
An illegal reflective access operation has occurred

Open OrangeDog opened this issue 3 years ago • 17 comments

Describe the bug

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/Users/me/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.11.2/jackson-module-afterburner-2.11.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Version of dependency-check used

The problem occurs using version 6.0.0 of the maven plugin

To Reproduce

Steps to reproduce the behavior:

  1. Run on JDK 9+

Expected behavior

No warnings about reflective access violations

Additional context

Upstream issue: https://github.com/FasterXML/jackson-modules-base/issues/37

Options:

  • Don't use afterburner
  • Use blackbird instead (e.g. with a profile activation)
  • Tell everyone to ignore it until afterburner fixes it

OrangeDog avatar Sep 07 '20 16:09 OrangeDog

This happens intermittently too using the latest docker image https://hub.docker.com/r/owasp/dependency-check

migueldolomandin avatar Sep 11 '20 02:09 migueldolomandin

We will upgrade the library when it is available. However, this issue is from a dependency: https://github.com/FasterXML/jackson-modules-base/issues/37

jeremylong avatar Sep 11 '20 10:09 jeremylong

Is there a way to get round this issue in the meantime? It seems the issue with the dependency is ongoing... I too am getting this error when using the latest docker image

calebwhitt avatar Nov 04 '20 10:11 calebwhitt

I've run scans using the latest docker image and do not see the warning. @calebwhitt to be clear - this is a warning not an error.

Disabling afterburner had an impact in some very quick tests I ran of ~10-15 seconds in the update process... We can't use blackbird as we still support Java 8. For now - I'm okay with ignoring the warning... However, we will continue to monitor...

jeremylong avatar Nov 04 '20 13:11 jeremylong

It'll only come up if it actually does some JSON processing. Purge the database to guarantee reproduction.

Is it possible to do a layered jar or something in the plugin definition so Java 8 uses Afterburner and 9+ uses Blackbird?

OrangeDog avatar Nov 04 '20 15:11 OrangeDog

@jeremylong apologies yes, this is a warning rather than an error. The warning appears consistently for me because I am using the Docker SDK for Python to execute the dependency-check. How are we able to suppress this warning?

calebwhitt avatar Nov 04 '20 16:11 calebwhitt

@calebwhitt to suppress it, you need to start the JVM with options to allow that specific module reflection: Oracle JDK Migration Guide - Understanding Runtime Access Warnings

OrangeDog avatar Nov 04 '20 17:11 OrangeDog

Having the same problem with

$ java -version
java version "1.8.0_251"
Java(TM) SE Runtime Environment (build 1.8.0_251-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.251-b08, mixed mode)

On Mac OSX.

I think it'd be best to either resolve this issue with changes from FasterXML and/or make the suppression that's required be automatically included in the launch script.

benjsmi avatar Jun 03 '21 12:06 benjsmi

@benjsmi it is impossible to get this warning in 1.8, as it doesn't have modules.

OrangeDog avatar Jun 03 '21 13:06 OrangeDog

I face this issue too. Dep check - Version 6.1.6, Java:

java 11.0.11 2021-04-20 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.11+9-LTS-194)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.11+9-LTS-194, mixed mode)

Same issue with version 6.2.1:

java version "15.0.1" 2020-10-20
Java(TM) SE Runtime Environment (build 15.0.1+9-18)
Java HotSpot(TM) 64-Bit Server VM (build 15.0.1+9-18, mixed mode, sharing)

proo4509 avatar Jun 10 '21 05:06 proo4509

As stated previously, when the dependencies are available to resolve the warning we will upgrade. However, we are waiting for a solution in the FasterXML afterburner library.

That being said - this is a warning that can, at the moment, be safely ignored.

jeremylong avatar Jun 10 '21 11:06 jeremylong

Just to note that with Java 17 (the new LTS) this is now an error. The --add-opens option will still work to remove it.

However, it doesn't actually happen when you run it, so I guess it's just ignored or avoided internally (afterburner catches the exception or something).

A full purge run took 1:27 on Java 17 and 1:26 on Java 11, so any speed-up seems to be irrelevant anyway.

OrangeDog avatar Oct 07 '21 09:10 OrangeDog

Blackbird is available since 2.12.0

https://github.com/FasterXML/jackson-modules-base/blob/2.13/release-notes/VERSION-2.x

https://github.com/FasterXML/jackson-modules-base/tree/2.13/blackbird

hoerup avatar Oct 07 '21 10:10 hoerup

I'm seeing this error with the new Dependency Check 7.0.0 on Java 11.0.14.

brentil avatar Mar 01 '22 14:03 brentil

This is still a problem when running check on the latest dependency-check-maven 7.0.1:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/Users/USERNAME/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.13.2/jackson-module-afterburner-2.13.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

It's worth looking at detecting the Java version and using Afterburner when running on older versions or Blackbird when running on JDK 11 or above.

https://github.com/FasterXML/jackson-modules-base/tree/master/blackbird

SingingBush avatar Mar 23 '22 15:03 SingingBush
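The warning block quoted above is what shows up in CI build logs, and OrangeDog's earlier comment notes that the fix on the JVM side is an option that explicitly opens the package being accessed. The script below is an added example, not code from the DependencyCheck project or from anyone in this thread: it scans a build log for the JDK's "Illegal reflective access" lines, de-duplicates them by caller and target, and derives the `--add-opens` argument that would grant the same access explicitly. Two assumptions are labelled in the code: the package-to-module map is a small hand-written table (only the `java.base` packages listed are resolved; anything else is reported as unknown rather than guessed), and `ALL-UNNAMED` is used because the calling jar is on the class path, as the `file:` path in the warning indicates. The sample log is constructed from the thread's warning plus one invented line for a field access.

```python
"""Summarise JDK 'illegal reflective access' warnings found in a build log.

Added example; not part of DependencyCheck or jackson-modules-base.
"""
import re
from collections import OrderedDict

# Constructed sample log: the afterburner warning from the issue thread (with
# one duplicate to exercise de-duplication) plus an invented field-access line.
SAMPLE_LOG = """\
[INFO] --- dependency-check-maven:7.0.1:check (default-cli) ---
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/Users/USERNAME/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.13.2/jackson-module-afterburner-2.13.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/Users/USERNAME/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.13.2/jackson-module-afterburner-2.13.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Illegal reflective access by com.example.Plugin (file:/tmp/plugin.jar) to field java.util.AbstractList.modCount
"""

# The line that names the caller, the jar it was loaded from, and the member it touched.
ACCESS_RE = re.compile(
    r"Illegal reflective access by (?P<caller>\S+) \((?P<jar>[^)]*)\) "
    r"to (?P<kind>method|field|constructor) (?P<target>\S+)"
)

# Assumption: a minimal package -> module table covering common java.base
# packages. Unknown packages are reported, never guessed.
PACKAGE_TO_MODULE = {
    "java.lang": "java.base",
    "java.lang.reflect": "java.base",
    "java.util": "java.base",
    "java.io": "java.base",
    "java.nio": "java.base",
}


def target_package(target):
    """Package of a target such as 'java.lang.ClassLoader.findLoadedClass(java.lang.String)'.

    Parameter list is stripped; the package is every dotted segment before the
    first segment that starts with an upper-case letter (the class name).
    """
    qualified = target.split("(", 1)[0]
    pkg = []
    for segment in qualified.split("."):
        if segment[:1].isupper():
            break
        pkg.append(segment)
    return ".".join(pkg)


def add_opens_flag(target):
    """Return the --add-opens argument for the target's package, or None if unknown.

    Assumption: the caller lives on the class path, hence ALL-UNNAMED.
    """
    pkg = target_package(target)
    module = PACKAGE_TO_MODULE.get(pkg)
    if module is None:
        return None
    return f"--add-opens {module}/{pkg}=ALL-UNNAMED"


def scan_log(text):
    """One finding per distinct (caller, target) pair, in order of first appearance."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = ACCESS_RE.search(line)
        if not m:
            continue
        key = (m["caller"], m["target"])
        if key in seen:
            continue
        seen[key] = {
            "caller": m["caller"],
            "jar": m["jar"],
            "kind": m["kind"],
            "target": m["target"],
            "package": target_package(m["target"]),
            "add_opens": add_opens_flag(m["target"]),
        }
    return list(seen.values())


def report(text):
    """Human-readable summary; the flags are what you would put in MAVEN_OPTS."""
    lines = []
    for f in scan_log(text):
        flag = f["add_opens"] or "(module unknown; resolve manually)"
        lines.append(f"{f['caller']} -> {f['kind']} {f['target']}")
        lines.append(f"    from: {f['jar']}")
        lines.append(f"    flag: {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Each flag opens a whole `java.base` package to every class-path jar, so keep the generated list to the entries the log actually justifies rather than opening packages speculatively; on Java 17, where the thread notes the access is denied outright instead of warned about, the same `--add-opens` entries are what restore it.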

I'm also seeing this in Dependency-Check Core version 7.2.0 in the Azure DevOps 'OWASP Dependency Check' task.

pk27734 avatar Sep 15 '22 09:09 pk27734

@jeremylong Sorry to be bothering with this but, since Java 17 is something people are starting to slowly migrate to, is there any forecast to when the DependencyCheck plugin will have this issue solved without us having to resort to the --add-opens flag?

Thank you in advance for any answer and keep up the amazing work on this plugin.

pmsmm avatar Oct 03 '22 23:10 pmsmm

Thanks for pinging me on this one: https://github.com/jeremylong/DependencyCheck/pull/4905

jeremylong avatar Oct 05 '22 09:10 jeremylong