I'm implementing a dropwizard server app on top of an existing project. building with maven.
I'm currently in jar hell, and it's not fun. I have a pom file that's rather convoluted. I have a big problem with jersey dependencies packaged with hadoop/glassfish/com.sun. com.sun.jersey:jersey-core:jar1.19 is conflicting with org.glassfish.jersey.core:jersey-client:jar:2.22.2. I tried adding some exclusions to make it use the 2.22.x version, but it's still giving me the error seen here. I've been combing through the dependency tree and adding exclusions where I see fit, but can't seem to get it right. Here is my pom file.
Personal experience tells me that you should check ALL your dependencies (especially the ones you developed in-house) if you have the old jersey version as a dependency in there.
That's what solved a similiar problem for me.
If you do :
mvn dependency:list -Dverbose
(grep for filtering results)
it gives u the list of dependencies(transitive ones also).Check the version of sun jersey or glassfish jersey that's being used in your application.
If you do :
mvn dependency:tree -Dverbose -Dincludes=jersey-server
you will see the graph of where any version of jersey-server is coming from a parent.
I had a hadoop-client and an in-house rest-bus-client using a version of sun jersey(1.9.x) which i needed to remove. I tried in maven and it simply worked.
Also, this jersey version unmatch caused the following issue for me in dropwizard.
java.lang.NoSuchMethodError: javax.ws.rs.core.Application.getProperties()Ljava/util/Map;
Related
Due to the Log4Shell vulnerability I would like to search and find out if my Java project is implementing Log4j directly or by dependencies, and which version.
I have, for example, projects with these dependency management tools:
Maven project
Apache Ivy project
Old legacy project without any dependency management
How can I do this on these types of dependency management tools?
Details about the vulnerability (including mitigation steps):
CVE-2021-44228
Apache Log4j Security Vulnerabilities
You may run Maven dependency tree from the command line inside your project:
mvn dependency:tree
In the output do a search for log4j. If you find it, it might mean that your project is either directly including log4j, or another dependency is including log4j as a transitive dependency.
If you use Maven and Linux, you can run:
mvn dependency:tree | grep log4j
This will check your dependencies and show results only if you have Log4j as a dependency.
And if it is a transitive dependency, and you want to check the dependency it came from, you can use:
mvn dependency: tree | grep -B20 log4j
It will show 20 lines before Log4j on the screen. If you still can't see the main dependency where it comes from, you can increase from 20 to 50, and so on until you find it.
KKKK
So far I'm satisfied what Syft and Grype provide. These tools list all code dependencies of a given Docker image or a directory containing code - independent of the stack! Easy setup and quick execution.
It's Java-independent though and more generic than your specific question for a Maven-based solution. So it is up to you if it's of use or not.
I have some test code in Intellij Idea 2018 community edition, which has multiple pom files. When I run any testng annotated test, I get an error which says "no tests were found". It looks like the problem is due to this part of the exception stack trace:
java.lang.NoClassDefFoundError: com/fasterxml/jackson/annotation/JsonMerge
I googled for a solution and found this - https://github.com/FasterXML/jackson-annotations/issues/119 and this https://stackoverflow.com/a/46406070. It looks like this issue is caused when we don't have the same version of these jars in the project.
1) jackson-core (2.8.8)
2) jackson-databind (2.9.2)
3) jackson-annotations (2.8.5)
As you can see, I don't have the same version for all the jars. I looked at all the poms in my project and did not find any place where all these dependencies are added. I was hoping to simply set the version number there. Should I simply add all dependencies in my parent pom file or do something else ?
How do I resolve this issue without harming the project ? How do I find out why these jars are not of the same version ?
You most likely have different versions imported through different dependencies as sub-dependencies.
You can get maven to show you the so-called "effective pom" which will give you the full dependency tree, from which you can then see where what's included.
Some IDEs (like IntelliJ) have an option to show this graphically, which makes finding conflicts like this a lot easier.
Exclude lower versions, and if required explicitly add dependencies to newer versions.
The keyword you are looking for is "Dependency Exclusion". Maven includes transitive dependencies automatically. You first need to identify where the dependencies are coming from.
You can redirect the output to a file and analyze it in detail by searching for "jackson" in the tree.txt file generated as follows:
mvn dependency:tree -Dverbose > tree.txt
Next step would be find out whether you can upgrade some of your libraries so that they automatically use the right version of jackson libraries for you.
Finally, if you explicitly want to exclude transitive dependencies, you can use <exclusions> tag inside a certain <dependency> to exclude certain third party dependencies added to your classpath. See this SO question, for example.
Getting a class not found error at runtime due to maven sub dependency issue:
I am working on integrating twilio sdk ( com.twilio.sdk:twilio:7.35.0 ) into a multi module maven(3.x)/java(java8) project.
I firstly added the twilio maven dependency to the corresponding module
And I am getting a class not found exception at runtime on org.apache.http.conn.HttpClientConnectionManager.
I looked into it and found out that this class is part of org.apache.httpcomponents:httpclient (which is a subdependency in the twilio sdk ) and that an earlier version of this dependency is in my project.
And this earlier version does not have the HttpClientConnectionManager class.
So from this point, I tried to exclude the old version of the dependency with exclude tag first then with maven enforcer plugin and in the same time importing the dependency directly but nothing worked.
I tried to import the dependency in the parent pom and in the other modules that are using my twilio module as well.
I am using twilio 7.35 which uses org.apache.httpcomponents:4.5.6 but in my multi-module project I am using org.apache.cassandra:cassandra-thrift:3.0.0 which is using thrift:0.9.2 which contains the old version of httpclient(4.2.5).
The latest version of this cassandra module does not support the latest version of httpClient, so I need to make sure this httpclient older dependency does not mess up the twilio one.
I also analysed the output of mvn dependency:tree -Dverbose and it seems that the 4.5.6 is getting picked up correclty. And when I tried adding it to the parent module or the calling module, I can see that the old version is getting overwritten by the twilio one but it does not solve my issue.
I am starting to wonder if it is even possible to have two versions of the dependencies in the same maven project.
It sounds like you are experiencing something similar to a related question dealing with Jar Hell: Jar hell: how to use a classloader to replace one jar library version with another at runtime
In this case you need to use a separate classloader from the default one in your project. Perhaps you could use the URL Classloader and load some or all of your newer dependencies from the filesystem.
I have some test code in Intellij Idea 2018 community edition, which has multiple pom files. When I run any testng annotated test, I get an error which says "no tests were found". It looks like the problem is due to this part of the exception stack trace:
java.lang.NoClassDefFoundError: com/fasterxml/jackson/annotation/JsonMerge
I googled for a solution and found this - https://github.com/FasterXML/jackson-annotations/issues/119 and this https://stackoverflow.com/a/46406070. It looks like this issue is caused when we don't have the same version of these jars in the project.
1) jackson-core (2.8.8)
2) jackson-databind (2.9.2)
3) jackson-annotations (2.8.5)
As you can see, I don't have the same version for all the jars. I looked at all the poms in my project and did not find any place where all these dependencies are added. I was hoping to simply set the version number there. Should I simply add all dependencies in my parent pom file or do something else ?
How do I resolve this issue without harming the project ? How do I find out why these jars are not of the same version ?
You most likely have different versions imported through different dependencies as sub-dependencies.
You can get maven to show you the so-called "effective pom" which will give you the full dependency tree, from which you can then see where what's included.
Some IDEs (like IntelliJ) have an option to show this graphically, which makes finding conflicts like this a lot easier.
Exclude lower versions, and if required explicitly add dependencies to newer versions.
The keyword you are looking for is "Dependency Exclusion". Maven includes transitive dependencies automatically. You first need to identify where the dependencies are coming from.
You can redirect the output to a file and analyze it in detail by searching for "jackson" in the tree.txt file generated as follows:
mvn dependency:tree -Dverbose > tree.txt
Next step would be find out whether you can upgrade some of your libraries so that they automatically use the right version of jackson libraries for you.
Finally, if you explicitly want to exclude transitive dependencies, you can use <exclusions> tag inside a certain <dependency> to exclude certain third party dependencies added to your classpath. See this SO question, for example.
I recently upgraded from Spring 3.2.11.RELEASE to Spring 4.2.3.RELEASE.
When running my unit tests, I'm getting this error:
java.lang.ExceptionInInitializerError: null
at org.springframework.test.web.servlet.result.MockMvcResultHandlers.<clinit>(MockMvcResultHandlers.java:44)
And:
java.lang.NoClassDefFoundError: Could not initialize class org.springframework.test.web.servlet.result.MockMvcResultHandlers
Line 44 of MockMvcResultHandlers looks like this:
private static final Log logger = LogFactory.getLog(MockMvcResultHandlers.class.getPackage().getName());
I confirmed that I have commons-logging 1.2 as a dependency in Maven.
Any ideas of what the issue could be?
Thanks!
I've confirmed that the NullPointerException is coming from MockMvcResultHandlers.class.getPackage().
Update: From what I've read, some people are saying that using the maven-surefire-plugin with a forkCount greater than 0 might fix it. Unfortunately, in my particular situation, I can't update the forkCount to verify that.
Update: I opened a JIRA against Spring and they said it will be fixed in 4.2.4:
https://jira.spring.io/browse/SPR-13802
You might have a conflicting spring-test version included by another dependency. I would try to identify whether other dependencies are importing a different version. You can do this in intelliJ, if you use it (and probably other IDEs do it but that's what I use), and you can also do a maven dependency tree. I find both methods useful.
Maven Dependency Tree:
mvn dependency:tree -Dverbose > tree.txt
or, to isolate your specific dependency,
mvn dependency:tree -Dverbose -Dincludes=spring-test > tree.txt
I find it useful to output to a file and then search through it using less or some other tool.
In IntelliJ:
In the Maven Projects tab at right, expand all (CTRL+PLUS in Windows) and look through the dependencies of dependencies and see if you see commons-logging. This is obviously more of a brute force method.