Dependencycheck: Gradle build failing in v6.1.1

Created on 15 Feb 2021 · 8 comments · Source: jeremylong/DependencyCheck

Describe the bug
When attempting to run dependency check analyze using

./gradlew dependencyCheckAnalyze
there are 2 tasks that fail:

org.gradle.api.tasks.TaskExecutionException: Execution failed for task ':deployment:dependencyCheckAnalyze'.    
at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.lambda$executeIfValid$1(ExecuteActionsTaskExecuter.java:207)  
•••
Caused by: java.lang.NoSuchMethodError: org.apache.commons.codec.digest.DigestUtils.<init>(Ljava/lang/String;)V 
at org.owasp.dependencycheck.utils.Checksum.getChecksum(Checksum.java:101)
org.gradle.api.tasks.TaskExecutionException: Execution failed for task ':dependencyCheckAnalyze'.   
at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.lambda$executeIfValid$1(ExecuteActionsTaskExecuter.java:207)  
•••
Caused by: java.lang.NoSuchMethodError: org.apache.commons.codec.digest.DigestUtils.<init>(Ljava/lang/String;)V 
at org.owasp.dependencycheck.utils.Checksum.getChecksum(Checksum.java:101)

Version of dependency-check used
The problem occurs using version 6.1.1 of the gradle plugin

Log file
When reporting errors, 99% of the time log file output is required. Please post the log file as a gist and provide a link in the new issue.

Output displayed above. Let me know if you need additional information on the issue.

To Reproduce
Steps to reproduce the behavior:

  1. Run the ./gradlew command in CLI
  2. View output of 2 failed jobs in gradle output

Expected behavior
The gradle build should not break.

Additional context
Add any other context about the problem here.

bug

All 8 comments

Looks like there might be a conflicting build plugin with an old version of commons-codec? Can you run:

./gradlew buildEnvironment

Look for commons-codec:commons-codec and report back the version info?

I get the following information:

commons-codec:commons-codec:1.9 -> 1.14
commons-codec:commons-codec:1.14

Something is happening with the classpath for the plugins. The referenced APIs were introduced in 1.11.

I experience the same issue with 6.1.1. v6.1.0 works fine. My output for ./gradlew buildEnvironment for commons-codec (other paths removed):

+--- com.android.tools.build:gradle:4.1.2
|    +--- com.android.tools.build:builder:4.1.2
|    |    +--- com.android.tools:sdklib:27.1.2
|    |    |    +--- org.apache.httpcomponents:httpmime:4.5.6
|    |    |    |    \--- org.apache.httpcomponents:httpclient:4.5.6
|    |    |    |         \--- commons-codec:commons-codec:1.10 -> 1.15
+--- org.owasp:dependency-check-gradle:6.1.1
|    +--- org.owasp:dependency-check-core:6.1.1
|    |    +--- org.owasp:dependency-check-utils:6.1.1
|    |    |    +--- commons-codec:commons-codec:1.15

Jeremy, is there a specific version of _commons-codec_ that is required? Could an override to force a specific version fix this problem?
We have the problem in some APIs with this version 6.1.1, but in others it's working just fine.
Here is the output for the case where it's not working, only where _commons-codec_ is present, thanks.


./gradlew buildEnvironment
....
+--- org.jfrog.buildinfo:build-info-extractor-gradle:4.4.18
|    +--- org.apache.ivy:ivy:2.2.0
|    +--- commons-logging:commons-logging:1.1.1 -> 1.2
|    +--- commons-io:commons-io:2.2 -> 2.8.0
|    +--- org.codehaus.groovy:groovy-all:2.4.7
|    +--- org.jfrog.buildinfo:build-info-extractor:2.7.8
|    |    +--- commons-logging:commons-logging:1.1.1 -> 1.2
|    |    +--- commons-io:commons-io:2.2 -> 2.8.0
|    |    +--- commons-lang:commons-lang:2.4
|    |    +--- org.jfrog.buildinfo:build-info-client:2.7.8
|    |    |    +--- commons-codec:commons-codec:1.8 -> 1.15
|    |    |    +--- commons-logging:commons-logging:1.1.1 -> 1.2
|    |    |    +--- commons-io:commons-io:2.2 -> 2.8.0
|    |    |    +--- org.jfrog.buildinfo:build-info-api:2.7.8
|    |    |    |    +--- commons-logging:commons-logging:1.1.1 -> 1.2
|    |    |    |    +--- commons-io:commons-io:2.2 -> 2.8.0
|    |    |    |    +--- com.fasterxml.jackson.core:jackson-databind:2.8.1 -> 2.12.1 (*)
|    |    |    |    +--- commons-lang:commons-lang:2.4
|    |    |    |    +--- com.google.guava:guava:18.0 -> 20.0
|    |    |    |    +--- com.thoughtworks.xstream:xstream:1.3.1
|    |    |    |    |    \--- xpp3:xpp3_min:1.1.4c
|    |    |    |    \--- com.fasterxml.jackson.core:jackson-core:2.8.1 -> 2.12.1
|    |    |    +--- commons-lang:commons-lang:2.4
|    |    |    +--- com.google.guava:guava:18.0 -> 20.0
|    |    |    +--- org.apache.httpcomponents:httpclient:4.5.2
|    |    |    |    +--- org.apache.httpcomponents:httpcore:4.4.4 -> 4.4.5
|    |    |    |    +--- commons-logging:commons-logging:1.2
|    |    |    |    \--- commons-codec:commons-codec:1.9 -> 1.15
|    |    |    +--- org.apache.httpcomponents:httpcore:4.4.5
|    |    |    +--- com.thoughtworks.xstream:xstream:1.3.1 (*)
|    |    |    \--- com.fasterxml.jackson.core:jackson-core:2.8.1 -> 2.12.1
|    |    +--- com.google.guava:guava:18.0 -> 20.0
|    |    \--- com.thoughtworks.xstream:xstream:1.3.1 (*)
|    \--- commons-lang:commons-lang:2.4
+--- org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:3.1.1
|    \--- org.sonarsource.scanner.api:sonar-scanner-api:2.16.0.226
\--- org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:6.1.1
     \--- org.owasp:dependency-check-gradle:6.1.1
          +--- org.owasp:dependency-check-core:6.1.1
          |    +--- org.anarres.jdiagnostics:jdiagnostics:1.0.6
          |    +--- org.whitesource:pecoff4j:0.0.2.1
          |    +--- org.apache.commons:commons-jcs-core:2.2.1
          |    |    \--- commons-logging:commons-logging:1.2
          |    +--- com.github.package-url:packageurl-java:1.2.0
          |    +--- us.springett:cpe-parser:2.0.2
          |    |    \--- org.slf4j:slf4j-api:1.7.30
          |    +--- com.vdurmont:semver4j:3.1.0
          |    +--- org.slf4j:slf4j-api:1.7.30
          |    +--- org.owasp:dependency-check-utils:6.1.1
          |    |    +--- commons-io:commons-io:2.8.0
          |    |    +--- org.apache.commons:commons-lang3:3.11
          |    |    +--- com.fasterxml.jackson.core:jackson-databind:2.12.1 (*)
          |    |    +--- commons-codec:commons-codec:1.15
          |    |    \--- org.slf4j:slf4j-api:1.7.30

....
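The two `buildEnvironment` listings above show the pattern to look for: several requested versions of `commons-codec` (1.8, 1.9, 1.10, 1.15) being conflict-resolved to a single version. Here is an added example, written for this page and not part of the DependencyCheck project or any comment in the thread, that parses that listing, reports every path which pulls in a given artifact together with the plugin at the root of that path, and checks each resolved version against the minimum version in which the needed API exists (1.11 for `DigestUtils(String)`, per the earlier reply). The sample tree is constructed from the listing quoted above, trimmed to the commons-codec paths; the 5-column indentation is the layout Gradle prints.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the `./gradlew buildEnvironment` listing quoted in this
# thread, trimmed to the paths that pull in commons-codec.
SAMPLE_BUILD_ENVIRONMENT = """\
classpath
+--- org.jfrog.buildinfo:build-info-extractor-gradle:4.4.18
|    +--- org.jfrog.buildinfo:build-info-extractor:2.7.8
|    |    +--- org.jfrog.buildinfo:build-info-client:2.7.8
|    |    |    +--- commons-codec:commons-codec:1.8 -> 1.15
|    |    |    +--- org.apache.httpcomponents:httpclient:4.5.2
|    |    |    |    \\--- commons-codec:commons-codec:1.9 -> 1.15
\\--- org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:6.1.1
     \\--- org.owasp:dependency-check-gradle:6.1.1
          +--- org.owasp:dependency-check-core:6.1.1
          |    +--- org.owasp:dependency-check-utils:6.1.1
          |    |    +--- commons-codec:commons-codec:1.15
"""

# One tree line: indentation in 5-character columns, a branch marker, then
# group:name:requested, optionally followed by " -> resolved" when Gradle's
# conflict resolution picked a different version than the one requested.
LINE_RE = re.compile(
    r"^(?P<indent>(?:[|\s]{5})*)[+\\]--- "
    r"(?P<group>[^:\s]+):(?P<name>[^:\s]+):(?P<requested>\S+)"
    r"(?: -> (?P<resolved>\S+))?"
)


@dataclass
class Node:
    group: str
    name: str
    requested: str
    resolved: str
    path: List[str]  # ancestors as group:name:version, root first

    @property
    def coords(self) -> str:
        return f"{self.group}:{self.name}"

    @property
    def root(self) -> str:
        """The top-level plugin that dragged this artifact onto the classpath."""
        return self.path[0] if self.path else f"{self.coords}:{self.resolved}"


def parse_build_environment(text: str) -> List[Node]:
    nodes: List[Node] = []
    stack: List[str] = []  # ancestors of the line currently being parsed
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines carry no dependency
        depth = len(m.group("indent")) // 5
        del stack[depth:]  # pop back to this line's parent
        requested = m.group("requested")
        node = Node(m.group("group"), m.group("name"), requested,
                    m.group("resolved") or requested, list(stack))
        nodes.append(node)
        stack.append(f"{node.coords}:{node.resolved}")
    return nodes


def version_key(version: str):
    """Numeric tuple for ordering, so that 1.9 < 1.11 (string order gets it wrong)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def audit_artifact(nodes: List[Node], group: str, name: str, minimum: str) -> Dict:
    hits = [n for n in nodes if n.group == group and n.name == name]
    requested = sorted({n.requested for n in hits}, key=version_key)
    resolved = sorted({n.resolved for n in hits}, key=version_key)
    below = [{"root": n.root, "requested": n.requested, "resolved": n.resolved}
             for n in hits if version_key(n.resolved) < version_key(minimum)]
    return {
        "occurrences": len(hits),
        "requested_versions": requested,
        "resolved_versions": resolved,
        "below_minimum": below,
        # Clean only if a single version wins and it is new enough for the API.
        "ok": not below and len(resolved) <= 1,
    }


if __name__ == "__main__":
    tree = parse_build_environment(SAMPLE_BUILD_ENVIRONMENT)
    for n in tree:
        if n.coords == "commons-codec:commons-codec":
            print(f"{n.root}: requested {n.requested}, resolved {n.resolved}")
    report = audit_artifact(tree, "commons-codec", "commons-codec", "1.11")
    print("ok" if report["ok"] else f"problem: {report}")
```

Run against the listing on this page the check passes: every occurrence resolves to 1.15, which is already above 1.11, so forcing a version in the buildscript would change nothing. When the audit is clean but `NoSuchMethodError` still fires, the resolved graph is not where the old class is coming from, which is the situation the thread describes ("something is happening with the classpath for the plugins"); the fix that landed avoids the newer API rather than changing the resolution.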


I just updated to use APIs in commons-codec that exist in earlier versions. That should solve this problem. If this continues to be an issue I'll likely just shade commons-codec.

Just realized I typoed the CR#... So the commit for the changes is https://github.com/jeremylong/DependencyCheck/commit/35f411d56924f9153f7b3b051c30576c90f79c68

OK, thanks Jeremy, so this should be right in next version 6.1.2, right?
Update: forget it, I just realized your bugfix is already integrated to the next version 6.1.2, thanks Jeremy.
