DependencyCheck | OWASP dependencycheck is a software composition analysis utility | Security library

by jeremylong Java Version: v7.0.4 License: Apache-2.0

Download this library from

kandi X-RAY | DependencyCheck Summary

DependencyCheck is a Java library typically used in Financial Services, Banks, Payments, Security, Maven applications. DependencyCheck has no bugs, it has no vulnerabilities, it has build file available, it has a Permissive License and it has medium support. You can download it from GitHub, Maven.

[![Maven Central](https://img.shields.io/maven-central/v/org.owasp/dependency-check-maven.svg)](https://mvnrepository.com/artifact/org.owasp/dependency-check-maven) ![Build and Deploy](https://github.com/jeremylong/DependencyCheck/workflows/Build%20and%20Deploy/badge.svg?branch=main) [![Coverity Scan Build Status](https://img.shields.io/coverity/scan/1654.svg)](https://scan.coverity.com/projects/dependencycheck) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/6b6021d481dc41a888c5da0d9ecf9494)](https://www.codacy.com/app/jeremylong/DependencyCheck?utm_source=github.com&utm_medium=referral&utm_content=jeremylong/DependencyCheck&utm_campaign=Badge_Grade) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/843/badge)](https://bestpractices.coreinfrastructure.org/projects/843) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt). [![Black Hat Arsenal](https://raw.githubusercontent.com/toolswatch/badges/master/arsenal/usa/2018.svg?sanitize=true)](http://www.toolswatch.org/2018/05/black-hat-arsenal-usa-2018-the-w0w-lineup/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2015.svg)](https://www.toolswatch.org/2015/06/black-hat-arsenal-usa-2015-speakers-lineup/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2014.svg)](https://www.toolswatch.org/2014/06/black-hat-usa-2014-arsenal-tools-speaker-list/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2013.svg)](https://www.toolswatch.org/2013/06/announcement-blackhat-arsenal-usa-2013-selected-tools/).

Support

Quality

Security

License

Reuse

kandi-support Support

DependencyCheck has a medium active ecosystem.
It has 3986 star(s) with 916 fork(s). There are 153 watchers for this library.
There were 5 major release(s) in the last 6 months.
There are 320 open issues and 2581 have been closed. On average issues are closed in 14 days. There are 6 open pull requests and 0 closed requests.
It has a neutral sentiment in the developer community.
The latest version of DependencyCheck is v7.0.4

DependencyCheck Support

Best in #Security

Average in #Security

DependencyCheck Support

Best in #Security

Average in #Security

quality kandi Quality

DependencyCheck has 0 bugs and 0 code smells.

DependencyCheck Quality

Best in #Security

Average in #Security

DependencyCheck Quality

Best in #Security

Average in #Security

security Security

DependencyCheck has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
DependencyCheck code analysis shows 0 unresolved vulnerabilities.
There are 0 security hotspots that need review.

DependencyCheck Security

Best in #Security

Average in #Security

DependencyCheck Security

Best in #Security

Average in #Security

license License

DependencyCheck is licensed under the Apache-2.0 License. This license is Permissive.
Permissive licenses have the least restrictions, and you can use them in most projects.

DependencyCheck License

Best in #Security

Average in #Security

DependencyCheck License

Best in #Security

Average in #Security

build Reuse

DependencyCheck releases are available to install and integrate.
Deployable package is available in Maven.
Build file is available. You can build the component from source.
Installation instructions are not available. Examples and code snippets are available.
It has 99962 lines of code, 3326 functions and 624 files.
It has high code complexity. Code complexity directly impacts maintainability of the code.

DependencyCheck Reuse

Best in #Security

Average in #Security

DependencyCheck Reuse

Best in #Security

Average in #Security

Top functions reviewed by kandi - BETA

kandi has reviewed DependencyCheck and discovered the below as its top functions. This is intended to give you an instant insight into DependencyCheck implemented functionality, and help decide if they suit your requirements.

Sets the evidence of the pom .
Collects dependency management dependencies .
Update the description of the assembly .
Checks if the CPE matches .
Update CVE values .
Updates the CVE value in the database .
Checks whether the dependency matches .
Attempt to determine the ecosystem based on the vendor information .
Initializes the database driver .
Process node dependencies .

DependencyCheck Key Features

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

DependencyCheck Examples and Code Snippets

See all related Code Snippets

Dependency-Check

Copy

Download

If upgrading to 7.0.0 or higher, there were breaking changes. If you get an error indicating you can't connect
to the database you will need to run the purge command to remove the old database:
- gradle: `./gradlew dependencyCheckPurge`
- maven: `mvn org.owasp:dependency-check-maven:7.0.0:purge`
- cli: `dependency-check.sh --purge`

Homebrew users upgrading to dependency-check 7.0.0 will need to purge their old database.

Current Releases
-------------
### Jenkins Plugin

For instructions on the use of the Jenkins plugin please see the [OWASP Dependency-Check Plugin page](https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin).

### Command Line

More detailed instructions can be found on the
[dependency-check github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/).
The latest CLI can be downloaded from github in the [releases section](https://github.com/jeremylong/DependencyCheck/releases).

On *nix
```
$ ./bin/dependency-check.sh -h
$ ./bin/dependency-check.sh --out . --scan [path to jar files to be scanned]
```
On Windows
```
&gt; .\bin\dependency-check.bat -h
&gt; .\bin\dependency-check.bat --out . --scan [path to jar files to be scanned]
```
On Mac with [Homebrew](http://brew.sh)
Note - homebrew users upgrading from 5.x to 6.0.0 will need to run `dependency-check.sh --purge`.
```
$ brew update &amp;&amp; brew install dependency-check
$ dependency-check -h
$ dependency-check --out . --scan [path to jar files to be scanned]
```

### Maven Plugin

More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven).
By default, the plugin is tied to the `verify` phase (i.e. `mvn verify`). Alternatively,
one can directly invoke the plugin via `mvn org.owasp:dependency-check-maven:check`.

The dependency-check plugin can be configured using the following:

```xml
&lt;project&gt;
    &lt;build&gt;
        &lt;plugins&gt;
            ...
            &lt;plugin&gt;
              &lt;groupId&gt;org.owasp&lt;/groupId&gt;
              &lt;artifactId&gt;dependency-check-maven&lt;/artifactId&gt;
              &lt;executions&gt;
                  &lt;execution&gt;
                      &lt;goals&gt;
                          &lt;goal&gt;check&lt;/goal&gt;
                      &lt;/goals&gt;
                  &lt;/execution&gt;
              &lt;/executions&gt;
            &lt;/plugin&gt;
            ...
        &lt;/plugins&gt;
        ...
    &lt;/build&gt;
    ...
&lt;/project&gt;
```

### Ant Task

For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant).

Development Prerequisites
-------------

For installation to pass, you must have the following components installed:
* Java: `java -version` 1.8
* Maven: `mvn -version` 3.5.0 and higher

Tests cases require:
* dotnet core version 6.0
* Go: `go version` 1.12 and higher
* Ruby [bundler-audit](https://github.com/rubysec/bundler-audit#install)
* [Yarn](https://classic.yarnpkg.com/en/docs/install/)
* [pnpm](https://pnpm.io/installation)

Development Usage
-------------
The following instructions outline how to compile and use the current snapshot. While every intention is to maintain a stable snapshot it is recommended
that the release versions listed above be used.

The repository has some large files due to test resources. The team has tried to clean up the history as much as possible.
However, it is recommended that you perform a shallow clone to save yourself time:

```bash
git clone --depth 1 https://github.com/jeremylong/DependencyCheck.git
```

On *nix
```
$ mvn -s settings.xml install
$ ./cli/target/release/bin/dependency-check.sh -h
$ ./cli/target/release/bin/dependency-check.sh --out . --scan ./src/test/resources
```
On Windows
```
&gt; mvn -s settings.xml install
&gt; .\cli\target\release\bin\dependency-check.bat -h
&gt; .\cli\target\release\bin\dependency-check.bat --out . --scan ./src/test/resources
```

Then load the resulting 'dependency-check-report.html' into your favorite browser.

### Docker

In the following example it is assumed that the source to be checked is in the current working directory and the reports will be written to `$(pwd)/odc-reports`. Persistent data and cache directories are used, allowing you to destroy the container after running.

For Linux:
```sh
#!/bin/sh

DC_VERSION="latest"
DC_DIRECTORY=$HOME/OWASP-Dependency-Check
DC_PROJECT="dependency-check scan: $(pwd)"
DATA_DIRECTORY="$DC_DIRECTORY/data"
CACHE_DIRECTORY="$DC_DIRECTORY/data/cache"

if [ ! -d "$DATA_DIRECTORY" ]; then
    echo "Initially creating persistent directory: $DATA_DIRECTORY"
    mkdir -p "$DATA_DIRECTORY"
fi
if [ ! -d "$CACHE_DIRECTORY" ]; then
    echo "Initially creating persistent directory: $CACHE_DIRECTORY"
    mkdir -p "$CACHE_DIRECTORY"
fi

# Make sure we are using the latest version
docker pull owasp/dependency-check:$DC_VERSION

docker run --rm \
    -e user=$USER \
    -u $(id -u ${USER}):$(id -g ${USER}) \
    --volume $(pwd):/src:z \
    --volume "$DATA_DIRECTORY":/usr/share/dependency-check/data:z \
    --volume $(pwd)/odc-reports:/report:z \
    owasp/dependency-check:$DC_VERSION \
    --scan /src \
    --format "ALL" \
    --project "$DC_PROJECT" \
    --out /report
    # Use suppression like this: (where /src == $pwd)
    # --suppression "/src/security/dependency-check-suppression.xml"
```

For Windows:
```bat
@echo off

set DC_VERSION="latest"
set DC_DIRECTORY=%USERPROFILE%\OWASP-Dependency-Check
SET DC_PROJECT="dependency-check scan: %CD%"
set DATA_DIRECTORY="%DC_DIRECTORY%\data"
set CACHE_DIRECTORY="%DC_DIRECTORY%\data\cache"

IF NOT EXIST %DATA_DIRECTORY% (
    echo Initially creating persistent directory: %DATA_DIRECTORY%
    mkdir %DATA_DIRECTORY%
)
IF NOT EXIST %CACHE_DIRECTORY% (
    echo Initially creating persistent directory: %CACHE_DIRECTORY%
    mkdir %CACHE_DIRECTORY%
)

rem Make sure we are using the latest version
docker pull owasp/dependency-check:%DC_VERSION%

docker run --rm ^
    --volume %CD%:/src ^
    --volume %DATA_DIRECTORY%:/usr/share/dependency-check/data ^
    --volume %CD%/odc-reports:/report ^
    owasp/dependency-check:%DC_VERSION% ^
    --scan /src ^
    --format "ALL" ^
    --project "%DC_PROJECT%" ^
    --out /report
    rem Use suppression like this: (where /src == %CD%)
    rem --suppression "/src/security/dependency-check-suppression.xml"
```

Building From Source
-------------
To build dependency-check (using Java 8) run the command:

```
mvn -s settings.xml install
```

Building the documentation
--------------------------

The documentation on the [github pages](http://jeremylong.github.io/DependencyCheck/) is generated from this repository:

    mvn -s settings.xml site  site:staging

Once done, point your browser to `./target/staging/index.html`.

Building The Docker Image
-------------
To build dependency-check docker image run the command:

```
mvn -s settings.xml install
./build-docker.sh
```

License
-------

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.

Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt][notices] file for more information.

Copyright (c) 2012-2022 Jeremy Long. All Rights Reserved.

  [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICE.txt

dependency-check-maven - suppression not working

Copy

Download

  <suppress>
    <notes>
      <![CDATA[
      file name: h2-1.4.200.jar
      ]]>
    </notes>
    <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
    <vulnerabilityName>CVE-2021-23463</vulnerabilityName>
  </suppress>

  <suppress>
    <notes>
      <![CDATA[
      file name: h2-1.4.200.jar
      ]]>
    </notes>
    <filePath regex="true">.*\/h2database.*\.jar</filePath>
    <vulnerabilityName>CVE-2021-23463</vulnerabilityName>
  </suppress>

-----------------------

  <suppress>
    <notes>
      <![CDATA[
      file name: h2-1.4.200.jar
      ]]>
    </notes>
    <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
    <vulnerabilityName>CVE-2021-23463</vulnerabilityName>
  </suppress>

  <suppress>
    <notes>
      <![CDATA[
      file name: h2-1.4.200.jar
      ]]>
    </notes>
    <filePath regex="true">.*\/h2database.*\.jar</filePath>
    <vulnerabilityName>CVE-2021-23463</vulnerabilityName>
  </suppress>

BeanDefinitionOverrideException when supplying bean for integration test / @SpringBootTest

Copy

Download

spring:
  main:
    allow-bean-definition-overriding: true

-----------------------

    @TestConfiguration
    static class ClockTestConfiguration {

        @Bean("fixedClock")
        @Primary
        public Clock clock() {
            return Clock.fixed(Instant.ofEpochMilli(1635513004000L), ZoneId.systemDefault());
        }
    }

Getting zero coverage on sonarQube after publishing sonar report via ci-pipeline

Copy

Download

run_sonar() {
      run_mvn \
        -Dsonar.projectKey=UI-Service \
        -Dsonar.host.url=xxx \
        -Dsonar.login=${SONAR_TOKEN} \
        -Dsonar.sources=src/main \
        -Dsonar.tests=src/test \
        package \
        sonar:sonar
}

-----------------------

<execution>
  <id>pre-unit-test</id>
  <goals>
    <goal>prepare-agent</goal>
  </goals>
  <configuration>
    <propertyName>surefireArgLine</propertyName>
  </configuration>
</execution>

<argLine>${surefireArgLine}</argLine>

-----------------------

<execution>
  <id>pre-unit-test</id>
  <goals>
    <goal>prepare-agent</goal>
  </goals>
  <configuration>
    <propertyName>surefireArgLine</propertyName>
  </configuration>
</execution>

<argLine>${surefireArgLine}</argLine>

Spring Boot: combining Webflux, OAuth2 and HATEOAS

Copy

Download

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-webflux'
    implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
    //implementation 'org.springframework.boot:spring-boot-starter-hateoas'
    implementation 'org.springframework.hateoas:spring-hateoas:1.3.1'

    testImplementation('org.springframework.boot:spring-boot-starter-test') {
        exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
    }
}

Spring boot to work with legacy data beans

Copy

Download

@SpringBootApplication(exclude={DataSourceAutoConfiguration.class, TransactionAutoConfiguration.class})

spring.main.allow-bean-definition-overriding=true

-----------------------

@SpringBootApplication(exclude={DataSourceAutoConfiguration.class, TransactionAutoConfiguration.class})

spring.main.allow-bean-definition-overriding=true

spring batch job parameters in StepScope

Copy

Download

@Bean
@StepScope
public FlatFileItemReader<CsvTask> importTasksReader(@Value("#{jobParameters['inputfile']}") String inputFile) {
  // ...
}

Once you have an @EnableBatchProcessing class in your configuration you will have an instance of StepScope and JobScope so your beans inside steps can have @Scope("step") and @Scope("job") respectively.

-----------------------

@Bean
@StepScope
public FlatFileItemReader<CsvTask> importTasksReader(@Value("#{jobParameters['inputfile']}") String inputFile) {
  // ...
}

Once you have an @EnableBatchProcessing class in your configuration you will have an instance of StepScope and JobScope so your beans inside steps can have @Scope("step") and @Scope("job") respectively.

How to put a RestTemplate into a separate class?

Copy

Download

@Configuration
@ComponentScan
public class GetRestTemplate2Config {

    @Bean(name = "restTemplate2")
    public RestTemplate getRestTemplate2() throws KeyStoreException, 
        NoSuchAlgorithmException, KeyManagementException {
       [...]
    }
}

Spring Batch @JobScope bean creation error "A bean with that name has already been defined"

Copy

Download

@Component("dealerItemProcessor")
public class DealerItemProcessor implements ItemProcessor<Dealer, Dealer> , StepExecutionListener {
    
    private StepExecution stepExecution;

    @Override
    public Dealer process(final Dealer dealer) throws Exception {
    //get unique JobId like this - stepExecution.getJobExecutionId()
    // process logic
    }

    @Override
    public void beforeStep(StepExecution stepExecution) {
        //get the stepExecution Object.
        this.stepExecution = stepExecution;
    }

    @Override
    public ExitStatus afterStep(StepExecution stepExecution) {
        return null;
    }
}

File from previous step cannot be found in Azure DevOps-Pipeline

Copy

Download

  - task: PublishTestResults@2
    inputs:
      testResultsFormat: 'JUnit'
      testResultsFiles: '**/*-junit.xml'
      searchFolder: '$(Common.TestResultsDirectory)'

How to resolve proxy issue in owasp dependency check?

Copy

Download

  <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>owasp</groupId>
    <artifactId>dependency-check</artifactId>
    <version>99.0.0.0.0</version>
    <name>OWASP_Dependency_Check</name>
    <dependencies>
      <dependency>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.0.0</version>
        <scope>test</scope>
      </dependency>
    </dependencies>
  </project>

mvn clean install  org.owasp:dependency-check-maven:check -DscanSet.fileSet=['src/main/resources/']

-----------------------

  <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>owasp</groupId>
    <artifactId>dependency-check</artifactId>
    <version>99.0.0.0.0</version>
    <name>OWASP_Dependency_Check</name>
    <dependencies>
      <dependency>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.0.0</version>
        <scope>test</scope>
      </dependency>
    </dependencies>
  </project>

mvn clean install  org.owasp:dependency-check-maven:check -DscanSet.fileSet=['src/main/resources/']

See all related Code Snippets

Community Discussions

Trending Discussions on DependencyCheck

Unable to run Spring Boot Application of Java 17
dependency-check-maven - suppression not working
BeanDefinitionOverrideException when supplying bean for integration test / @SpringBootTest
OWASP Dependency check, how to use suppressions
JwtDecoder bean is not injected automatically while setting a ressource server using 'spring-boot-starter-oauth2-resource-server'
Queue listener like behavior using spring cloud stream
Getting zero coverage on sonarQube after publishing sonar report via ci-pipeline
Spring Boot: combining Webflux, OAuth2 and HATEOAS
Cannot resolve symbol from gradle plugin in build.gradle, even though it compiles correctly. (gradle-idea-ext-plugin)
Spring boot to work with legacy data beans

Trending Discussions on DependencyCheck

QUESTION

Unable to run Spring Boot Application of Java 17

Asked 2022-Feb-28 at 19:18

Just as a sanity test I tried to compile and then run the default Spring-Boot start application.

I compiled the project into a Jar file with Maven but when I tired to run the application I received the following output:

[@YCApp61 ~/WorkDir]$ java -jar ./MyService-0.0.1-SNAPSHOT.jar com.myCompany.myApp.MyServiceApplication
2022-02-24 20:52:29.627  INFO 81808 --- [           main] com.myCompany.myApp.MyService.App  : Starting App v0.0.1-SNAPSHOT with PID 81808 (/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar started by usr in /usr/home/usr/WorkDir)
2022-02-24 20:52:29.704  INFO 81808 --- [           main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@707302d6: startup date [Thu Feb 24 20:52:29 UTC 2022]; root of context hierarchy
2022-02-24 20:52:30.598  INFO 81808 --- [           main] o.s.b.f.s.DefaultListableBeanFactory     : Overriding bean definition for bean 'beanNameViewResolver': replacing [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration$WhitelabelErrorViewConfiguration; factoryMethodName=beanNameViewResolver; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration$WhitelabelErrorViewConfiguration.class]] with [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter; factoryMethodName=beanNameViewResolver; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter.class]]
2022-02-24 20:52:30.712  INFO 81808 --- [           main] .b.l.ClasspathLoggingApplicationListener : Application failed to start with classpath: [jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-boot-starter-web-1.2.7.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-boot-starter-1.2.7.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-boot-1.2.7.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-boot-autoconfigure-1.2.7.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-boot-starter-logging-1.2.7.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/jcl-over-slf4j-1.7.12.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/slf4j-api-1.7.12.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/jul-to-slf4j-1.7.12.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/log4j-over-slf4j-1.7.12.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/logback-classic-1.1.3.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/logback-core-1.1.3.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/snakeyaml-1.14.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-boot-starter-tomcat-1.2.7.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/tomcat-embed-core-8.0.28.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/tomcat-embed-el-8.0.28.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/tomcat-embed-logging-juli-8.0.28.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/tomcat-embed-websocket-8.0.28.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/jackson-databind-2.4.6.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/jackson-annotations-2.4.6.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/jackson-core-2.4.6.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/hibernate-validator-5.1.3.Final.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/validation-api-1.1.0.Final.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/jboss-logging-3.1.3.GA.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/classmate-1.0.0.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-core-4.1.8.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-web-4.1.8.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-aop-4.1.8.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/aopalliance-1.0.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-beans-4.1.8.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-context-4.1.8.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-webmvc-4.1.8.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-expression-4.1.8.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-boot-starter-jdbc-1.2.7.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-jdbc-4.1.8.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/tomcat-jdbc-8.0.28.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/tomcat-juli-8.0.28.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/spring-tx-4.1.8.RELEASE.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/h2-1.4.190.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/lombok-1.14.8.jar!/, jar:file:/usr/home/usr/WorkDir/MyService-0.0.1-SNAPSHOT.jar!/lib/log4jdbc-log4j2-jdbc4.1-1.16.jar!/]
2022-02-24 20:52:30.717 ERROR 81808 --- [           main] o.s.boot.SpringApplication               : Application startup failed

java.lang.IllegalStateException: Cannot load configuration class: com.myCompany.myApp.MyService.App
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.enhanceConfigurationClasses(ConfigurationClassPostProcessor.java:395)
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanFactory(ConfigurationClassPostProcessor.java:259)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:265)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:126)
        at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:607)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:462)
        at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:117)
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:689)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:321)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:969)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:958)
        at com.myCompany.myApp.MyService.App.main(App.java:9)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:53)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.ExceptionInInitializerError: null
        at org.springframework.cglib.core.KeyFactory$Generator.generateClass(KeyFactory.java:166)
        at org.springframework.cglib.core.DefaultGeneratorStrategy.generate(DefaultGeneratorStrategy.java:25)
        at org.springframework.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:216)
        at org.springframework.cglib.core.KeyFactory$Generator.create(KeyFactory.java:144)
        at org.springframework.cglib.core.KeyFactory.create(KeyFactory.java:116)
        at org.springframework.cglib.core.KeyFactory.create(KeyFactory.java:108)
        at org.springframework.cglib.core.KeyFactory.create(KeyFactory.java:104)
        at org.springframework.cglib.proxy.Enhancer.<clinit>(Enhancer.java:69)
        at org.springframework.context.annotation.ConfigurationClassEnhancer.newEnhancer(ConfigurationClassEnhancer.java:112)
        at org.springframework.context.annotation.ConfigurationClassEnhancer.enhance(ConfigurationClassEnhancer.java:100)
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.enhanceConfigurationClasses(ConfigurationClassPostProcessor.java:385)
        ... 17 common frames omitted
Caused by: java.lang.reflect.InaccessibleObjectException: Unable to make protected final java.lang.Class java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain) throws java.lang.ClassFormatError accessible: module java.base does not "opens java.lang" to unnamed module @2c60a1a7
        at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(Unknown Source)
        at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(Unknown Source)
        at java.base/java.lang.reflect.Method.checkCanSetAccessible(Unknown Source)
        at java.base/java.lang.reflect.Method.setAccessible(Unknown Source)
        at org.springframework.cglib.core.ReflectUtils$2.run(ReflectUtils.java:56)
        at java.base/java.security.AccessController.doPrivileged(Unknown Source)
        at org.springframework.cglib.core.ReflectUtils.<clinit>(ReflectUtils.java:46)
        ... 28 common frames omitted

2022-02-24 20:52:30.718  INFO 81808 --- [           main] ationConfigEmbeddedWebApplicationContext : Closing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@707302d6: startup date [Thu Feb 24 20:52:29 UTC 2022]; root of context hierarchy
2022-02-24 20:52:30.720  WARN 81808 --- [           main] ationConfigEmbeddedWebApplicationContext : Exception thrown from ApplicationListener handling ContextClosedEvent

java.lang.IllegalStateException: ApplicationEventMulticaster not initialized - call 'refresh' before multicasting events via the context: org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@707302d6: startup date [Thu Feb 24 20:52:29 UTC 2022]; root of context hierarchy
        at org.springframework.context.support.AbstractApplicationContext.getApplicationEventMulticaster(AbstractApplicationContext.java:344)
        at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:331)
        at org.springframework.context.support.AbstractApplicationContext.doClose(AbstractApplicationContext.java:873)
        at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.doClose(EmbeddedWebApplicationContext.java:150)
        at org.springframework.context.support.AbstractApplicationContext.close(AbstractApplicationContext.java:840)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:343)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:969)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:958)
        at com.myCompany.myApp.MyService.App.main(App.java:9)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:53)
        at java.base/java.lang.Thread.run(Unknown Source)

2022-02-24 20:52:30.720  WARN 81808 --- [           main] ationConfigEmbeddedWebApplicationContext : Exception thrown from LifecycleProcessor on context close

java.lang.IllegalStateException: LifecycleProcessor not initialized - call 'refresh' before invoking lifecycle methods via the context: org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@707302d6: startup date [Thu Feb 24 20:52:29 UTC 2022]; root of context hierarchy
        at org.springframework.context.support.AbstractApplicationContext.getLifecycleProcessor(AbstractApplicationContext.java:357)
        at org.springframework.context.support.AbstractApplicationContext.doClose(AbstractApplicationContext.java:881)
        at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.doClose(EmbeddedWebApplicationContext.java:150)
        at org.springframework.context.support.AbstractApplicationContext.close(AbstractApplicationContext.java:840)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:343)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:969)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:958)
        at com.myCompany.myApp.MyService.App.main(App.java:9)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:53)
        at java.base/java.lang.Thread.run(Unknown Source)

java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:53)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.IllegalStateException: Cannot load configuration class: com.myCompany.myApp.MyService.App
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.enhanceConfigurationClasses(ConfigurationClassPostProcessor.java:395)
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanFactory(ConfigurationClassPostProcessor.java:259)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:265)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:126)
        at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:607)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:462)
        at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:117)
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:689)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:321)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:969)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:958)
        at com.myCompany.myApp.MyService.App.main(App.java:9)
        ... 6 more
Caused by: java.lang.ExceptionInInitializerError
        at org.springframework.cglib.core.KeyFactory$Generator.generateClass(KeyFactory.java:166)
        at org.springframework.cglib.core.DefaultGeneratorStrategy.generate(DefaultGeneratorStrategy.java:25)
        at org.springframework.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:216)
        at org.springframework.cglib.core.KeyFactory$Generator.create(KeyFactory.java:144)
        at org.springframework.cglib.core.KeyFactory.create(KeyFactory.java:116)
        at org.springframework.cglib.core.KeyFactory.create(KeyFactory.java:108)
        at org.springframework.cglib.core.KeyFactory.create(KeyFactory.java:104)
        at org.springframework.cglib.proxy.Enhancer.<clinit>(Enhancer.java:69)
        at org.springframework.context.annotation.ConfigurationClassEnhancer.newEnhancer(ConfigurationClassEnhancer.java:112)
        at org.springframework.context.annotation.ConfigurationClassEnhancer.enhance(ConfigurationClassEnhancer.java:100)
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.enhanceConfigurationClasses(ConfigurationClassPostProcessor.java:385)
        ... 17 more
Caused by: java.lang.reflect.InaccessibleObjectException: Unable to make protected final java.lang.Class java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain) throws java.lang.ClassFormatError accessible: module java.base does not "opens java.lang" to unnamed module @2c60a1a7
        at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(Unknown Source)
        at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(Unknown Source)
        at java.base/java.lang.reflect.Method.checkCanSetAccessible(Unknown Source)
        at java.base/java.lang.reflect.Method.setAccessible(Unknown Source)
        at org.springframework.cglib.core.ReflectUtils$2.run(ReflectUtils.java:56)
        at java.base/java.security.AccessController.doPrivileged(Unknown Source)
        at org.springframework.cglib.core.ReflectUtils.<clinit>(ReflectUtils.java:46)
        ... 28 more
[usr@YCApp61 ~/WorkDir]$

I tried running the application again with the following arguments but got the same error message:

java -jar ./MyService-0.0.1-SNAPSHOT.jar com.myCompany.myApp.MyServiceApplication --add-exports=java.base/jdk.internal.misc=ALL-UNNAMED --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=java.management/com.sun.jmx.mbeanserver=ALL-UNNAMED --add-exports=jdk.internal.jvmstat/sun.jvmstat.monitor=ALL-UNNAMED --add-exports=java.base/sun.reflect.generics.reflectiveObjects=ALL-UNNAMED --add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED

The machine I am trying to run on is Java 17. Am I missing some jvm arguments or am I passing them incorrectly?

ANSWER

Answered 2022-Feb-28 at 19:18

Chin Huang was correct above, changing to project to use version 2.6.3 of spring-boot fixed the issue.

Source https://stackoverflow.com/questions/71258240

QUESTION

dependency-check-maven - suppression not working

Asked 2022-Jan-17 at 06:21

I'm trying to whitelist certain libraries where the risk has been acknowledged - ideally I'd like to do this from inside the pom.xml itself, but it appears this isn't possible.

I've created a simple project with a dependency (H2) which has an outstanding CVE, and dependency-check-maven configured with a suppressions file to ignore that dependecy, using the XML generated from the Dependency-Check-Report

pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.me</groupId>
    <artifactId>test</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>6.5.3</version>
                <configuration>
                    <suppressionFile>path\to\owasp-suppressions.xml</suppressionFile>
                    <failBuildOnCVSS>8</failBuildOnCVSS>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
    <dependencies>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <version>1.4.200</version>
        </dependency>
    </dependencies>
</project>

owasp-suppressions.xml:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
      <notes><![CDATA[
      file name: h2-1.4.200.jar
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
      <cpe>cpe:/a:h2database:h2</cpe>
   </suppress>
</suppressions>

But despite this the build still fails:

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  6.703 s
[INFO] Finished at: 2022-01-12T14:26:58Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check (default) on project test: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
[ERROR] 
[ERROR] h2-1.4.200.jar: CVE-2021-23463

Could anyone advise what I've done wrong, please?

ANSWER

Answered 2022-Jan-17 at 06:21

I verified on my machine. When I run your code it fails indeed. Then I use the html output and the "suppress" code generator. However it generates a slightly different code for me than you provided. And with that code it works fine. So maybe a case of tired copy-pasting and then editing and messing with it?

However, this works here for me:

  <suppress>
    <notes>
      <![CDATA[
      file name: h2-1.4.200.jar
      ]]>
    </notes>
    <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
    <vulnerabilityName>CVE-2021-23463</vulnerabilityName>
  </suppress>

Looking at your comment. I investigated a bit more. No suppression gave me 2 identifiers:

pkg:maven/com.h2database/h2@1.4.200 (Confidence:High)
cpe:2.3:a:h2database:h2:1.4.200:::::::* (Confidence:Highest)

Then suppressing by cpe as in your example reduced it and showed only:

pkg:maven/com.h2database/h2@1.4.200 (Confidence:High)

That one has no "suppression generation button". I tried by sha, and filePath, but it turns out that does not combine with cpe. It fails to parse the xml.

However we can combine suppression by vulnerability with filePath, that way you can still suppress only the specific jars you want. And maybe even better: supressing the specific CVE in the specific jar. Like so:

  <suppress>
    <notes>
      <![CDATA[
      file name: h2-1.4.200.jar
      ]]>
    </notes>
    <filePath regex="true">.*\/h2database.*\.jar</filePath>
    <vulnerabilityName>CVE-2021-23463</vulnerabilityName>
  </suppress>

NB I removed the packageUrl tag as well, apparently that does not combine either.

Source https://stackoverflow.com/questions/70683300

QUESTION

BeanDefinitionOverrideException when supplying bean for integration test / @SpringBootTest

Asked 2021-Oct-31 at 09:11

I configure a Clock bean like this:

@Configuration
public class ClockConfiguration {

    @Bean
    Clock clock() {
        return Clock.systemDefaultZone();
    }
}

For an integration test, however, I need a Clock instance with a fixed time, so I added a static @TestConfiguration like this:

@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
@ContextConfiguration(initializers = WireMockInitializer.class)
@AutoConfigureWebTestClient
@ActiveProfiles("test")
class MyIT {

    @TestConfiguration
    static class ClockTestConfiguration {

        @Bean
        public Clock clock() {
            return Clock.fixed(Instant.ofEpochMilli(1635513004000L), ZoneId.systemDefault());
        }
    }

    @Autowired
    WireMockServer wireMockServer;

    @Autowired
    private WebTestClient webTestClient;

    @AfterEach
    void afterEach() {
        wireMockServer.resetAll();
    }

    @Test
    void testFoo() {}
}

But when running the test, the application context cannot be loaded. Instead, this error message is shown:

org.springframework.beans.factory.support.BeanDefinitionOverrideException: Invalid bean definition with name 'clock' defined in de.myapp.MyIT$ClockTestConfiguration

There is already [Root bean: class [null]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=clockConfiguration; factoryMethodName=clock; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [de/myapp/ClockConfiguration.class]] bound.

My understanding was that the static @TestConfiguration would actually take care of that?

ANSWER

Answered 2021-Oct-31 at 05:04

From Spring boot 2.0 and upwards, you have to enable bean overriding in application.yml to allow Spring to override the instance of Clock from the actual application with the one in you want in integration test:

spring:
  main:
    allow-bean-definition-overriding: true

Source https://stackoverflow.com/questions/69782972

QUESTION

JwtDecoder bean is not injected automatically while setting a ressource server using 'spring-boot-starter-oauth2-resource-server'

Asked 2021-Sep-01 at 21:50

I am setting a resource server using the 'spring-boot-starter-oauth2-resource-server':

implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-resource-server'

I have set a simple Security config like this:

@Configuration
@EnableWebSecurity
class EndpointsSecurityConfig : WebSecurityConfigurerAdapter() {

    override fun configure(web: WebSecurity) {
        web.ignoring().antMatchers("/live")
    }

    override fun configure(http: HttpSecurity?) {
        http?.cors()
        http?.sessionManagement()?.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        http?.csrf()?.disable()
        http
            ?.authorizeRequests()
            ?.anyRequest()
            ?.authenticated()
            ?.and()
            ?.oauth2ResourceServer()
            ?.jwt()
    }
}

And in my application.yml I added the issuer-uri like this :

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://cognito-idp.${AWS_REGION:eu-central-1}.amazonaws.com/${COGNITO_USER_POOL_ID:testUserPoolId}

As I have seen in many tutorials and in the official doc this config is minimalistic and should work out of the box without any extra configs, but my application fails to start with the following error :

Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.security.oauth2.jwt.JwtDecoder' available
   at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:656)

So the problem here is that the JwtDecoder bean is not found even though it is declared in the OAuth2ResourceServerJwtConfiguration class and is conditioned by the issuer-uri which I have set in my application.yml.

As a workaround I redeclared the bean myself like this :

@Configuration
@EnableWebSecurity
class EndpointSecurityConfig(@Value("\${spring.security.oauth2.resourceserver.jwt.issuer-uri}") private val issuerUri: String) : WebSecurityConfigurerAdapter() {

    override fun configure(web: WebSecurity) {
        web.ignoring().antMatchers("/live")
    }

    override fun configure(http: HttpSecurity?) {
        http?.cors()
        http?.sessionManagement()?.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        http?.csrf()?.disable()
        http
            ?.authorizeRequests()
            ?.anyRequest()
            ?.authenticated()
            ?.and()
            ?.oauth2ResourceServer()
            ?.jwt()
    }

    @Bean
    @Conditional(IssuerUriCondition::class)
    fun jwtDecoderByIssuerUri(): JwtDecoder? {
        return JwtDecoders.fromIssuerLocation(issuerUri)
    }
}

And this is working, but I couldn't figure out why the out-of-the-box config is not working for me?

Update: gradle config


plugins {
    id 'java'
    id "io.spring.dependency-management" version "1.0.9.RELEASE"
    id "org.springframework.boot" version "2.2.5.RELEASE"
    id "org.owasp.dependencycheck" version "6.0.2"
}

// irrelevent details

dependencies {
    ktlint "com.pinterest:ktlint:0.34.2"

    implementation group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib-jdk8', version: '1.3.70'
    implementation group: 'org.jetbrains.kotlin', name: 'kotlin-reflect', version: '1.3.70'
    implementation group: 'org.jetbrains.kotlinx', name: 'kotlinx-coroutines-core', version: '1.3.0'

    implementation group: 'org.springframework.boot', name: 'spring-boot-starter', version: '2.3.4.RELEASE'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: '2.3.4.RELEASE'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-log4j2', version: '2.3.4.RELEASE'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-actuator', version: '2.3.4.RELEASE'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-jdbc', version: '2.3.4.RELEASE'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '2.3.4.RELEASE'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-resource-server', version: '2.3.4.RELEASE'

    implementation group: 'com.amazonaws', name: 'aws-java-sdk-secretsmanager', version: "1.11.875"

    implementation group: 'com.oracle.database.jdbc', name: 'ojdbc8', version: "19.7.0.0"

    implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: '2.10.2'

    implementation group: 'org.springdoc', name: 'springdoc-openapi-kotlin', version: '1.4.3'
    implementation group: 'org.springdoc', name: 'springdoc-openapi-ui', version: '1.4.3'

    runtime group: 'com.h2database', name: 'h2', version: '1.4.194'

    testImplementation group: 'io.mockk', name: 'mockk', version: '1.9.3'
    testImplementation group: 'org.springframework.boot', name: 'spring-boot-starter-test', version: '2.3.4.RELEASE'
    testImplementation group:'org.springframework.security', name: 'spring-security-test'
}

ANSWER

Answered 2021-Sep-01 at 21:50

I found out that there was a problem with the gradle config of project I am working on (updated the question). The spring boot dependencies were declared with the version '2.3.4.RELEASE' while the org.springframework.boot plugin version was "2.2.5.RELEASE" and I think that must have led to some sort of incompatibility between spring dependencies.

As a solution, I removed the version declaration from the spring dependencies and set the plugin version to '2.3.4.RELEASE' and now the error is gone and the oauth2 resource server config works without any extra config.

NB:

I noticed that when I keep the plugin version at "2.2.5.RELEASE" the error persist and the out of the box config doesn't work unless I remove the plugin io.spring.dependency-management.

Source https://stackoverflow.com/questions/68936896

QUESTION

Queue listener like behavior using spring cloud stream

Asked 2021-Aug-31 at 13:40

I am trying to achieve the above scenario using spring cloud stream supplier and consumer.

This app is a single spring boot app containing producer and consumer.
There is one producer and (can be) multiple consumers. All consumers should behave as a client to queue (i.e. single message should be received by a single consumer only) and other consumers receive different messages.

Below is the java class

 @Component
public class MultipleFunctionsApplication {
    
    @Bean
    public Consumer<String> sink1() {
        return message -> {         
            System.out.println(new Date() + "----------->>> sink1 - Received message " + message);
        };
    }

    @Bean
    public Consumer<String> sink2() {
        return message -> {         
            System.out.println(new Date() + "----------->>> sink2 - Received message " + message);
        };
    }

}

I am trying to use the consumer group feature to achieve this as below.

spring:
  cloud:
    stream:
      bindings:
        requester1:
          destination: rss-exchange
          group: requester
        requester2:
          destination: rss-exchange
          group: requester
      function:
        bindings:
          sink1-in-0: requester1
          sink2-in-0: requester2          
        definition: sink1;sink2
  application:
    name: rss

When I start the application I get the below error.

Caused by: org.springframework.beans.factory.support.BeanDefinitionOverrideException: Invalid bean definition with name 'rss-exchange.requester.errors.recoverer' defined in null: Cannot register bean definition [Generic bean: class [org.springframework.integration.handler.advice.ErrorMessageSendingRecoverer]; scope=singleton; abstract=false; lazyInit=null; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null] for bean 'rss-exchange.requester.errors.recoverer': There is already [Generic bean: class [org.springframework.integration.handler.advice.ErrorMessageSendingRecoverer]; scope=singleton; abstract=false; lazyInit=null; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null] bound.
at org.springframework.beans.factory.support.DefaultListableBeanFactory.registerBeanDefinition(DefaultListableBeanFactory.java:995) ~[spring-beans-5.3.5.jar:5.3.5]
at org.springframework.context.support.GenericApplicationContext.registerBeanDefinition(GenericApplicationContext.java:330) ~[spring-context-5.3.5.jar:5.3.5]
at org.springframework.beans.factory.support.BeanDefinitionReaderUtils.registerBeanDefinition(BeanDefinitionReaderUtils.java:164) ~[spring-beans-5.3.5.jar:5.3.5]
at org.springframework.context.annotation.AnnotatedBeanDefinitionReader.doRegisterBean(AnnotatedBeanDefinitionReader.java:285) ~[spring-context-5.3.5.jar:5.3.5]
at org.springframework.context.annotation.AnnotatedBeanDefinitionReader.registerBean(AnnotatedBeanDefinitionReader.java:233) ~[spring-context-5.3.5.jar:5.3.5]
at org.springframework.context.annotation.AnnotationConfigApplicationContext.registerBean(AnnotationConfigApplicationContext.java:198) ~[spring-context-5.3.5.jar:5.3.5]
at org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.registerErrorInfrastructure(AbstractMessageChannelBinder.java:687) ~[spring-cloud-stream-3.1.2.jar:3.1.2]
at org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.registerErrorInfrastructure(AbstractMessageChannelBinder.java:639) ~[spring-cloud-stream-3.1.2.jar:3.1.2]
at org.springframework.cloud.stream.binder.rabbit.RabbitMessageChannelBinder.createConsumerEndpoint(RabbitMessageChannelBinder.java:525) ~[spring-cloud-stream-binder-rabbit-3.1.2.jar:3.1.2]
at org.springframework.cloud.stream.binder.rabbit.RabbitMessageChannelBinder.createConsumerEndpoint(RabbitMessageChannelBinder.java:136) ~[spring-cloud-stream-binder-rabbit-3.1.2.jar:3.1.2]
at org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.doBindConsumer(AbstractMessageChannelBinder.java:408) ~[spring-cloud-stream-3.1.2.jar:3.1.2]
... 24 common frames omitted

From logs it is clear that it is trying to create 'rss-exchange.requester.errors.recoverer' again. Only sink1 starts in this case with the below messages.

Fri Aug 27 15:01:22 IST 2021----------->>> sink1 - Received message {"channel":"chn19388","rssurl":"url random"}
Fri Aug 27 15:01:22 IST 2021----------->>> sink1 - Received message {"channel":"chnl02394","rssurl":"http://localhost:8080/test"}
Fri Aug 27 15:01:22 IST 2021----------->>> sink1 - Received message {"channel":"chnldkdjaif","rssurl":"url random"}

When I add "allow-bean-definition-overriding: true" then everything works fine as expected as shown below logs.

Fri Aug 27 15:03:57 IST 2021----------->>> sink1 - Received message {"channel":"chn19388","rssurl":"url random"}
Fri Aug 27 15:03:57 IST 2021----------->>> sink2 - Received message {"channel":"chnl02394","rssurl":"http://localhost:8080/test"}
Fri Aug 27 15:03:57 IST 2021----------->>> sink2 - Received message {"channel":"chnldkdjaif","rssurl":"url random"}

I am not sure is the right way to do it since I am getting errors for bean already exists even though the use case that I am trying is working with overriding property.

NOTE - It's been only a couple of days since I started exploring stream cloud stream so consider me as naive if I have asked something silly.

ANSWER

Answered 2021-Aug-31 at 13:40

So the issue was fixed and tested with your configuration, merged, and is available in the current snapshot (3.2.0-SNAPSHOT).

Source https://stackoverflow.com/questions/68951234

QUESTION

Getting zero coverage on sonarQube after publishing sonar report via ci-pipeline

Asked 2021-Aug-03 at 15:36

I am working on a maven project and want to setup sonar in ci-pipeline. Below is my sonar setup script in gitlab-ci.yml.

before_script:
  - |
    run_mvn() {
      mvn -B \
       -s $CI_PROJECT_DIR/.m2/settings.xml \
       -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository \
       -DfailIfNoTests=false \
       "$@"
    }

    run_sonar() {
      run_mvn \
        -Dsonar.projectKey=UI-Service \
        -Dsonar.host.url=xxx \
        -Dsonar.login=${SONAR_TOKEN} \
        -Dsonar.sources=src/main \
        -Dsonar.tests=src/test \
        -Dsonar.java.binaries=$CI_PROJECT_DIR/target/*.classes \
        sonar:sonar
    }

And the sonar stage looks like below:

sonar:
  stage: analyse
  image: registry.git.xyyyy.com/containers/builder-images/maven/jdk-11:3.6.0
  when: manual
  script:
    - ls $CI_PROJECT_DIR
    - run_sonar

Now after the sonar stage runs in pipeline, I am getting these logs:

[INFO] 
70[INFO] --- sonar-maven-plugin:3.9.0.2155:sonar (default-cli) @ ui-service ---
71[INFO] User cache: /root/.sonar/cache
72[INFO] SonarQube version: 8.9.0
73[INFO] Default locale: "en_US", source code encoding: "UTF-8"
74[INFO] Load global settings
75[INFO] Load global settings (done) | time=879ms
76[INFO] Server id: xxx
77[INFO] User cache: /root/.sonar/cache
78[INFO] Load/download plugins
79[INFO] Load plugins index
80[INFO] Load plugins index (done) | time=199ms
81[INFO] Load/download plugins (done) | time=28761ms
82[INFO] Loaded core extensions: developer-scanner
83[INFO] JavaScript/TypeScript frontend is enabled
84[INFO] Process project properties
85[INFO] Process project properties (done) | time=12ms
86[INFO] Execute project builders
87[INFO] Execute project builders (done) | time=2ms
88[INFO] Project key: UI-Service
89[INFO] Base dir: /builds/FJ8nuibS/0/xxx/ui-service
90[INFO] Working dir: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar
91[INFO] Load project settings for component key: 'UI-Service'
92[INFO] Load project settings for component key: 'UI-Service' (done) | time=160ms
93[INFO] Load project branches
94[INFO] Load project branches (done) | time=153ms
95[INFO] Load project pull requests
96[INFO] Load project pull requests (done) | time=147ms
97[INFO] Load branch configuration
98[INFO] Detected branch/PR in 'GitLab'
99[INFO] Auto-configuring branch 'feature/1242'
100[INFO] Load branch configuration (done) | time=3ms
101[INFO] Auto-configuring with CI 'Gitlab CI'
102[INFO] Load quality profiles
103[INFO] Load quality profiles (done) | time=220ms
104[INFO] Auto-configuring with CI 'Gitlab CI'
105[INFO] Load active rules
106[INFO] Load active rules (done) | time=5545ms
107[INFO] Branch name: feature/1242
108[INFO] Indexing files...
109[INFO] Project configuration:
110[INFO] 54 files indexed
111[INFO] 0 files ignored because of scm ignore settings
112[INFO] Quality profile for java: Sonar way
113[INFO] ------------- Run sensors on module ui-service
114[INFO] JavaScript/TypeScript frontend is enabled
115[INFO] Load metrics repository
116[INFO] Load metrics repository (done) | time=156ms
117[INFO] Sensor JavaSquidSensor [java]
118[INFO] Configured Java source version (sonar.java.source): 11
119[INFO] JavaClasspath initialization
120[INFO] JavaClasspath initialization (done) | time=7ms
121[INFO] JavaTestClasspath initialization
122[INFO] JavaTestClasspath initialization (done) | time=2ms
123[INFO] Java Main Files AST scan
124[INFO] 47 source files to be analyzed
125[INFO] Load project repositories
126[INFO] Load project repositories (done) | time=164ms
127[INFO] 47/47 source files have been analyzed
128[WARNING] Unresolved imports/types have been detected during analysis. Enable DEBUG mode to see them.
129[INFO] Java Main Files AST scan (done) | time=7835ms
130[INFO] Java Test Files AST scan
131[INFO] 6 source files to be analyzed
132[INFO] 6/6 source files have been analyzed
133[INFO] Java Test Files AST scan (done) | time=587ms
134[INFO] Java Generated Files AST scan
135[INFO] 0 source files to be analyzed
136[INFO] 0/0 source files have been analyzed
137[INFO] Java Generated Files AST scan (done) | time=1ms
138[INFO] Sensor JavaSquidSensor [java] (done) | time=8839ms
139[INFO] Sensor CSS Rules [cssfamily]
140[INFO] No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
141[INFO] Sensor CSS Rules [cssfamily] (done) | time=1ms
142[INFO] Sensor PmdSensor [pmd]
143[INFO] Sensor PmdSensor [pmd] (done) | time=0ms
144[INFO] Sensor C# Project Type Information [csharp]
145[INFO] Sensor C# Project Type Information [csharp] (done) | time=1ms
146[INFO] Sensor C# Properties [csharp]
147[INFO] Sensor C# Properties [csharp] (done) | time=1ms
148[INFO] Sensor SurefireSensor [java]
149[INFO] parsing [/builds/FJ8nuibS/0/xxx/ui-service/target/surefire-reports]
150[INFO] Sensor SurefireSensor [java] (done) | time=127ms
151[INFO] Sensor Removed properties sensor [java]
152[WARNING] Property 'sonar.jacoco.reportPath' is no longer supported. Use JaCoCo's xml report and sonar-jacoco plugin.
153[INFO] Sensor Removed properties sensor [java] (done) | time=1ms
154[INFO] Sensor JavaXmlSensor [java]
155[INFO] Sensor JavaXmlSensor [java] (done) | time=2ms
156[INFO] Sensor HTML [web]
157[INFO] Sensor HTML [web] (done) | time=3ms
158[INFO] Sensor CheckstyleSensor [checkstyle]
159[INFO] Checkstyle output report: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/checkstyle-result.xml
160[INFO] Checkstyle configuration: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/checkstyle.xml
161[INFO] Checkstyle charset: UTF-8
162[INFO] Sensor CheckstyleSensor [checkstyle] (done) | time=888ms
163[INFO] Sensor VB.NET Project Type Information [vbnet]
164[INFO] Sensor VB.NET Project Type Information [vbnet] (done) | time=1ms
165[INFO] Sensor VB.NET Properties [vbnet]
166[INFO] Sensor VB.NET Properties [vbnet] (done) | time=1ms
167[INFO] Sensor JaCoCo XML Report Importer [jacoco]
168[INFO] 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
169[INFO] No report imported, no coverage information will be imported by JaCoCo XML Report Importer
170[INFO] Sensor JaCoCo XML Report Importer [jacoco] (done) | time=4ms
171[INFO] Sensor ThymeLeaf template sensor [securityjavafrontend]
172[INFO] Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=1ms
173[INFO] Sensor FindBugs Sensor [findbugs]
174[INFO] Loading findbugs plugin: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/findbugs/findsecbugs-plugin.jar
175[INFO] Findbugs output report: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/findbugs-result.xml
176The following classes needed for analysis were missing:
177  makeConcatWithConstants
178  requestResponse
179  requestStream
180  apply
181  test
182  accept
183  compare
184  run
185[INFO] Sensor FindBugs Sensor [findbugs] (done) | time=8138ms
186[INFO] Sensor JavaSecuritySensor [security]
187[INFO] Reading type hierarchy from: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/ucfg2/java
188[INFO] Read 172 type definitions
189[INFO] Reading UCFGs from: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/ucfg2/java
190[INFO] 09:43:23.968449 Building Runtime Type propagation graph
191[INFO] 09:43:23.994976 Running Tarjan on 1615 nodes
192[INFO] 09:43:24.000773 Tarjan found 1608 components
193[INFO] 09:43:24.007245 Variable type analysis: done
194[INFO] 09:43:24.009926 Building Runtime Type propagation graph
195[INFO] 09:43:24.021118 Running Tarjan on 1615 nodes
196[INFO] 09:43:24.022848 Tarjan found 1608 components
197[INFO] 09:43:24.026061 Variable type analysis: done
198[INFO] Analyzing 173 ucfgs to detect vulnerabilities.
199[INFO] All rules entrypoints : 0 Retained UCFGs : 0
200[INFO] rule: S5131, entrypoints: 0
201[INFO] rule: S5131 done
202[INFO] rule: S3649, entrypoints: 0
203[INFO] rule: S3649 done
204[INFO] rule: S2076, entrypoints: 0
205[INFO] rule: S2076 done
206[INFO] rule: S2091, entrypoints: 0
207[INFO] rule: S2091 done
208[INFO] rule: S2078, entrypoints: 0
209[INFO] rule: S2078 done
210[INFO] rule: S2631, entrypoints: 0
211[INFO] rule: S2631 done
212[INFO] rule: S5135, entrypoints: 0
213[INFO] rule: S5135 done
214[INFO] rule: S2083, entrypoints: 0
215[INFO] rule: S2083 done
216[INFO] rule: S5167, entrypoints: 0
217[INFO] rule: S5167 done
218[INFO] rule: S5144, entrypoints: 0
219[INFO] rule: S5144 done
220[INFO] rule: S5145, entrypoints: 0
221[INFO] rule: S5145 done
222[INFO] rule: S5146, entrypoints: 0
223[INFO] rule: S5146 done
224[INFO] rule: S5334, entrypoints: 0
225[INFO] rule: S5334 done
226[INFO] rule: S6096, entrypoints: 0
227[INFO] rule: S6096 done
228[INFO] Sensor JavaSecuritySensor [security] (done) | time=1507ms
229[INFO] Sensor CSharpSecuritySensor [security]
230[INFO] Reading type hierarchy from: /builds/FJ8nuibS/0/xxx/ui-service/target/ucfg_cs2
231[INFO] Read 0 type definitions
232[INFO] Reading UCFGs from: /builds/FJ8nuibS/0/xxx/ui-service/target/ucfg_cs2
233[INFO] No UCFGs have been included for analysis.
234[INFO] Sensor CSharpSecuritySensor [security] (done) | time=1ms
235[INFO] Sensor PhpSecuritySensor [security]
236[INFO] Reading type hierarchy from: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/ucfg2/php
237[INFO] Read 0 type definitions
238[INFO] Reading UCFGs from: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/ucfg2/php
239[INFO] No UCFGs have been included for analysis.
240[INFO] Sensor PhpSecuritySensor [security] (done) | time=1ms
241[INFO] Sensor PythonSecuritySensor [security]
242[INFO] Reading type hierarchy from: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/ucfg2/python
243[INFO] Read 0 type definitions
244[INFO] Reading UCFGs from: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/ucfg2/python
245[INFO] No UCFGs have been included for analysis.
246[INFO] Sensor PythonSecuritySensor [security] (done) | time=1ms
247[INFO] Sensor JsSecuritySensor [security]
248[INFO] Reading type hierarchy from: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/ucfg2/js
249[INFO] Read 0 type definitions
250[INFO] Reading UCFGs from: /builds/FJ8nuibS/0/xxx/ui-service/target/sonar/ucfg2/js
251[INFO] No UCFGs have been included for analysis.
252[INFO] Sensor JsSecuritySensor [security] (done) | time=1ms
253[INFO] ------------- Run sensors on project
254[INFO] Sensor Dependency-Check [dependencycheck]
255[INFO] Process Dependency-Check report
256[INFO] Using JSON-Reportparser
257[INFO] Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:/builds/FJ8nuibS/0/xxx/ui-service/${WORKSPACE}/dependency-check-report.json
258[INFO] JSON-Analysis skipped/aborted due to missing report file
259[INFO] Using XML-Reportparser
260[INFO] Dependency-Check XML report does not exists. Please check property sonar.dependencyCheck.xmlReportPath:/builds/FJ8nuibS/0/xxx/ui-service/${WORKSPACE}/dependency-check-report.xml
261[INFO] XML-Analysis skipped/aborted due to missing report file
262[INFO] Dependency-Check HTML report does not exists. Please check property sonar.dependencyCheck.htmlReportPath:/builds/FJ8nuibS/0/xxx/ui-service/${WORKSPACE}/dependency-check-report.html
263[INFO] HTML-Dependency-Check report does not exist.
264[INFO] Process Dependency-Check report (done) | time=5ms
265[INFO] Sensor Dependency-Check [dependencycheck] (done) | time=5ms
266[INFO] Sensor Zero Coverage Sensor
267[INFO] Sensor Zero Coverage Sensor (done) | time=56ms
268[INFO] Sensor Java CPD Block Indexer
269[INFO] Sensor Java CPD Block Indexer (done) | time=87ms
270[INFO] SCM Publisher SCM provider for this project is: git
271[INFO] SCM Publisher 50 source files to be analyzed
272[INFO] SCM Publisher 50/50 source files have been analyzed (done) | time=490ms
273[INFO] CPD Executor 9 files had no CPD blocks
274[INFO] CPD Executor Calculating CPD for 38 files
275[INFO] CPD Executor CPD calculation finished (done) | time=14ms
276[INFO] Load New Code definition
277[INFO] Load New Code definition (done) | time=973ms
278[INFO] Analysis report generated in 1101ms, dir size=602 KB
279[INFO] Analysis report compressed in 169ms, zip size=220 KB
280[INFO] Analysis report uploaded in 1642ms

And the link to report is then generated, but when I open sonarQube to see the coverage, its 0%, even though all the main files and test files can be seen in code section.

Looking at the logs, I can't get the issue why the coverage is not being generated on sonarQube.

Anyone having a good experience with ci-pipeline or sonar setup on pipeline please help me out with this issue.

ANSWER

Answered 2021-Aug-03 at 07:41

Yous need the compiled class to do sonar analysis. So in your run_sonar() add package to maven command.

run_sonar() {
      run_mvn \
        -Dsonar.projectKey=UI-Service \
        -Dsonar.host.url=xxx \
        -Dsonar.login=${SONAR_TOKEN} \
        -Dsonar.sources=src/main \
        -Dsonar.tests=src/test \
        package \
        sonar:sonar
}

Source https://stackoverflow.com/questions/68631708

QUESTION

Spring Boot: combining Webflux, OAuth2 and HATEOAS

Asked 2021-May-30 at 20:53

I am trying to build a Spring Boot application that combines Webflux, OAuth2 and HATEOAS. Building a minimal application with Webflux and OAuth2 works OK, but as soon as I add HATEOAS, my minimal test fails.

build.gradle:

plugins {
    id 'java'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
    id 'org.springframework.boot' version '2.5.0'
}

version '0.0.1-SNAPSHOT'

repositories {
    mavenCentral()
}

tasks.named('test') {
    useJUnitPlatform()
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-webflux'
    implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
    implementation 'org.springframework.boot:spring-boot-starter-hateoas'

    testImplementation('org.springframework.boot:spring-boot-starter-test') {
        exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
    }
}

TheApplication.java:

@SpringBootApplication
@EnableHypermediaSupport(type = {EnableHypermediaSupport.HypermediaType.HAL})
@EnableWebFluxSecurity
public class TheApplication {
    public static void main(final String[] args) {
        SpringApplication.run(TheApplication.class, args);
    }
}

TheApplicationTest.java:

@SpringBootTest
public class TheApplicationTest {
    @Test
    void contextLoads() {}
}

application.yaml:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: <whatever>.apps.googleusercontent.com
            client-secret: <whatever>


  main:
    web-application-type: reactive

Stack trace:

Failed to load ApplicationContext
java.lang.IllegalStateException: Failed to load ApplicationContext
    at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContext(DefaultCacheAwareContextLoaderDelegate.java:132)
    at org.springframework.test.context.support.DefaultTestContext.getApplicationContext(DefaultTestContext.java:124)
    at org.springframework.test.context.web.ServletTestExecutionListener.setUpRequestContextIfNecessary(ServletTestExecutionListener.java:190)
    at org.springframework.test.context.web.ServletTestExecutionListener.prepareTestInstance(ServletTestExecutionListener.java:132)
    at org.springframework.test.context.TestContextManager.prepareTestInstance(TestContextManager.java:244)
    at org.springframework.test.context.junit.jupiter.SpringExtension.postProcessTestInstance(SpringExtension.java:138)
    at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.lambda$invokeTestInstancePostProcessors$6(ClassBasedTestDescriptor.java:350)
    at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.executeAndMaskThrowable(ClassBasedTestDescriptor.java:355)
    at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.lambda$invokeTestInstancePostProcessors$7(ClassBasedTestDescriptor.java:350)
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
    at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175)
    at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382)
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
    at java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:312)
    at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:743)
    at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742)
    at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580)
    at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.invokeTestInstancePostProcessors(ClassBasedTestDescriptor.java:349)
    at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.lambda$instantiateAndPostProcessTestInstance$4(ClassBasedTestDescriptor.java:270)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.instantiateAndPostProcessTestInstance(ClassBasedTestDescriptor.java:269)
    at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.lambda$testInstancesProvider$2(ClassBasedTestDescriptor.java:259)
    at java.util.Optional.orElseGet(Optional.java:267)
    at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.lambda$testInstancesProvider$3(ClassBasedTestDescriptor.java:258)
    at org.junit.jupiter.engine.execution.TestInstancesProvider.getTestInstances(TestInstancesProvider.java:31)
    at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$prepare$0(TestMethodTestDescriptor.java:101)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.prepare(TestMethodTestDescriptor.java:100)
    at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.prepare(TestMethodTestDescriptor.java:65)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$prepare$1(NodeTestTask.java:111)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.prepare(NodeTestTask.java:111)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:79)
    at java.util.ArrayList.forEach(ArrayList.java:1257)
    at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$5(NodeTestTask.java:143)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$7(NodeTestTask.java:129)
    at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:127)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:126)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:84)
    at java.util.ArrayList.forEach(ArrayList.java:1257)
    at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$5(NodeTestTask.java:143)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$7(NodeTestTask.java:129)
    at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:127)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:126)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:84)
    at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:32)
    at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57)
    at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:51)
    at org.junit.platform.launcher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:108)
    at org.junit.platform.launcher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:88)
    at org.junit.platform.launcher.core.EngineExecutionOrchestrator.lambda$execute$0(EngineExecutionOrchestrator.java:54)
    at org.junit.platform.launcher.core.EngineExecutionOrchestrator.withInterceptedStreams(EngineExecutionOrchestrator.java:67)
    at org.junit.platform.launcher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:52)
    at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:96)
    at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:75)
    at org.gradle.api.internal.tasks.testing.junitplatform.JUnitPlatformTestClassProcessor$CollectAllTestClassesExecutor.processAllTestClasses(JUnitPlatformTestClassProcessor.java:99)
    at org.gradle.api.internal.tasks.testing.junitplatform.JUnitPlatformTestClassProcessor$CollectAllTestClassesExecutor.access$000(JUnitPlatformTestClassProcessor.java:79)
    at org.gradle.api.internal.tasks.testing.junitplatform.JUnitPlatformTestClassProcessor.stop(JUnitPlatformTestClassProcessor.java:75)
    at org.gradle.api.internal.tasks.testing.SuiteTestClassProcessor.stop(SuiteTestClassProcessor.java:61)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.gradle.internal.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:36)
    at org.gradle.internal.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:24)
    at org.gradle.internal.dispatch.ContextClassLoaderDispatch.dispatch(ContextClassLoaderDispatch.java:33)
    at org.gradle.internal.dispatch.ProxyDispatchAdapter$DispatchingInvocationHandler.invoke(ProxyDispatchAdapter.java:94)
    at com.sun.proxy.$Proxy2.stop(Unknown Source)
    at org.gradle.api.internal.tasks.testing.worker.TestWorker.stop(TestWorker.java:135)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.gradle.internal.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:36)
    at org.gradle.internal.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:24)
    at org.gradle.internal.remote.internal.hub.MessageHubBackedObjectConnection$DispatchWrapper.dispatch(MessageHubBackedObjectConnection.java:182)
    at org.gradle.internal.remote.internal.hub.MessageHubBackedObjectConnection$DispatchWrapper.dispatch(MessageHubBackedObjectConnection.java:164)
    at org.gradle.internal.remote.internal.hub.MessageHub$Handler.run(MessageHub.java:414)
    at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
    at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:48)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:56)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.springframework.beans.factory.support.BeanDefinitionOverrideException: Invalid bean definition with name 'conversionServicePostProcessor' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Cannot register bean definition [Root bean: class [org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=conversionServicePostProcessor; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]] for bean 'conversionServicePostProcessor': There is already [Root bean: class [org.springframework.security.config.annotation.web.reactive.WebFluxSecurityConfiguration]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=conversionServicePostProcessor; initMethodName=null; destroyMethodName=(inferred); defined in org.springframework.security.config.annotation.web.reactive.WebFluxSecurityConfiguration] bound.
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.registerBeanDefinition(DefaultListableBeanFactory.java:995)
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForBeanMethod(ConfigurationClassBeanDefinitionReader.java:295)
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForConfigurationClass(ConfigurationClassBeanDefinitionReader.java:153)
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitions(ConfigurationClassBeanDefinitionReader.java:129)
    at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:343)
    at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:247)
    at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:311)
    at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:112)
    at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:746)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:564)
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:758)
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:438)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:337)
    at org.springframework.boot.test.context.SpringBootContextLoader.loadContext(SpringBootContextLoader.java:123)
    at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContextInternal(DefaultCacheAwareContextLoaderDelegate.java:99)
    at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContext(DefaultCacheAwareContextLoaderDelegate.java:124)
    ... 92 more

Is there a fundamental incompatibility here? What is the cleanest way to allow OAuth2/Webflux/HATEOAS to interoperate?

ANSWER

Answered 2021-May-30 at 20:53

org.springframework.boot:spring-boot-starter-hateoas is indeed incompatible with org.springframework.boot:spring-boot-starter-webflux so instead of using org.springframework.boot:spring-boot-starter-hateoas, pull in the Spring HATEOAS dependency itself:

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-webflux'
    implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
    //implementation 'org.springframework.boot:spring-boot-starter-hateoas'
    implementation 'org.springframework.hateoas:spring-hateoas:1.3.1'

    testImplementation('org.springframework.boot:spring-boot-starter-test') {
        exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
    }
}

Source https://stackoverflow.com/questions/67759792

Community Discussions, Code Snippets contain sources that include Stack Exchange Network

Vulnerabilities

No vulnerabilities reported

Install DependencyCheck

You can download it from GitHub, Maven.
You can use DependencyCheck like any standard Java library. Please include the the jar files in your classpath. You can also use any IDE and you can run and debug the DependencyCheck component as you would do with any other Java program. Best practice is to use a build tool that supports dependency management such as Maven or Gradle. For Maven installation, please refer maven.apache.org. For Gradle installation, please refer gradle.org .

Support

For any new features, suggestions and bugs create an issue on GitHub. If you have any questions check and ask questions on community page Stack Overflow .