // Support convention plugins written in Kotlin. Convention plugins are build scripts in 'src/main' that automatically become available as plugins in the main build.
    `kotlin-dsl`
    // applies the spotless plugin to the buildSrc project only
    id("com.diffplug.spotless") version "6.25.0"
}

dependencies {
    // see https://projectlombok.org/setup/gradle
    implementation("io.freefair.gradle:lombok-plugin:8.10.2")
    // see https://github.com/diffplug/spotless/blob/main/plugin-gradle/README.md
    implementation("com.diffplug.spotless:spotless-plugin-gradle:6.25.0")
    // see https://imperceptiblethoughts.com/shadow/configuration/
    implementation("com.gradleup.shadow:shadow-gradle-plugin:8.3.5")
    // this is the dependency that has the latest
    implementation("org.owasp:dependency-check-gradle:11.1.0")
}

// buildSrc project has gradle kotlin in non-conventional directories
spotless {
    kotlinGradle {
        target("**/*.gradle.kts")
        ktlint()
    }
}
```

I even upgraded from john rengelman shadow to gradleup. It's still failing with the same error in dependencyCheckAggregate |
gradle wrapper is 8.10.2 |
Root caused it:

```kotlin
plugins {
    // Nyx maintainers recommend applying this plugin at the settings level, so that it is evaluated as early as possible
    // see https://mooltiverse.github.io/nyx/guide/user/introduction/usage/#apply-the-plugin
    id("com.mooltiverse.oss.nyx") version "3.0.0"
}

configure<com.mooltiverse.oss.nyx.gradle.NyxExtension> {
    preset = "simple"
    stateFile = "build/.nyx-state.yml"
    releaseTypes {
        items {
            register("mainline") {
                // this is what we need to change
                gitTag = "true"
                matchEnvironmentVariables.put("CI", "^true$")
                // but all of this has to come along for the ride, as Nyx does not support partial overrides of ReleaseType
                filterTags = "^({{configuration.releasePrefix}})?([0-9]\\d*)\\.([0-9]\\d*)\\.([0-9]\\d*)$"
                gitTagNames = listOf("{{version}}")
                matchBranches = "^(master|main)$"
                matchWorkspaceStatus = "CLEAN"
            }
        }
    }
}
```
|
Even the latest version is causing issues. |
So nothing can be done on the dependency check side. Maybe just add some documentation to double-check the settings plugins if experiencing this issue. |
You might be able to force the dependency resolution strategy for the build scripts to resolve in your build. https://stackoverflow.com/a/72347306 |
Describe the bug
A clear and concise description of what the bug is.
Latest version 11.0.0 failing with
Version of dependency-check used
The problem occurs using version 11.0.0 of the gradle plugin
Log file
When reporting errors, 99% of the time log file output is required. Please post the log file as a gist and provide a link in the new issue.
https://gist.github.com/Grimoren/724ccf0baf8c6a28fae9b77cf676f54d
To Reproduce
Steps to reproduce the behavior:
Expected behavior
DependencyCheckAggregate finishes with no error.
Additional context
Add any other context about the problem here.