SpotBugs 4.8.1 fails parsing filter files in Spring Boot projects with NoSuchMethodError: Range.of(Comparable, Comparable) #2686

Closed
josephearl opened this issue Nov 8, 2023 · 8 comments · Fixed by #2688 or #2892


@josephearl

SpotBugs 4.8.1 fails to parse filter files in projects with Spring Boot which worked with SpotBugs 4.8.0.

Minimal reproducer: https://github.com/josephearl/spotbugs-spring-boot-filter-repro

Error:

> Task :spotbugsMain FAILED
Exception in thread "main" java.lang.NoSuchMethodError: 'org.apache.commons.lang3.Range org.apache.commons.lang3.Range.of(java.lang.Comparable, java.lang.Comparable)'
        at org.apache.commons.text.translate.NumericEntityEscaper.<init>(NumericEntityEscaper.java:97)
        at org.apache.commons.text.translate.NumericEntityEscaper.between(NumericEntityEscaper.java:59)
        at org.apache.commons.text.StringEscapeUtils.<clinit>(StringEscapeUtils.java:271)
        at edu.umd.cs.findbugs.util.Strings.unescapeXml(Strings.java:295)
        at edu.umd.cs.findbugs.SAXBugCollectionHandler.getRequiredAttribute(SAXBugCollectionHandler.java:804)
        at edu.umd.cs.findbugs.SAXBugCollectionHandler.parseMatcher(SAXBugCollectionHandler.java:452)
        at edu.umd.cs.findbugs.SAXBugCollectionHandler.startElement(SAXBugCollectionHandler.java:340)
        at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:518)
        at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:183)
        at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1387)
        at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2726)
        at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
        at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542)
        at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889)
        at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825)
        at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
        at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224)
        at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637)
        at edu.umd.cs.findbugs.filter.Filter.parse(Filter.java:234)
        at edu.umd.cs.findbugs.filter.Filter.parse(Filter.java:208)
        at edu.umd.cs.findbugs.filter.Filter.<init>(Filter.java:133)
        at edu.umd.cs.findbugs.FindBugs.configureFilter(FindBugs.java:471)
        at edu.umd.cs.findbugs.FindBugs2.addFilter(FindBugs2.java:404)
        at edu.umd.cs.findbugs.FindBugs2.configureFilters(FindBugs2.java:551)
        at edu.umd.cs.findbugs.FindBugs2.setUserPreferences(FindBugs2.java:505)
        at edu.umd.cs.findbugs.TextUICommandLine.configureEngine(TextUICommandLine.java:723)
        at edu.umd.cs.findbugs.FindBugs.processCommandLine(FindBugs.java:359)
        at edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1221)

Expected: SpotBugs 4.8.1 can parse filter files in projects with Spring Boot as 4.8.0 was able to

@gtoison
Contributor

gtoison commented Nov 8, 2023

The error seems to be due to using mismatched versions of commons-text and commons-lang3.
commons:commons-text:1.11.0 requires commons-lang3:3.13.0 so this renovate commit seems fine 0ed9c56

I tried reproducing the problem in SpotBugs but it worked for me and the zip distribution also has the correct versions.

@hazendaz I wonder if the transitive dependencies might be different in the gradle plugin (it needs to be using commons-lang3:3.13.0).

@josephearl
Author

josephearl commented Nov 8, 2023

4.8.1 works fine in other projects not using Spring Boot, like a Quarkus project

@gtoison
Contributor

gtoison commented Nov 8, 2023

On the SpotBugs project the dependency tree is:

> gradlew -q :spotbugs:dependencies

runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.ow2.asm:asm:9.6
+--- org.ow2.asm:asm-analysis:9.6
|    \--- org.ow2.asm:asm-tree:9.6
|         \--- org.ow2.asm:asm:9.6
+--- org.ow2.asm:asm-commons:9.6
|    +--- org.ow2.asm:asm:9.6
|    \--- org.ow2.asm:asm-tree:9.6 (*)
+--- org.ow2.asm:asm-tree:9.6 (*)
+--- org.ow2.asm:asm-util:9.6
|    +--- org.ow2.asm:asm:9.6
|    +--- org.ow2.asm:asm-tree:9.6 (*)
|    \--- org.ow2.asm:asm-analysis:9.6 (*)
+--- org.apache.bcel:bcel:6.6.1
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.13.0
+--- com.github.stephenc.jcip:jcip-annotations:1.0-1
+--- org.dom4j:dom4j:2.1.4
+--- org.apache.commons:commons-lang3:3.13.0
+--- org.apache.commons:commons-text:1.11.0
|    \--- org.apache.commons:commons-lang3:3.13.0
+--- org.slf4j:slf4j-api:2.0.9
+--- project :spotbugs-annotations
|    +--- com.google.code.findbugs:jsr305:3.0.2
|    \--- org.apache.logging.log4j:log4j-core:{strictly [2.17.1, 3[} -> 2.21.1 (c)
+--- com.google.code.gson:gson:2.10.1
+--- jaxen:jaxen:2.0.0
+--- net.sf.saxon:Saxon-HE:12.3
|    \--- org.xmlresolver:xmlresolver:5.2.0
|         +--- org.apache.httpcomponents.client5:httpclient5:5.1.3
|         |    +--- org.apache.httpcomponents.core5:httpcore5:5.1.3
|         |    +--- org.apache.httpcomponents.core5:httpcore5-h2:5.1.3
|         |    |    \--- org.apache.httpcomponents.core5:httpcore5:5.1.3
|         |    +--- org.slf4j:slf4j-api:1.7.25 -> 2.0.9
|         |    \--- commons-codec:commons-codec:1.15
|         \--- org.apache.httpcomponents.core5:httpcore5:5.1.3
+--- org.apache.logging.log4j:log4j-core:2.21.1
|    \--- org.apache.logging.log4j:log4j-api:2.21.1
\--- org.apache.logging.log4j:log4j-core:{strictly [2.17.1, 3[} -> 2.21.1 (c)

but in your reproducer it is:

spotbugs - configuration for the SpotBugs engine
\--- com.github.spotbugs:spotbugs:4.8.1
     +--- jaxen:jaxen:2.0.0
     +--- net.sf.saxon:Saxon-HE:12.3
     |    \--- org.xmlresolver:xmlresolver:5.2.0
     |         +--- org.apache.httpcomponents.client5:httpclient5:5.1.3 -> 5.2.1
     |         |    +--- org.apache.httpcomponents.core5:httpcore5:5.2 -> 5.2.3
     |         |    +--- org.apache.httpcomponents.core5:httpcore5-h2:5.2 -> 5.2.3
     |         |    |    \--- org.apache.httpcomponents.core5:httpcore5:5.2.3
     |         |    \--- org.slf4j:slf4j-api:1.7.36 -> 2.0.9
     |         \--- org.apache.httpcomponents.core5:httpcore5:5.1.3 -> 5.2.3
     +--- org.apache.logging.log4j:log4j-core:2.21.1 -> 2.20.0
     |    \--- org.apache.logging.log4j:log4j-api:2.20.0
     +--- org.ow2.asm:asm:9.6
     +--- org.ow2.asm:asm-analysis:9.6
     |    \--- org.ow2.asm:asm-tree:9.6
     |         \--- org.ow2.asm:asm:9.6
     +--- org.ow2.asm:asm-commons:9.6
     |    +--- org.ow2.asm:asm:9.6
     |    \--- org.ow2.asm:asm-tree:9.6 (*)
     +--- org.ow2.asm:asm-tree:9.6 (*)
     +--- org.ow2.asm:asm-util:9.6
     |    +--- org.ow2.asm:asm:9.6
     |    +--- org.ow2.asm:asm-tree:9.6 (*)
     |    \--- org.ow2.asm:asm-analysis:9.6 (*)
     +--- org.apache.bcel:bcel:6.6.1
     |    \--- org.apache.commons:commons-lang3:3.12.0
     +--- com.github.stephenc.jcip:jcip-annotations:1.0-1
     +--- org.dom4j:dom4j:2.1.4
     +--- org.apache.commons:commons-lang3:3.13.0 -> 3.12.0
     +--- org.apache.commons:commons-text:1.11.0
     |    \--- org.apache.commons:commons-lang3:3.13.0 -> 3.12.0
     +--- org.slf4j:slf4j-api:2.0.9
     +--- com.github.spotbugs:spotbugs-annotations:4.8.1
     |    +--- com.google.code.findbugs:jsr305:3.0.2
     |    \--- org.apache.logging.log4j:log4j-core:{strictly [2.17.1, 3[} -> 2.20.0 (c)
     +--- com.google.code.gson:gson:2.10.1
     \--- org.apache.logging.log4j:log4j-core:{strictly [2.17.1, 3[} -> 2.20.0 (c)

So commons-text is downgraded: org.apache.commons:commons-lang3:3.13.0 -> 3.12.0

My understanding is that (unlike Maven) Gradle resolves conflicts by picking the highest version but that's not the case here.
Do you know if Spring might be altering the default version conflict resolution?

In the meantime I think we should revert to using commons-text:1.10.0
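
One way to catch this kind of silent downgrade before it surfaces as a `NoSuchMethodError`, as an added example (not code from SpotBugs or from anyone in this thread): scan `gradle dependencies` output for `requested -> resolved` entries where the resolved version is lower than the requested one. The function names and the simplified version comparison are assumptions of this example; the sample lines are excerpted from the reproducer tree above.

```python
import re

# Sample input: lines excerpted from the reproducer's `spotbugs` configuration tree above.
SAMPLE_TREE = r"""
\--- com.github.spotbugs:spotbugs:4.8.1
     +--- net.sf.saxon:Saxon-HE:12.3
     |    \--- org.xmlresolver:xmlresolver:5.2.0
     |         +--- org.apache.httpcomponents.client5:httpclient5:5.1.3 -> 5.2.1
     +--- org.apache.logging.log4j:log4j-core:2.21.1 -> 2.20.0
     +--- org.apache.bcel:bcel:6.6.1
     |    \--- org.apache.commons:commons-lang3:3.12.0
     +--- org.apache.commons:commons-lang3:3.13.0 -> 3.12.0
     +--- org.apache.commons:commons-text:1.11.0
     |    \--- org.apache.commons:commons-lang3:3.13.0 -> 3.12.0
     \--- org.apache.logging.log4j:log4j-core:{strictly [2.17.1, 3[} -> 2.20.0 (c)
"""

# Matches "<group>:<artifact>:<requested> -> <resolved>" after the tree-drawing prefix.
NODE = re.compile(r"[+\\]--- (?P<ga>[^:\s]+:[^:\s]+):(?P<req>\S+) -> (?P<res>\S+)")


def version_key(version):
    """Numeric sort key; qualifiers such as '-RC1' are ignored (a simplification)."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def find_downgrades(tree_text):
    """Return {group:artifact: (requested, resolved)} where resolved < requested."""
    downgrades = {}
    for line in tree_text.splitlines():
        m = NODE.search(line)
        if not m:
            continue  # no "->" on this line: the requested version was kept
        req, res = m.group("req"), m.group("res")
        if not req[0].isdigit():
            continue  # a version range or constraint, not a plain version
        if version_key(res) < version_key(req):
            downgrades[m.group("ga")] = (req, res)
    return downgrades


if __name__ == "__main__":
    for ga, (req, res) in sorted(find_downgrades(SAMPLE_TREE).items()):
        print(f"DOWNGRADE {ga}: requested {req}, resolved {res}")
```

Upgrades such as `httpclient5:5.1.3 -> 5.2.1` are ignored; only entries resolved below what a module asked for are reported, which is the condition that broke `commons-text:1.11.0` here.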

gtoison added a commit to gtoison/spotbugs that referenced this issue Nov 8, 2023
Upgrading to 1.11.0 caused a version conflict on commons-lang3 which is:
- a direct dependency
- a transitive dependency of commons-text
- a transitive dependency of BCEL

On a Spring/Gradle project the latter wins:

     +--- org.apache.bcel:bcel:6.6.1
     |    \--- org.apache.commons:commons-lang3:3.12.0

 Fixes spotbugs#2686
gtoison added a commit to gtoison/spotbugs that referenced this issue Nov 8, 2023
Upgrading to 1.11.0 caused a version conflict on commons-lang3 which is:
- a direct dependency
- a transitive dependency of commons-text
- a transitive dependency of BCEL

On a Spring/Gradle project the latter wins:

     +--- org.apache.bcel:bcel:6.6.1
     |    \--- org.apache.commons:commons-lang3:3.12.0

Revert to commons-text:1.10.0 which is compatible with
commons-lang3:3.12.0

Fixes spotbugs#2686
@hazendaz
Member

hazendaz commented Nov 8, 2023 via email

@gtoison
Contributor

gtoison commented Nov 8, 2023

I made a PR to revert right before seeing your message

@hazendaz
Member

hazendaz commented Nov 9, 2023

> I made a PR to revert right before seeing your message

No worries. I didn't get time to look at this one tonight so I'll try again tomorrow night. I sort of expect we do another release by sometime next week. I opened a discussion on that.

C-Otto added a commit to C-Otto/java-platform that referenced this issue Nov 9, 2023
@josephearl
Author

Any update on this? 🙏

hazendaz pushed a commit that referenced this issue Nov 27, 2023
@JuditKnoll
Collaborator

Since #2877 updates commons-text to 1.11.0, this issue resurfaces on the current master, even with having bcel updated to 6.8.2 and commons-lang3 to 3.14.0. There is already an issue about the problem at commons-text's Jira board: https://issues.apache.org/jira/projects/TEXT/issues/TEXT-233

gtoison added a commit to gtoison/spotbugs that referenced this issue Mar 7, 2024
hazendaz pushed a commit that referenced this issue Mar 8, 2024