Describe the bug
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/Users/me/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.11.2/jackson-module-afterburner-2.11.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Version of dependency-check used
The problem occurs using version 6.0.0 of the Maven plugin
To Reproduce
Steps to reproduce the behavior:
Expected behavior
No warnings about reflective access violations
Additional context
Upstream issue: https://github.com/FasterXML/jackson-modules-base/issues/37
Options:
This happens intermittently too using the latest docker image
https://hub.docker.com/r/owasp/dependency-check
We will upgrade the library when it is available. However, this issue is from a dependency: https://github.com/FasterXML/jackson-modules-base/issues/37
Is there a way to get round this issue in the meantime? It seems the issue with the dependency is ongoing... I too am getting this error when using the latest docker image
I've run scans using the latest Docker image and do not see the warning. @calebwhitt to be clear - this is a warning, not an error.
Disabling afterburner had an impact in some very quick tests I ran of ~10-15 seconds in the update process... We can't use blackbird as we still support Java 8. For now - I'm okay with ignoring the warning... However, we will continue to monitor...
It'll only come up if it actually does some JSON processing. Purge the database to guarantee reproduction.
Is it possible to do a layered jar or something in the plugin definition so Java 8 uses Afterburner and 9+ uses Blackbird?
@jeremylong apologies yes, this is a warning rather than an error. The warning appears consistently for me because I am using the Docker SDK for Python to execute the dependency-check. How are we able to suppress this warning?
@calebwhitt to suppress it, you need to start the JVM with options to allow that specific module reflection:
Oracle JDK Migration Guide - Understanding Runtime Access Warnings