
Conversation

@chadlwilson
Collaborator

@chadlwilson chadlwilson commented Nov 10, 2025

Description of Change

  • Moves the JCS3 logging adapter setting into the single place that needs it - the DataCacheFactory.
    • Changes it to mute logging unless DataCacheFactory itself is set to TRACE logging. This effectively mutes it everywhere by default.
    • This allows us to set the dependency in a deterministic place on the classpath; to ensure the Slf4jAdapter is discovered before the default JCS3 LogFactory providers, which is a workaround for the JDK 24+ issue https://bugs.openjdk.org/browse/JDK-8350481, still not fixed as of 25.0.1.
  • changes the CLI to use an executable jar to start, which allows for a deterministic classpath; unlike using a wildcard lib dir
  • so that we can still allow the use of plugins (basically additional classpath entries), it registers the CLI jar with a rudimentary Java agent to append to the classpath before the main class is created

Ancillary changes

  • bake the Windows script template in source control, same as the Linux one
    • appassembler is EOL now, so there will be no more changes. We will need to find another solution at some point; perhaps jpackage or something - but this will do for now.

Related issues

Have test cases been added to cover the new functionality?

yes

Manually tested on

  • Docker image
  • MacOS - JDK 11 / 21 / 25
    • with and without trying to load an extra plugins jar
  • Windows 11
    • with and without trying to load an extra plugins jar

Additional detail

.sh diff:
[screenshot of the .sh diff; image not reproduced]

.bat diff: (view word wrap on)
[screenshot of the .bat diff; image not reproduced]

Manifest for CLI looks like the below (80 jars, same as in lib dir)

Manifest-Version: 1.0
Created-By: Maven JAR Plugin 3.4.2
Build-Jdk-Spec: 11
Class-Path: logback-core-1.2.13.jar logback-classic-1.2.13.jar commons-c
 li-1.10.0.jar dependency-check-core-12.1.9-SNAPSHOT.jar jdiagnostics-1.
 0.7.jar pecoff4j-0.0.2.1.jar jcs3-slf4j-1.0.5.jar commons-jcs3-core-3.2
 .1.jar packageurl-java-1.5.0.jar cpe-parser-3.0.0.jar semver4j-5.8.0.ja
 r commons-collections4-4.5.0.jar commons-compress-1.27.1.jar commons-co
 dec-1.19.0.jar commons-io-2.20.0.jar commons-lang3-3.19.0.jar commons-t
 ext-1.14.0.jar commons-dbcp2-2.13.0.jar commons-pool2-2.12.0.jar common
 s-logging-1.3.4.jar jakarta.transaction-api-1.3.3.jar lucene-core-9.12.
 3.jar lucene-analysis-common-9.12.3.jar lucene-queryparser-9.12.3.jar l
 ucene-queries-9.12.3.jar lucene-sandbox-9.12.3.jar lucene-facet-9.12.3.
 jar jul-to-slf4j-1.7.36.jar velocity-engine-core-2.4.1.jar h2-2.4.240.j
 ar jakarta.json-2.0.1.jar jsoup-1.21.2.jar jackson-databind-2.20.1.jar 
 jackson-datatype-jsr310-2.20.1.jar jackson-module-blackbird-2.20.1.jar 
 jackson-dataformat-yaml-2.20.1.jar snakeyaml-2.4.jar retirejs-core-3.0.
 4.jar compiler-0.9.6.jar ossindex-service-client-1.8.2.jar javax.inject
 -1.jar gson-2.9.0.jar jaxb-api-2.3.1.jar javax.activation-api-1.2.0.jar
  guava-33.5.0-jre.jar failureaccess-1.0.3.jar listenablefuture-9999.0-e
 mpty-to-avoid-conflict-with-guava.jar error_prone_annotations-2.41.0.ja
 r j2objc-annotations-3.1.jar toml4j-0.7.2.jar aho-corasick-double-array
 -trie-1.2.3.jar commons-validator-1.10.0.jar commons-digester-2.1.jar c
 ommons-collections-3.2.2.jar packager-rpm-0.21.0.jar packager-core-0.21
 .0.jar bcprov-jdk18on-1.78.jar bcpg-jdk18on-1.78.jar xz-1.9.jar httpcor
 e5-5.3.6.jar httpclient5-5.5.1.jar httpcore5-h2-5.3.6.jar jackson-core-
 2.20.1.jar jackson-annotations-2.20.jar package-url-java-1.2.0.jar joda
 -time-2.14.0.jar ossindex-service-api-1.8.2.jar javax.ws.rs-api-2.0.1.j
 ar minlog-1.3.1.jar android-json-0.0.20131108.vaadin1.jar dependency-ch
 eck-utils-12.1.9-SNAPSHOT.jar slf4j-api-1.7.36.jar open-vulnerability-c
 lients-7.3.2.jar jspecify-1.0.0.jar httpclient5-cache-5.4.3.jar jmustac
 he-1.16.jar ant-1.10.15.jar annotations-26.0.2-1.jar spotbugs-annotatio
 ns-4.9.8.jar jsr305-3.0.2.jar
Implementation-Title: Dependency-Check Command Line
Implementation-Version: 12.1.9-SNAPSHOT
Implementation-Vendor: OWASP
Main-Class: org.owasp.dependencycheck.App
Premain-Class: org.owasp.dependencycheck.PluginLoader
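
The Java agent approach described in the change list, as an added illustration (this is not the PR's own PluginLoader class; the class name, the agent argument convention and the dc.plugins.dir property are assumptions). With Premain-Class set in the manifest as shown above, the CLI jar can be passed as its own agent, and premain appends every jar in a plugin directory to the system class loader search path before the main class is loaded:

```java
import java.io.File;
import java.io.IOException;
import java.lang.instrument.Instrumentation;
import java.util.Arrays;
import java.util.jar.JarFile;

/**
 * Hypothetical premain agent (not the PR's PluginLoader) that appends every
 * *.jar found in a plugin directory to the system class loader search path.
 * Launched with the CLI jar acting as its own agent, e.g. (assumed names):
 *   java -javaagent:dependency-check.jar=/opt/dc/plugins -jar dependency-check.jar ...
 * When no agent argument is given, the assumed system property
 * "dc.plugins.dir" is consulted instead.
 */
public final class ExamplePluginAgent {

    public static void premain(String agentArgs, Instrumentation inst) {
        String dir = (agentArgs == null || agentArgs.isEmpty())
                ? System.getProperty("dc.plugins.dir")
                : agentArgs;
        if (dir == null) {
            return; // no plugin directory configured: nothing to append
        }
        File[] jars = new File(dir).listFiles((d, name) -> name.endsWith(".jar"));
        if (jars == null) {
            System.err.println("ExamplePluginAgent: not a readable directory: " + dir);
            return;
        }
        // Sort by name so the resulting classpath order is stable across
        // platforms and file systems; directory listing order is not guaranteed.
        Arrays.sort(jars);
        for (File jar : jars) {
            try {
                // Appending (not prepending) keeps the jars from the manifest
                // Class-Path ahead of any plugin, so a plugin jar cannot shadow
                // one of the CLI's own dependencies.
                inst.appendToSystemClassLoaderSearch(new JarFile(jar));
            } catch (IOException e) {
                System.err.println("ExamplePluginAgent: skipping " + jar + ": " + e.getMessage());
            }
        }
    }

    private ExamplePluginAgent() {
    }
}
```

The Class-Path entries from the manifest are resolved relative to the executable jar's directory, so the order the JVM searches them is fixed at build time; the agent only ever adds entries after that list.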

@boring-cyborg boring-cyborg bot added ant changes to ant cli changes to the cli core changes to core maven changes to the maven plugin tests test cases labels Nov 10, 2025
@chadlwilson chadlwilson requested a review from Copilot November 10, 2025 17:31

Copilot AI left a comment


Pull Request Overview

This PR fixes reliability issues with Central and other JCS cache analyzers on Java 25/Docker by making the CLI classpath deterministic. The key change is moving away from wildcard classpath usage to an executable JAR with a deterministic Class-Path manifest entry, ensuring the JCS3 SLF4J logging adapter is discovered before the default JCS3 LogFactory providers as a workaround for JDK-8350481.

  • Centralizes JCS3 logging adapter configuration in DataCacheFactory static initializer
  • Converts CLI to use executable JAR with deterministic classpath via manifest
  • Implements PluginLoader Java agent to enable plugin support by appending JARs to classpath before main class initialization

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 7 comments.

File Description
core/src/main/java/org/owasp/dependencycheck/data/cache/DataCacheFactory.java Adds static initializer to configure JCS3 logging adapter, centralizing the configuration that was previously scattered across multiple entry points
core/src/main/java/org/owasp/dependencycheck/data/cache/DataCache.java Changes constructor visibility from public to package-private as it's only instantiated within the same package
core/pom.xml Reorders dependencies to place jcs3-slf4j before commons-jcs3-core for deterministic classpath ordering
maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java Removes JCS3 logging configuration now centralized in DataCacheFactory
maven/pom.xml Removes direct jcs3-slf4j dependency as it's now transitively included from core
cli/src/main/java/org/owasp/dependencycheck/App.java Removes JCS3 logging configuration now centralized in DataCacheFactory
cli/src/main/java/org/owasp/dependencycheck/PluginLoader.java New Java agent implementation for loading plugin JARs from a directory into the classpath
cli/src/test/java/org/owasp/dependencycheck/PluginLoaderTest.java Unit tests for the new PluginLoader agent
cli/src/main/resources/logback.xml Updates JCS logger name from jcs to jcs3 and changes level to FATAL
cli/src/main/conf/unixBinTemplate.sh Removes wildcard classpath handling to support deterministic JAR execution
cli/src/main/conf/windowsBinTemplate.bat New Windows batch script template with deterministic classpath support
cli/pom.xml Configures JAR manifest with Class-Path and Premain-Class entries, updates appassembler to use -jar execution, adds windowsScriptTemplate configuration
ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java Removes JCS3 logging configuration now centralized in DataCacheFactory
ant/pom.xml Removes direct jcs3-slf4j dependency as it's now transitively included from core


…acheFactory

- allows us to work around dependency-check#8108
- makes API for `core` consistently SLF4J based
- debug logging derived from logger configuration for the DataCacheFactory itself

Signed-off-by: Chad Wilson <[email protected]>

Copilot AI left a comment


Pull Request Overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.



chadlwilson added a commit to chadlwilson/dependency-check-gradle that referenced this pull request Nov 11, 2025
dependency-check/DependencyCheck#8117 upstreams this configuration to dependency-check-core, so this is no longer necessary. It wasn't always working correctly/deterministically for some reason (possibly Gradle's internal use of slf4j?), so hopefully this addresses the situation more reliably for the Gradle plugin.
Signed-off-by: Chad Wilson <[email protected]>
…asspath ordering

- without using wildcards, avoids getting into Windows command length issues as in dependency-check#2062
- tidies the appassembler Windows launch script generation to use a template, similar to *nix systems
- adds a Java Agent plugin loading mechanism to be able to add additional "plugin" jars onto the classpath as before

Signed-off-by: Chad Wilson <[email protected]>
@chadlwilson chadlwilson added the docker Pull requests that update Docker code label Nov 11, 2025
@jeremylong
Collaborator

Thanks! I'm going to do a point release today. We'll include this in the upcoming feature release.

@jeremylong jeremylong added this to the 12.2.0 milestone Nov 11, 2025
@chadlwilson
Collaborator Author

chadlwilson commented Nov 11, 2025

Not sure if you read the linked issue, but right now the docker image is (non-deterministically) broken (varying probably due to the file system overlay and docker storage driver, along with architecture).

@chadlwilson
Collaborator Author

chadlwilson commented Nov 11, 2025

If you want to restore stability at lower risk you might want to downgrade back to Java 21. (raised #8124 if you want to do this) (edit: ahh ok, you already cut the 12.1.9 release)

@jeremylong jeremylong merged commit aa885ab into dependency-check:main Nov 13, 2025
9 checks passed
Successfully merging this pull request may close these issues.

java.lang.ClassNotFoundException: org.apache.logging.log4j.message.MessageFactory