An illegal reflective access operation has occurred #2793

Closed
OrangeDog opened this issue Sep 7, 2020 · 19 comments

@OrangeDog

Describe the bug
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/Users/me/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.11.2/jackson-module-afterburner-2.11.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Version of dependency-check used
The problem occurs using version 6.0.0 of the maven plugin

To Reproduce
Steps to reproduce the behavior:

  1. Run on JDK 9+

Expected behavior
No warnings about reflective access violations

Additional context
Upstream issue: FasterXML/jackson-modules-base#37

Options:

  • Don't use afterburner
  • Use blackbird instead (e.g. with a profile activation)
  • Tell everyone to ignore it until afterburner fixes it
@OrangeDog OrangeDog added the bug label Sep 7, 2020
@migueldolomandin

This happens intermittently too using the latest docker image
https://hub.docker.com/r/owasp/dependency-check

@jeremylong
Owner

We will upgrade the library when it is available. However, this issue is from a dependency: FasterXML/jackson-modules-base#37

@calebwhitt

Is there a way to get round this issue in the meantime? It seems the issue with the dependency is ongoing... I too am getting this error when using the latest docker image

@jeremylong
Owner

I've run scans using the latest docker image and do not see the warning. @calebwhitt to be clear - this is a warning not an error.

Disabling afterburner had an impact in some very quick tests I ran of ~10-15 seconds in the update process... We can't use blackbird as we still support Java 8. For now - I'm okay with ignoring the warning... However, we will continue to monitor...

@OrangeDog
Author

It'll only come up if it actually does some JSON processing. Purge the database to guarantee reproduction.

Is it possible to do a layered jar or something in the plugin definition so Java 8 uses Afterburner and 9+ uses Blackbird?

@calebwhitt

@jeremylong apologies yes, this is a warning rather than an error. The warning appears consistently for me because I am using the Docker SDK for Python to execute the dependency-check. How are we able to suppress this warning?

@OrangeDog
Author

@calebwhitt to suppress it, you need to start the JVM with options to allow that specific module reflection:
Oracle JDK Migration Guide - Understanding Runtime Access Warnings
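
An added example, not part of the original thread or of dependency-check: a shell helper that reads the JVM warning quoted in this issue and derives the package-scoped `--add-opens` flag for it. The function names, the `java.base` package list and the sample input are constructed for illustration, and it assumes the offending library is on the class path (the unnamed module).

```shell
#!/bin/sh
# Added example: turn "Illegal reflective access" warnings into the narrowest
# --add-opens flags (one package, opened only to class-path code).

# Packages this sketch knows belong to the java.base module (assumed subset).
in_java_base() {
  case "$1" in
    java.lang|java.lang.reflect|java.lang.invoke|java.io|java.net|java.nio|java.util) return 0 ;;
    *) return 1 ;;
  esac
}

# Read JVM output on stdin; print one flag per distinct target package.
add_opens_flags() {
  sed -nE 's/^WARNING: Illegal reflective access by .* to (method|field|constructor) ([^( ]*).*$/\1 \2/p' |
  while read -r kind member; do
    case "$kind" in
      constructor) class=$member ;;        # target is the class itself
      *)           class=${member%.*} ;;   # drop the method or field name
    esac
    pkg=${class%.*}                        # drop the class name
    if in_java_base "$pkg"; then
      echo "--add-opens=java.base/$pkg=ALL-UNNAMED"
    else
      # Do not guess a module; leave unknown packages for manual review.
      echo "skipped $pkg: not in this sketch's java.base list" >&2
    fi
  done | sort -u
}

# Constructed sample input: the warning lines quoted in this issue.
sample_warning() {
  cat <<'EOF'
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/Users/me/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.11.2/jackson-module-afterburner-2.11.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: All illegal access operations will be denied in a future release
EOF
}

# Usage with the Maven plugin (scan.log is a hypothetical capture of a prior run):
#   MAVEN_OPTS="$(add_opens_flags < scan.log | tr '\n' ' ')" \
#     mvn org.owasp:dependency-check-maven:check
```

Opening a package to `ALL-UNNAMED` exposes it to every jar on the class path, so pass only the flags the warnings actually call for. JDK 8 rejects `--add-opens` as an unrecognized option.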

@benjsmi

benjsmi commented Jun 3, 2021

Having the same problem with

$ java -version
java version "1.8.0_251"
Java(TM) SE Runtime Environment (build 1.8.0_251-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.251-b08, mixed mode)

On Mac OSX.

I think it'd be best to either resolve this issue with changes from FasterXML and/or make the suppression that's required be automatically included in the launch script.

@OrangeDog
Author

@benjsmi it is impossible to get this warning in 1.8, as it doesn't have modules.

@vijaya-lakshmi-venkatraman

I face this issue too
Dep check - Version 6.1.6
Java

java 11.0.11 2021-04-20 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.11+9-LTS-194)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.11+9-LTS-194, mixed mode)

@proo4509

Same issue, version 6.2.1
java version "15.0.1" 2020-10-20
Java(TM) SE Runtime Environment (build 15.0.1+9-18)
Java HotSpot(TM) 64-Bit Server VM (build 15.0.1+9-18, mixed mode, sharing)

@jeremylong
Owner

As stated previously, when the dependencies are available to resolve the warning we will upgrade. However, we are waiting for a solution in the FasterXML afterburner library.

That being said - this is a warning that can, at the moment, be safely ignored.

@OrangeDog
Author

OrangeDog commented Oct 7, 2021

Just to note that with Java 17 (the new LTS) this is now an error.
The --add-opens option will still work to remove it.

However, it doesn't actually happen when you run it, so I guess it's just ignored or avoided internally (afterburner catches the exception or something).

A full purge run took 1:27 on Java 17 and 1:26 on Java 11, so any speed-up seems to be irrelevant anyway.

@hoerup

hoerup commented Oct 7, 2021

Blackbird is available since 2.12.0

https://github.com/FasterXML/jackson-modules-base/blob/2.13/release-notes/VERSION-2.x

https://github.com/FasterXML/jackson-modules-base/tree/2.13/blackbird

@brentil

brentil commented Mar 1, 2022

I'm seeing this error with the new Dependency Check 7.0.0 on Java 11.0.14.

@SingingBush
Contributor

This is still a problem when running check on the latest dependency-check-maven 7.0.1:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/Users/USERNAME/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.13.2/jackson-module-afterburner-2.13.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

It's worth looking at detecting the Java version and using Afterburner when running on older versions or Blackbird when running on JDK 11 or above.

https://github.com/FasterXML/jackson-modules-base/tree/master/blackbird

@pk27734

pk27734 commented Sep 15, 2022

I'm also seeing this in Dependency-Check Core version 7.2.0 in the Azure DevOps 'OWASP Dependency Check' task.

@pmsmm

pmsmm commented Oct 3, 2022

@jeremylong Sorry to be bothering you with this but, since Java 17 is something people are starting to slowly migrate to, is there any forecast for when the DependencyCheck plugin will have this issue solved without us having to resort to the --add-opens flag?

Thank you in advance for any answer and keep up the amazing work on this plugin.

@jeremylong
Owner

Thanks for pinging me on this one: #4905
