Spring Boot 3.2.0 with Hibernate 6.4 reports ANTLR version mismatch

[maurice85]

Hibernate 6.4.0.Final uses antlr4 version 4.13.0 but spring-boot-starter-data-jpa 3.2.0 still uses antlr4 version 4.10.1. This causes the warning message

ANTLR Tool version 4.13.0 used for code generation does not match the current runtime version 4.10.1.

I've resolved this problem by excluding the dependency 4.10.1 from spring-boot-starter-data-jpa 3.2.0 and explicitly adding antlr 4.13.0 with

<dependency>
    <groupId>org.antlr</groupId>
    <artifactId>antlr4-runtime</artifactId>
    <version>4.13.0</version>
    <scope>runtime</scope>
</dependency>

However because the version is hardcoded in org.data.jpa.repository.query.HqlLexer and other jpa classes that use RuntimeMetaData.checkVersion(); I still get the same warning during application startup.

Please make spring boot jpa use antlr4 4.13.0 and update the hardcoded string "4.10.1" to "4.13.0"

[mp911de]

This is essentially a part of #3239. A few things come together. Both, Hibernate and Spring Data use ANTLR and ANTLR tooling generates the classes containing the version check that you've discovered.

With Hibernate being managed by Spring Boot while the ANTLR version being pulled in by Spring Data JPA, there are a few components that could introduce a skew in versions (e.g. if Spring Data JPA builds against a Hibernate service release different than Spring Boot and that service release uses a different version than Spring Data JPA).

Also, these version checks introduce an entirely different problem. In the case of a CVE in ANTLR, you would most likely switch to a fixed version while Hibernate or Spring Data are on a different release cadence causing the warning to become visible again.