We've recently updated our code to use the newer, 3.45.0, release of Redisson. To do so, we had to change to a different codec to avoid a reported vulnerability; specifically:

https://nvd.nist.gov/vuln/detail/CVE-2023-42809

In the CVE, it is recommended that we use a codec that requires class registration. Hence, we chose KryoCodec as the codec to use, since Kryo5Codec does not require registration (again, see the CVE which specifically recommends against Kryo5Codec). Upon implementing it, we realized that we needed to register the class java.net.URI or else the underlying Kryo would complain about unregistered data being stored. Specifically, in via Redisson, we store a SortedSet of URI instances that contains the location of outputs from an evaluation.

Upon doing so, we discovered that, when the output URI is deserialized (i.e., obtained from the SortedSet after being placed inside of it), the URI string is correct, but none of the transient fields, such as path, are available.

Here is how the codec is initialized:

        List<Class<?>> registeredClasses = new ArrayList<>();
        registeredClasses.add(wres.tasker.JobMetadata.JobState.class);
        registeredClasses.add(org.redisson.RedissonReference.class);
        registeredClasses.add(URI.class);
        KryoCodec kryo = new KryoCodec(registeredClasses);

Here is how we declared the outputs variable:

    @RCascade( RCascadeType.ALL )
    private SortedSet<URI> outputs;

If we add a URI to outputs and then immediately print all outputs, we see that that URI's toString looks good, but the path (i.e., getPath or getRawPath) is null. It appears that whatever serializer is used when we register URI, its not restoring the transient fields upon deserializing.

For a discussion of our investigation, you can refer to our ticket in here; it should be publicly visible. If anyone has any tips for how to make this work, we'd appreciate it. Thanks!