Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow runtime compatibility for snakeyaml 2.0 #12950

Closed
ahormazabal opened this issue Apr 10, 2023 · 4 comments
Closed

Allow runtime compatibility for snakeyaml 2.0 #12950

ahormazabal opened this issue Apr 10, 2023 · 4 comments
Assignees
@guillermocalvo

Comments

@ahormazabal
Copy link

ahormazabal commented Apr 10, 2023
edited
Loading

Expected Behavior

Due to CVE-2022-1471, we need to upgrade to snakeyaml 2.0, however it's not yet supported by Grails 5.3.2
This has already been addressed by spring and spring-boot, however we're still blocked by grails to be able to fully upgrade.

We don't expect grails dependencies to be upgraded to snakeyaml 2.0, but at least it should support it in runtime, an approach taken by latest spring-boot 2.7.10.

Actual Behaviour

If we attempt to use snakeyaml 2.0 as dependency, gsp compiling fails with the following error:

Exception in thread "main" java.lang.NullPointerException: LoaderOptions must be provided.
	at org.yaml.snakeyaml.constructor.BaseConstructor.<init>(BaseConstructor.java:118)
	at org.yaml.snakeyaml.constructor.SafeConstructor.<init>(SafeConstructor.java:53)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:72)
	at org.codehaus.groovy.reflection.CachedConstructor.doConstructorInvoke(CachedConstructor.java:59)
	at org.codehaus.groovy.runtime.callsite.ConstructorSite.callConstructor(ConstructorSite.java:45)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:263)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:268)
	at org.grails.config.CodeGenConfig.loadYml(CodeGenConfig.groovy:157)
	at org.grails.config.CodeGenConfig$_loadYml_closure1.doCall(CodeGenConfig.groovy:133)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323)
	at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:274)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1035)
	at groovy.lang.Closure.call(Closure.java:412)
	at groovy.lang.Closure.call(Closure.java:428)
	at org.codehaus.groovy.runtime.IOGroovyMethods.withStream(IOGroovyMethods.java:1184)
	at org.codehaus.groovy.runtime.ResourceGroovyMethods.withInputStream(ResourceGroovyMethods.java:1882)
	at org.grails.config.CodeGenConfig.loadYml(CodeGenConfig.groovy:132)
	at org.grails.gsp.compiler.GroovyPageCompiler.compile(GroovyPageCompiler.groovy:93)
	at org.grails.web.pages.GroovyPageCompilerForkTask.compile(GroovyPageCompilerForkTask.groovy:102)
	at org.grails.web.pages.GroovyPageCompilerForkTask.run(GroovyPageCompilerForkTask.groovy:155)
	at org.grails.web.pages.GroovyPageCompilerForkTask.main(GroovyPageCompilerForkTask.groovy:106)

Steps To Reproduce

This error is reproduced by attempting to compile GSP pages while snakeyaml 2.0 is a dependency of the compiling application.

Environment Information

  • Operating System: Replicated on macOS and Ubuntu 20.
  • JDK Version: openjdk version "11.0.18" 2023-01-17
  • Grails 5.3.2
  • Spring 5.3.26
  • Spring boot 2.7.10
  • snakeyaml 2.0

Example Application

No response

Version

5.3.2
@mitushy
Copy link

mitushy commented Apr 13, 2023

@puneetbehl it may be something already on you radar, but I think we can release Grails 5.3.3 by bumping these dependencies:

snakeyaml/2.0
spring boot/2.7.10 (patched spring-projects/spring-boot#34405)
spring/5.3.26 (patched spring-projects/spring-framework#30097)
micronaut/3.8.8 (patched in 3.8.7 micronaut-projects/micronaut-core#8905)

From my local tests, these dependencies work well together.

This is valid for the 6.x branch as well - you can probably re-revert #12921 if the other deps are updated.

@ahormazabal
Copy link
Author

Hi @puneetbehl
We at the Rundeck team have been closely looking at this issue, which is preventing us from achieving several compliance paths. We're happy to see that snakeyaml 2.0 has been included in Grails 6.0 release path, and are looking including this upgrade into our development path, however we don't look at it as a short term solution.

Would it be possible to get a solution that would allow us to use Grails 5.3 together with snakeyaml 2.0? We don't really need grails to be upgraded to include that version, but at least need the constructor signature used to be changed so we could make the upgrade on our side, in pretty much the same strategy adopted by the spring team in the referenced links.

We really hope we could get the help from the Grails team on this, many thanks!

@guillermocalvo
Copy link
Contributor

Fixed by:

@AmmarRami
Copy link

Hello,

I have the same problem with jenkins server version 2.401.3 running with java 11.0.21. When I upgraded all plugins to last version I am not capable to launch kubernetes agent. My agent is a pod created via a yaml stream. This yaml stream il maked with MargeYaml groovy script wich use snakeYaml version 1.25.
When he launch agent I have this error: java.lang.NullPointerException: LoaderOptions must be provided
When I see the tag 1.25 of the groovy library I constat that the constructor SafeConstructor don't have LoaderOptions instance param.
So, I upgraded my grappe dependencies in my yaml file --> @grab(group='org.yaml', module='snakeyaml', version='2.0') but my groovy bin don't understand any groovy library and I have these errors:

2024-01-11_11-21-24 Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: d6252710-3d31-488c-b7c0-6839ef4acc0f
2024-01-11_11-21-24 org.jenkinsci.plugins.workflow.cps.CpsCompilationErrorsException: startup failed:
2024-01-11_11-21-24 General error during conversion: Error grabbing Grapes -- [unresolved dependency: org.yaml#snakeyaml;2.0: not found, unresolved dependency: org.apache.commons#commons-lang3;3.14.0: not found, unresolved dependency: org.postgresql#postgresql;42.3.1: not found, unresolved dependency: org.apache.commons#commons-lang3;3.6: not found]
2024-01-11_11-21-24
2024-01-11_11-21-24 java.lang.RuntimeException: Error grabbing Grapes -- [unresolved dependency: org.yaml#snakeyaml;2.0: not found, unresolved dependency: org.apache.commons#commons-lang3;3.14.0: not found, unresolved dependency: org.postgresql#postgresql;42.3.1: not found, unresolved dependency: org.apache.commons#commons-lang3;3.6: not found]

Can you help me to resolve this problem please?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@guillermocalvo guillermocalvo

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@guillermocalvo @ahormazabal @mitushy @AmmarRami