dependency-check-gradle
                                
NoSuchMethodError: org.json.JSONObject.keySet()Ljava/util/Set in retirejs
In a Spring Boot project using dependency-check-gradle, I get a NoSuchMethodError exception. Environment: Gradle 5.6.4, Java 8, macOS 10.15.x, org.owasp:dependency-check-gradle:6.1.0
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
        InitializationException: Unexpected Exception
                caused by NoSuchMethodError: org.json.JSONObject.keySet()Ljava/util/Set;
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:644)
        at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
        at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:89)
        ... 88 more		
Reason: The Gradle build environment dependency tree shows only one org.json.json dependency, but spring-boot-cli depends on android-json, and I think that's the problem, as they use a re-implementation of org.json.json for legal issues (see below).
+--- com.h3xstream.retirejs:retirejs-core:3.0.2
     |    |    +--- org.json:json:20190722
     |    |    +--- com.esotericsoftware:minlog:1.3.1
     |    |    \--- com.github.spullara.mustache.java:compiler:0.9.6
\--- org.springframework.boot:spring-boot-cli:2.1.15.RELEASE
|    |         +--- org.springframework.boot:spring-boot-loader-tools:2.1.15.RELEASE
|    |         |    +--- org.springframework:spring-core:5.1.16.RELEASE
|    |         |    |    \--- org.springframework:spring-jcl:5.1.16.RELEASE
|    |         |    \--- org.apache.commons:commons-compress:1.18 -> 1.20
|    |         +--- com.vaadin.external.google:android-json:0.0.20131108.vaadin1
When disabling retirejs, it works.
The problem is that the license of org.json.json used by retirejs is seen as NON-FREE. That's the reason why Spring and many other projects switched to a free implementation. See https://wiki.debian.org/qa.debian.org/jsonevil
I recommended to the retirejs project to use a real free implementation instead as well. See https://github.com/h3xstream/burp-retire-js/issues/61
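One way to confirm a clash like the one reported above is to list every class that more than one JAR on the same classpath provides. The script below is an added example, not part of the original issue or of either project. The JAR names come from the dependency tree in the report, but their contents are constructed stand-ins, and treating the first JAR in the mapping as the one that gets loaded is an assumption about class loader order.

```python
import io
import zipfile
from collections import defaultdict


def make_jar(class_names):
    """Build an in-memory JAR (a zip) with empty stand-in .class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in class_names:
            jar.writestr(name, b"")
    return buf


def sample_classpath():
    """Constructed sample: JAR names from the report, contents illustrative."""
    return {
        "android-json-0.0.20131108.vaadin1.jar": make_jar(
            ["org/json/JSONObject.class", "org/json/JSONArray.class"]),
        "json-20190722.jar": make_jar(
            ["org/json/JSONObject.class", "org/json/JSONArray.class",
             "org/json/JSONPointer.class"]),
        "minlog-1.3.1.jar": make_jar(["com/esotericsoftware/minlog/Log.class"]),
    }


def duplicate_classes(jars):
    """Map each class found in more than one JAR to its providers.

    `jars` maps a label to a path or file object, in classpath order.
    """
    providers = defaultdict(list)
    for label, source in jars.items():
        with zipfile.ZipFile(source) as jar:
            for entry in jar.namelist():
                if entry.endswith(".class") and not entry.startswith("META-INF/"):
                    providers[entry].append(label)
    return {cls: labels for cls, labels in providers.items() if len(labels) > 1}


def report(jars):
    """One line per clashing class; assumes the first provider wins."""
    return [f"{cls}: loaded from {labels[0]}, shadowed in {', '.join(labels[1:])}"
            for cls, labels in sorted(duplicate_classes(jars).items())]


if __name__ == "__main__":
    print("\n".join(report(sample_classpath())))
```

To check a real build, pass the paths of the JARs on the Gradle buildscript classpath instead of the sample mapping.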