Loading application.yml fails with NoSuchMethodError when using SnakeYAML 2.0 #34405

Closed
flashvayne opened this issue Feb 28, 2023 · 68 comments
Labels
type: bug A general bug

@flashvayne

When I upgrade snakeyaml from version 1.33 to 2.0, the Spring Boot application fails to run, as shown below.
I have tried Spring Boot 2.7.4 and 3.0.0; neither works.
I have also tried JDK 8, 11 and 17; none works.

  • snakeyaml dependency
<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>2.0</version>
</dependency>
  • Error log
11:28:31.187 [main] ERROR org.springframework.boot.SpringApplication - Application run failed
java.lang.NoSuchMethodError: org.yaml.snakeyaml.representer.Representer: method 'void <init>()' not found
    at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:76)
    at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:71)
    at org.springframework.beans.factory.config.YamlProcessor.process(YamlProcessor.java:164)
    at org.springframework.boot.env.OriginTrackedYamlLoader.load(OriginTrackedYamlLoader.java:84)
    at org.springframework.boot.env.YamlPropertySourceLoader.load(YamlPropertySourceLoader.java:50)
    at org.springframework.boot.context.config.StandardConfigDataLoader.load(StandardConfigDataLoader.java:54)
    at org.springframework.boot.context.config.StandardConfigDataLoader.load(StandardConfigDataLoader.java:36)
    at org.springframework.boot.context.config.ConfigDataLoaders.load(ConfigDataLoaders.java:107)
    at org.springframework.boot.context.config.ConfigDataImporter.load(ConfigDataImporter.java:128)
    at org.springframework.boot.context.config.ConfigDataImporter.resolveAndLoad(ConfigDataImporter.java:86)
    at org.springframework.boot.context.config.ConfigDataEnvironmentContributors.withProcessedImports(ConfigDataEnvironmentContributors.java:116)
    at org.springframework.boot.context.config.ConfigDataEnvironment.processInitial(ConfigDataEnvironment.java:240)
    at org.springframework.boot.context.config.ConfigDataEnvironment.processAndApply(ConfigDataEnvironment.java:227)
    at org.springframework.boot.context.config.ConfigDataEnvironmentPostProcessor.postProcessEnvironment(ConfigDataEnvironmentPostProcessor.java:102)
    at org.springframework.boot.context.config.ConfigDataEnvironmentPostProcessor.postProcessEnvironment(ConfigDataEnvironmentPostProcessor.java:94)
    at org.springframework.boot.env.EnvironmentPostProcessorApplicationListener.onApplicationEnvironmentPreparedEvent(EnvironmentPostProcessorApplicationListener.java:102)
    at org.springframework.boot.env.EnvironmentPostProcessorApplicationListener.onApplicationEvent(EnvironmentPostProcessorApplicationListener.java:87)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:176)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:169)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:143)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:131)
    at org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared(EventPublishingRunListener.java:85)
    at org.springframework.boot.SpringApplicationRunListeners.lambda$environmentPrepared$2(SpringApplicationRunListeners.java:66)
    at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
    at org.springframework.boot.SpringApplicationRunListeners.doWithListeners(SpringApplicationRunListeners.java:120)
    at org.springframework.boot.SpringApplicationRunListeners.doWithListeners(SpringApplicationRunListeners.java:114)
    at org.springframework.boot.SpringApplicationRunListeners.environmentPrepared(SpringApplicationRunListeners.java:65)
    at org.springframework.boot.SpringApplication.prepareEnvironment(SpringApplication.java:343)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:301)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1317)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1306)
    at cc.vayne.Application.main(Application.java:10)
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 28, 2023
@bclozel bclozel transferred this issue from spring-projects/spring-framework Feb 28, 2023
@wilkinsona
Member

As far as we know, the problem above should only occur with Spring Boot 2.7. While not officially supported, the failure above should not occur with SnakeYAML 2.0 and Spring Boot 3.0. Can you please provide a minimal sample that shows a failure with Spring Boot 3.0.3 and SnakeYAML 2.0?

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Feb 28, 2023
@DRoppelt

@wilkinsona would you consider supporting a backport of this change to the 2.7.X line? bf5bd4f#diff-07741e308f54bc7fc66aabb0a1594c1ff8a9785103fb8cdf4c930ad3b44ed2c6

I would submit a PR?

It appears to be both compatible with snakeyaml 1.30 and 2.0

I cannot chime in for reproducing this with spring boot 3.0, we also have this issue with some services that are stuck on 2.7.X (tested with 2.7.9), but would like to upgrade to snakeyaml 2.0 due to the safe defaults it is bringing (not related to spring, but just usage within the app).

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 28, 2023
@wilkinsona wilkinsona added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Feb 28, 2023
@flashvayne
Author

It seems I made a mistake while testing with SnakeYAML 2.0 and Spring Boot 3.0. It actually works with Spring Boot 3.0.
Also would you consider supporting SnakeYAML 2.0 in Spring Boot 2.7.X?

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 28, 2023
@wilkinsona
Member

@DRoppelt Yes, that's a change that we're considering: wilkinsona@6aa1ce7. It will require further testing and we'll also have to decide how much support we want to add for SnakeYAML 2.0 in maintenance releases.

@dvag-joerg-winter

@wilkinsona Hi!
"... While not officially supported, the failure above should not occur with SnakeYAML 2.0 and Spring Boot 3.0"

Since there is a security alert for snakeyaml (and we'd like to upgrade to snakeyaml 2.0 by including it in top-level dependencies to fix the alert), could you elaborate a bit on what Spring's recommendation is in this regard?

@wilkinsona
Member

wilkinsona commented Mar 1, 2023

I assume it's CVE-2022-1471 that's triggering the alert. It's very likely to be a false positive as Spring Boot itself is not vulnerable due to the way it uses SnakeYAML. Unless you're using SnakeYAML in an unsafe manner and passing untrusted input into it, your application is not vulnerable. There's some more background in #33457.

You have a few options right now:

  1. Exclude SnakeYAML from your application's build and configure it using application.properties files
  2. If you're using Spring Boot 3, you could upgrade to SnakeYAML 2.0 and see if it works for you
  3. Check your own code for usage of SnakeYAML that is unsafe and ensure that it does not process untrusted input before ignoring the alert

The situation with 2 may improve in time, depending on the outcome of the further testing that we want to do as well as possible changes in Spring Framework being tracked by spring-projects/spring-framework#30048.
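
Added example, not part of the original thread and not Spring Boot's own code: one way to apply option 3 when application code must parse YAML it does not control, using only the SnakeYAML constructors that take options objects, so it does not call the no-argument `Representer()` and `SafeConstructor()` constructors named in the `NoSuchMethodError` messages in this issue. The class name, method names, limit values and sample documents are assumptions constructed for illustration.

```java
import java.util.Map;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

// Hypothetical helper class; the name is not from Spring Boot or SnakeYAML.
public class SafeYamlExample {

    // Builds a Yaml instance with explicit options objects throughout.
    static Yaml newSafeYaml() {
        LoaderOptions loaderOptions = new LoaderOptions();
        loaderOptions.setAllowDuplicateKeys(false);      // reject ambiguous documents
        loaderOptions.setMaxAliasesForCollections(20);   // illustrative limit on alias expansion
        DumperOptions dumperOptions = new DumperOptions();
        // SafeConstructor only builds standard types (maps, lists, strings, numbers, ...),
        // so a tag that names an application or library class is refused.
        return new Yaml(new SafeConstructor(loaderOptions),
                new Representer(dumperOptions), dumperOptions, loaderOptions);
    }

    // Parses a document from an untrusted source and insists on a mapping at the root.
    static Map<?, ?> loadUntrusted(String document) {
        Object loaded = newSafeYaml().load(document);
        if (!(loaded instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the document root");
        }
        return (Map<?, ?>) loaded;
    }

    public static void main(String[] args) {
        // Constructed sample: plain configuration data.
        String plain = "server:\n  port: 8080\n";
        // Constructed sample: a type tag naming a hypothetical class.
        String tagged = "widget: !!com.example.Widget {name: demo}\n";

        System.out.println("accepted: " + loadUntrusted(plain));
        try {
            loadUntrusted(tagged);
            System.out.println("tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

When reviewing a code base for this, the call sites to look at are those that create a `Yaml` instance without a `SafeConstructor` and then load data that originates outside the application.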

@zhudaxi

zhudaxi commented Mar 1, 2023

@wilkinsona Thanks for providing the options. May I ask the estimated timeline for Spring Boot 2 to pick up SnakeYAML 2.0 ? Thanks.

@philwebb
Member

philwebb commented Mar 1, 2023

@zhudaxi We won't be upgrading to SnakeYAML 2.0 in Spring Boot 2.7.x (which is the last planned 2.x release) since it's a major version bump. We will try to make it possible for users to upgrade themselves, but we don't have an estimate for when that will happen.


julianladisch added a commit to folio-org/mod-consortia that referenced this issue Mar 3, 2023
Upgrade snakeyaml from 1.33 to 2.0 fixing Arbitrary Code Execution: https://nvd.nist.gov/vuln/detail/CVE-2022-1471

Spring Boot >= 3.0.3 is compatible with snakeyaml 2.x: spring-projects/spring-boot#34405
@wilkinsona wilkinsona added the for: team-meeting An issue we'd like to discuss as a team to make progress label Mar 6, 2023
@sourabhsparkala

Hello All,

From the above discussion, it is still unclear if SnakeYaml 2.0 is compatible with Spring Boot 3.0.x or not. Could someone clarify?

Thanks
Sourabh

@sportymsk

  • Exclude SnakeYAML from your application's build and configure it using application.properties files

@wilkinsona, can you elaborate on option 1 provided here a bit more?

@wilkinsona
Member

wilkinsona commented Mar 6, 2023

From the above discussion, it is still unclear if SnakeYaml 2.0 is compatible with Spring Boot 3.0.x or not. Could someone clarify?

@flashvayne has tried it and it worked for them:

It seems I made a mistake while testing with SnakeYAML 2.0 and Spring Boot 3.0. It actually works with Spring Boot 3.0.

You are encouraged to do the same experiment:

If you're using Spring Boot 3, you could upgrade to SnakeYAML 2.0 and see if it works for you

However, you should note that SnakeYAML 2.0 is not yet officially supported with any version of Spring Boot but this may change in the future, as already stated above:

The situation with […] may improve in time, depending on the outcome of the further testing that we want to do as well as possible changes in Spring Framework being tracked by spring-projects/spring-framework#30048.

We have not yet done all of that testing. This issue will be used to communicate its outcome.

@wilkinsona
Member

wilkinsona commented Mar 6, 2023

Exclude SnakeYAML from your application's build and configure it using application.properties files

@wilkinsona, can you elaborate on option 1 provided here a bit more?

@sportymsk, Spring Boot doesn't require Snake YAML. It's only used if you choose to configure your application using YAML files rather than properties files. It's a dependency of spring-boot-starter purely for convenience and if you don't use YAML configuration files it can be excluded using the appropriate configuration in your build.gradle or pom.xml file.

@asomov
Contributor

asomov commented Mar 7, 2023

@wilkinsona feel free to ping me if you need any help with SnakeYAML for Spring Boot 3
By the way, I fully support your proposals here. (this false positive CVE-2022-1471 drives me crazy - we have lost so much time for nothing)

@jliu1970

jliu1970 commented Mar 7, 2023

We recently also ran into Springboot 2.7.7 and 2.7.8 issue with snakeyaml 1.33:

java.lang.NoSuchMethodError: org.yaml.snakeyaml.representer.Representer: method 'void <init>()' not found
        at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:80) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:75) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.beans.factory.config.YamlProcessor.process(YamlProcessor.java:164) ~[spring-beans-5.3.24.jar!/:5.3.24]
        at org.springframework.boot.env.OriginTrackedYamlLoader.load(OriginTrackedYamlLoader.java:88) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.env.YamlPropertySourceLoader.load(YamlPropertySourceLoader.java:50) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at com.microsoft.azure.spring.autoconfigure.aad.YamlFileApplicationContextInitializer.yamlPropertySourceLoad(YamlFileApplicationContextInitializer.java:34) ~[azure-spring-boot-2.0.8.jar!/:?]
        at com.microsoft.azure.spring.autoconfigure.aad.YamlFileApplicationContextInitializer.initialize(YamlFileApplicationContextInitializer.java:48) ~[azure-spring-boot-2.0.8.jar!/:?]
        at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:604) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:373) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:306) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1303) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1292) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at com.msi.location.servicecentralsim.ServiceCentralSimApplication.main(ServiceCentralSimApplication.java:11) ~[classes!/:0.0.1-SNAPSHOT]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) ~[app.jar:0.0.1-SNAPSHOT]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:108) ~[app.jar:0.0.1-SNAPSHOT]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) ~[app.jar:0.0.1-SNAPSHOT]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65) ~[app.jar:0.0.1-SNAPSHOT]

@asomov
Contributor

asomov commented May 2, 2023

@sheetalj2205 feel free to report a bug in JFrog Xray. They create a false positive.

@wilkinsona
Member

Unfortunately, security scans cannot be taken at face value and they often report many false positives. For each vulnerability that a scan identifies, you will have to identify whether or not your application is actually affected. If it isn't, you may want to configure the scanner so that the false positive is ignored in the future. If your application is affected, you will then have to determine how to address the problem. That could be changing a configuration setting or updating a dependency for example.

@kpavan3697

kpavan3697 commented May 11, 2023

I am facing NoSuchMethod error after upgrading spring to 2.7.11 and snakeyaml to 2.0.

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dataServiceConfigurationManager': Invocation of init method failed; nested exception is java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'
Caused by: java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'

@wilkinsona
Member

@kpavan3697 That doesn't look to be related to loading application.yml which is the subject of this issue. Your problem appears to be the creation of a dataServiceConfigurationManager bean. It, or something upon which it depends, appears to be using SnakeYAML in a way that isn't compatible with 2.0. The complete stack trace of the NoSuchMethodError should identify the code that needs to be updated.

@kpavan3697

kpavan3697 commented May 11, 2023

@wilkinsona Please find the stack trace below for the error

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dataServiceConfigurationManager': Invocation of init method failed; nested exception is java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.(org.yaml.snakeyaml.reader.StreamReader)'
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:160) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:440) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1796) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:620) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:955) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:920) ~[spring-context-5.3.27.jar:5.3.27]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:583) ~[spring-context-5.3.27.jar:5.3.27]
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:399) ~[spring-web-5.3.27.jar:5.3.27]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:278) ~[spring-web-5.3.27.jar:5.3.27]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103) ~[spring-web-5.3.27.jar:5.3.27]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768) ~[catalina.jar:9.0.50]
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230) ~[catalina.jar:9.0.50]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[catalina.jar:9.0.50]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:728) ~[catalina.jar:9.0.50]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:700) ~[catalina.jar:9.0.50]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696) ~[catalina.jar:9.0.50]
at org.apache.catalina.startup.HostConfig.manageApp(HostConfig.java:1783) ~[catalina.jar:9.0.50]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:293) ~[tomcat-coyote.jar:9.0.50]
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:809) ~[?:?]
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801) ~[?:?]
at org.apache.catalina.mbeans.MBeanFactory.createStandardContext(MBeanFactory.java:460) ~[catalina.jar:9.0.50]
at org.apache.catalina.mbeans.MBeanFactory.createStandardContext(MBeanFactory.java:408) ~[catalina.jar:9.0.50]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:293) ~[tomcat-coyote.jar:9.0.50]
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:809) ~[?:?]
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801) ~[?:?]
at com.sun.jmx.remote.security.MBeanServerAccessController.invoke(MBeanServerAccessController.java:468) ~[?:?]
at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1466) ~[?:?]
at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1307) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1406) ~[?:?]
at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:827) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:359) ~[?:?]
at sun.rmi.transport.Transport$1.run(Transport.java:200) ~[?:?]
at sun.rmi.transport.Transport$1.run(Transport.java:197) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
at sun.rmi.transport.Transport.serviceCall(Transport.java:196) ~[?:?]
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:562) ~[?:?]
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:796) ~[?:?]
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:677) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:676) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.(org.yaml.snakeyaml.reader.StreamReader)'
at com.fasterxml.jackson.dataformat.yaml.YAMLParser.(YAMLParser.java:178) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]
at com.fasterxml.jackson.dataformat.yaml.YAMLFactory._createParser(YAMLFactory.java:466) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]
at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:368) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]
at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:15) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3666) ~[jackson-databind-2.13.5.jar:2.13.5]
at com.xyz.dataplatform.configuration.DataServiceConfigurationManager.loadConfigurationFiles(DataServiceConfigurationManager.java:155) ~[data-service-retrieval-2.23.jar:2.23]
at com.xyz.dataplatform.configuration.DataServiceConfigurationManager.init(DataServiceConfigurationManager.java:117) ~[data-service-retrieval-2.23.jar:2.23]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:389) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:333) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:157) ~[spring-beans-5.3.27.jar:5.3.27]
... 60 more

@scottfrederick
Contributor

@kpavan3697 The error says Error creating bean with name 'dataServiceConfigurationManager'. This dataServiceConfigurationManager bean is not part of Spring Boot so there's nothing we can do to help you. If this bean is in your application, then you will need to change your code in a way that is compatible with SnakeYaml 2.0. If this bean is in a library you are using in your application, you will need to contact the vendor of that library.

@DRoppelt

DRoppelt commented May 11, 2023

Caused by: java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.(org.yaml.snakeyaml.reader.StreamReader)'
at com.fasterxml.jackson.dataformat.yaml.YAMLParser.(YAMLParser.java:178) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]

there you go, jackson-dataformat-yaml, which you could try to change to a more recent version via jackson-bom.version property. 3.0.6 is on 2.14.2 as a reference.

From what it looks like, their repo is here https://github.com/FasterXML/jackson-dataformats-text
I dug into the history and it appears that they have fixed it with 2.14 https://github.com/FasterXML/jackson-dataformats-text/pull/371/files

Maybe they would accept a backport to 2.13, from my understanding that should be compatible in their 2.13 line

e: judging by the context within the PR, if you can adjust the caller to inject a non-null loaderOptions, the deprecated method should also not be called, therefore preventing NoSuchMethodError

@timmussack

Upgrading Jackson to v 2.15.0 seems to fix this error when using SB 2.7.11 and snakeYAML 2.0.

llinder added a commit to openzipkin/zipkin that referenced this issue May 30, 2023
…and Spring Boot 2.7.10 (#3538)

* Update pom.xml

Bump snakeyaml to 2.0 to resolve CVE-2022-1471

* Resolve CVE-2022-1471: Bump Jackson and Spring Boot in pom.xml

Ref: 
- spring-projects/spring-boot#34405 (comment)
- https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.7/html/migrating_applications_to_spring_boot_2.7/migrating-spring-boot-2-5-applications-to-the-spring-boot-version-spring-boot_spring-boot

* Update pom.xml to Spring Boot 2.7.10

Reference: http:/spring-projects/spring-boot/issues/34405

2.7.10 supports SnakeYAML 2.0

* Fix prometheus integration check

Prometheus integration check was matching on prometheus in the
application name. Since the test included prometheus in the package
it was failing. This change matches on the URI prefix instead of
just the name.

---------

Co-authored-by: Lance Linder <[email protected]>
nidhi-nair added a commit to appsmithorg/appsmith that referenced this issue Jun 8, 2023
## Description
Upgrades SnakeYaml dependency version forcefully to 2.0 to overcome
[this
issue](spring-projects/spring-boot#33457), as
advised
[here](spring-projects/spring-boot#34405 (comment)).

This version tag can be reverted when we upgrade to Spring 6.1, which is
when the library
[aims](spring-projects/spring-framework#30048 (comment))
to upgrade the version themselves.

Fixes appsmithorg/appsmith-ee#1233

#### Type of change
- Chore (housekeeping or task changes that don't impact user perception)

## Testing
This PR will be tested during regression.

---------

Co-authored-by: Arpit Mohan <[email protected]>
Co-authored-by: Shrikant Sharat Kandula <[email protected]>
@orchestr7

orchestr7 commented Jun 27, 2023

@wilkinsona sorry for bothering again with this infinite issue, but I also have the same problem with the following dependencies. Maybe you have seen it already and know the reason? 🙏

+--- org.springframework.boot:spring-boot-dependencies:2.7.12
+--- org.yaml:snakeyaml:2.0
+--- com.fasterxml.jackson.core:jackson-core:2.13.5 -> 2.14.2 (c) (this version comes with SB 2.7.*)

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [io.kubernetes.client.openapi.ApiClient]: Factory method 'defaultApiClient' threw exception; nested exception is java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.SafeConstructor: method 'void <init>()' not found

Do you have any ideas on the reason? Maybe you have faced it already? 🙏

Very small spring boot service: https://github.com/saveourtool/save-cloud/tree/master/api-gateway :

./gradlew apiGateway:bootRun

problem comes from spring-cloud which uses old io.kubernetes:client-java, that is in conflict with latest snakeyaml:

+--- org.springframework.cloud:spring-cloud-starter-kubernetes-client-config:2.1.7
|    +--- org.springframework.cloud:spring-cloud-kubernetes-commons:2.1.7
|    |    +--- org.springframework.boot:spring-boot-autoconfigure:2.6.14 -> 2.7.12 (*)
|    |    +--- org.springframework.cloud:spring-cloud-commons:3.1.6 (*)
|    |    +--- org.springframework.cloud:spring-cloud-context:3.1.6 (*)
|    |    \--- javax.annotation:javax.annotation-api:1.3.2
|    +--- org.springframework.cloud:spring-cloud-kubernetes-client-autoconfig:2.1.7
|    |    +--- org.springframework.cloud:spring-cloud-kubernetes-commons:2.1.7 (*)
**|    |    +--- io.kubernetes:client-java:13.0.2**

@wilkinsona
Member

It looks like io.kubernetes.client.openapi.ApiClient or something that it references isn't compatible with SnakeYAML 2.0. The complete stack trace will show you exactly where the incompatibility lies.

If you have any further questions, please follow up on Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.

@markus-winkler

downgrade your jackson implementation for parsing YAML and this should solve this issue. I had the same one.

