Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NullPointerException when Maven-style exclusions are enabled and a dependency has a pom which Maven's Model Builder considers to be invalid #365

Closed
bratkartoffel opened this issue Jul 17, 2023 · 3 comments
Closed

NullPointerException when Maven-style exclusions are enabled and a dependency has a pom which Maven's Model Builder considers to be invalid #365

bratkartoffel opened this issue Jul 17, 2023 · 3 comments
Labels
type: bug
Milestone
1.1.3

Comments

@bratkartoffel
Copy link

Hi,

after upgrading the plugin to the latest released version, 1.1.0 to 1.1.1, the build fails due to a NPE:
Buildscan available at: https://scans.gradle.com/s/6ygpyymluwloq

Caused by: java.lang.NullPointerException: Cannot invoke "io.spring.gradle.dependencymanagement.org.apache.maven.model.Model.getGroupId()" because "effectiveModel" is null
at io.spring.gradle.dependencymanagement.internal.maven.MavenPomResolver.createPoms(MavenPomResolver.java:136)	
at io.spring.gradle.dependencymanagement.internal.maven.MavenPomResolver.createPoms(MavenPomResolver.java:129)	
at io.spring.gradle.dependencymanagement.internal.maven.MavenPomResolver.resolvePomsLeniently(MavenPomResolver.java:79)	
at io.spring.gradle.dependencymanagement.internal.ExclusionResolver.resolveExclusions(ExclusionResolver.java:75)	
at io.spring.gradle.dependencymanagement.internal.ExclusionConfiguringAction.findExcludedDependencies(ExclusionConfiguringAction.java:121)	
at io.spring.gradle.dependencymanagement.internal.ExclusionConfiguringAction.applyMavenExclusions(ExclusionConfiguringAction.java:92)	
at io.spring.gradle.dependencymanagement.internal.ExclusionConfiguringAction.execute(ExclusionConfiguringAction.java:87)	
at io.spring.gradle.dependencymanagement.internal.ExclusionConfiguringAction.execute(ExclusionConfiguringAction.java:56)	
at org.gradle.configuration.internal.DefaultUserCodeApplicationContext$CurrentApplication$1.execute(DefaultUserCodeApplicationContext.java:123)	
at org.gradle.internal.event.BroadcastDispatch$ActionvocationHandler.dispatch(BroadcastDispatch.java:97)	
at org.gradle.internal.event.BroadcastDispatch$ActionvocationHandler.dispatch(BroadcastDispatch.java:85)	
at org.gradle.internal.event.AbstractBroadcastDispatch.dispatch(AbstractBroadcastDispatch.java:43)	
at org.gradle.internal.event.BroadcastDispatch$SingletonDispatch.dispatch(BroadcastDispatch.java:257)	
at org.gradle.internal.event.BroadcastDispatch$SingletonDispatch.dispatch(BroadcastDispatch.java:164)	
at org.gradle.internal.event.AbstractBroadcastDispatch.dispatch(AbstractBroadcastDispatch.java:83)	
at org.gradle.internal.event.AbstractBroadcastDispatch.dispatch(AbstractBroadcastDispatch.java:69)	
at org.gradle.internal.event.BroadcastDispatch$CompositeDispatch.dispatch(BroadcastDispatch.java:363)	
at org.gradle.internal.event.BroadcastDispatch$CompositeDispatch.dispatch(BroadcastDispatch.java:261)	
at org.gradle.internal.event.ListenerBroadcast.dispatch(ListenerBroadcast.java:148)	
at org.gradle.internal.event.ListenerBroadcast.dispatch(ListenerBroadcast.java:37)	
at org.gradle.internal.dispatch.ProxyDispatchAdapter$DispatchingevocationHandler.invoke(ProxyDispatchAdapter.java:94)	
[...]

The repository with the sources is private, but I can give a maintainer access to it for analyzing.

Thanks,
bk
@wilkinsona
Copy link
Contributor

wilkinsona commented Jul 17, 2023
edited
Loading

Thanks for the report. Looking at the build scan, I can see that the plugin's support for Maven-style exclusions encounters a problem when processing the pom for eu.fraho.spring:security-jwt-base-spring-boot-starter:5.0.5. It can be reproduced with the following build script:

plugins {
	id "java"
	id "io.spring.dependency-management" version "1.1.2"
}

repositories {
	mavenCentral()
}

dependencies {
	implementation("eu.fraho.spring:security-jwt-base-spring-boot-starter:5.0.5")
}

Running with --debug shows the problem:

[FATAL] 'dependencies.dependency[eu.fraho.spring:security-jwt-base-spring-boot-starter:5.0.5]' for eu.fraho.spring:security-jwt-base-spring-boot-starter:5.0.5 is referencing itself. @ 

        at io.spring.gradle.dependencymanagement.org.apache.maven.model.building.DefaultModelProblemCollector.newModelBuildingException(DefaultModelProblemCollector.java:197)
        at io.spring.gradle.dependencymanagement.org.apache.maven.model.building.DefaultModelBuilder.readModel(DefaultModelBuilder.java:697)
        at io.spring.gradle.dependencymanagement.org.apache.maven.model.building.DefaultModelBuilder.build(DefaultModelBuilder.java:303)
        at io.spring.gradle.dependencymanagement.org.apache.maven.model.building.DefaultModelBuilder.build(DefaultModelBuilder.java:267)
        at io.spring.gradle.dependencymanagement.internal.maven.EffectiveModelBuilder.buildModel(EffectiveModelBuilder.java:72)
        at io.spring.gradle.dependencymanagement.internal.maven.EffectiveModelBuilder.buildModels(EffectiveModelBuilder.java:60)
        at io.spring.gradle.dependencymanagement.internal.maven.MavenPomResolver.createPoms(MavenPomResolver.java:133)
        at io.spring.gradle.dependencymanagement.internal.maven.MavenPomResolver.createPoms(MavenPomResolver.java:129)
        at io.spring.gradle.dependencymanagement.internal.maven.MavenPomResolver.resolvePomsLeniently(MavenPomResolver.java:79)
        at io.spring.gradle.dependencymanagement.internal.ExclusionResolver.resolveExclusions(ExclusionResolver.java:75)
        at io.spring.gradle.dependencymanagement.internal.ExclusionConfiguringAction.findExcludedDependencies(ExclusionConfiguringAction.java:123)
        at io.spring.gradle.dependencymanagement.internal.ExclusionConfiguringAction.applyMavenExclusions(ExclusionConfiguringAction.java:92)
        at io.spring.gradle.dependencymanagement.internal.ExclusionConfiguringAction.execute(ExclusionConfiguringAction.java:87)
        at io.spring.gradle.dependencymanagement.internal.ExclusionConfiguringAction.execute(ExclusionConfiguringAction.java:56)
        …

There's a similar problem with eu.fraho.spring:security-jwt-base:5.0.5 as its pom also references itself.

I suspect that this is now causing a failure due to an upgrade of the version of Maven's model builder that the dependency management plugin embeds. This upgrade was done to fix #350 and picked up the changes for MNG-6123.

Please report the invalid poms to the maintainers of eu.fraho.spring:security-jwt-base and eu.fraho.spring:security-jwt-base-spring-boot-starter.

You can work around the failure that the invalid pom is now causing in the dependency management plugin by disabling Maven-style exclusions:

dependencyManagement {
	applyMavenExclusions = false
}

I'll take a look at tolerating self-referential poms that Maven's model builder considers to be invalid.

@wilkinsona wilkinsona changed the title Cannot invoke "io.spring.gradle.dependencymanagement.org.apache.maven.model.Model.getGroupId()" because "effectiveModel" is null NullPointerException when Maven-style exclusions are enabled and a dependency has a self-referential pom which Maven's Resolver considers to be invalid Jul 17, 2023
@bratkartoffel
Copy link
Author

bratkartoffel commented Jul 17, 2023
edited
Loading

Thank you very much for analyizing this. I'm the maintainer of the mentioned artifact and I have no idea how / when the pom became invalid and why I didn't notice it earlier.

// edit: ok, it broke with 4.3.0 (bratkartoffel/security-jwt@4.2.0...4.3.0). After digging in and analyzing the pom it seems, that the 'java-test-fixtures' plugin is causing the problem. As soon as I enable that plugin, the pom-file contains a self-reference.

// edit-2: seems like I'm not the only one with that issue: https://stackoverflow.com/q/69877418

// edit-3: I've found a workaround to remove the self referential dependencies when using the testFixtures: bratkartoffel/security-jwt@48a7e84

@jamesdh
Copy link

jamesdh commented Jul 17, 2023
edited
Loading

We're also experiencing issues w/ the update from 1.1.1/1.1.2 (1.1.0 works fine). Initially it gives the same error @bratkartoffel got above, e.g.

Cannot invoke "io.spring.gradle.dependencymanagement.org.apache.maven.model.Model.getGroupId()" because "effectiveModel" is null

But with --debug, we get the following:

io.spring.gradle.dependencymanagement.org.apache.maven.model.building.ModelBuildingException: 1 problem was encountered while building the effective model for org.eclipse.platform:org.eclipse.core.contenttype:3.8.200
[FATAL] 'modelVersion' of '4.0' is newer than the versions supported by this version of Maven: [4.0.0]. Building this project requires a newer version of Maven. @

        at io.spring.gradle.dependencymanagement.org.apache.maven.model.building.DefaultModelProblemCollector.newModelBuildingException(DefaultModelProblemCollector.java:197)

EDIT: Related to eclipse-platform/eclipse.platform#180

@wilkinsona wilkinsona changed the title NullPointerException when Maven-style exclusions are enabled and a dependency has a self-referential pom which Maven's Resolver considers to be invalid NullPointerException when Maven-style exclusions are enabled and a dependency has a self-referential pom which Maven's Model Builder considers to be invalid Jul 17, 2023
@jamesdh jamesdh mentioned this issue Jul 17, 2023
Open
@wilkinsona wilkinsona changed the title NullPointerException when Maven-style exclusions are enabled and a dependency has a self-referential pom which Maven's Model Builder considers to be invalid NullPointerException when Maven-style exclusions are enabled and a dependency has a pom which Maven's Model Builder considers to be invalid Jul 17, 2023
@Lucas3oo Lucas3oo mentioned this issue Jul 19, 2023
Closed
candrews added a commit to candrews/jumpstart that referenced this issue Jul 27, 2023
@candrews
Disable maven exclusions for Spring Dependency Management Plugin
6a0cba1 
Starting with Spring Dependency Management Plugin version 1.1.0, invalid
POMs cause the plugin to fail. Unfortunately, Sonar has dependencies
that have invalid POMs, and it doesn't appear that Sonar is going to
change to use dependencies with valid POMs any time soon.

Therefore, in order to continuing using the name.remal.sonarlint plugin,
there are only two options:
1. Downgrade Sonar to a version that has dependencies all with valid
  POMs. That could be done by adding a dependency on:
  `sonarlintCorePlugins("org.sonarsource.java:sonar-java-plugin:7.18.0.31443")`
  However, it's not ideal to be stuck on an old version for an
  indeterminate amount of time.
2. Disable Spring Dependency Management Plugin's new maven exclusion
   semantics. There doesn't appear to be a downside for this project in
   doing so.

See: spring-gradle-plugins/dependency-management-plugin#365
See: https://community.sonarsource.com/t/sonar-java-plugin-has-dependencies-with-invalid-poms/96334/6
candrews added a commit to candrews/jumpstart that referenced this issue Jul 27, 2023
@candrews
Disable maven exclusion semantics in Spring Dependency Management Plugin
332845c 
Starting with Spring Dependency Management Plugin version 1.1.0, invalid
POMs cause the plugin to fail. Unfortunately, Sonar has dependencies
that have invalid POMs, and it doesn't appear that Sonar is going to
change to use dependencies with valid POMs any time soon.

Therefore, in order to continuing using the name.remal.sonarlint plugin,
there are only two options:
1. Downgrade Sonar to a version that has dependencies all with valid
  POMs. That could be done by adding a dependency on:
  `sonarlintCorePlugins("org.sonarsource.java:sonar-java-plugin:7.18.0.31443")`
  However, it's not ideal to be stuck on an old version for an
  indeterminate amount of time.
2. Disable Spring Dependency Management Plugin's new maven exclusion
   semantics. There doesn't appear to be a downside for this project in
   doing so.

See: spring-gradle-plugins/dependency-management-plugin#365
See: https://community.sonarsource.com/t/sonar-java-plugin-has-dependencies-with-invalid-poms/96334/6
@candrews candrews mentioned this issue Jul 27, 2023
Merged
candrews added a commit to candrews/jumpstart that referenced this issue Jul 27, 2023
@candrews
Disable maven exclusion semantics in Spring Dependency Management Plugin
6f1e832 
Starting with Spring Dependency Management Plugin version 1.1.0, invalid
POMs cause the plugin to fail. Unfortunately, Sonar has dependencies
that have invalid POMs, and it doesn't appear that Sonar is going to
change to use dependencies with valid POMs any time soon.

Therefore, in order to continuing using the name.remal.sonarlint plugin,
there are only two options:
1. Downgrade Sonar to a version that has dependencies all with valid
  POMs. That could be done by adding a dependency on:
  `sonarlintCorePlugins("org.sonarsource.java:sonar-java-plugin:7.18.0.31443")`
  However, it's not ideal to be stuck on an old version for an
  indeterminate amount of time.
2. Disable Spring Dependency Management Plugin's new maven exclusion
   semantics. There doesn't appear to be a downside for this project in
   doing so.

See: spring-gradle-plugins/dependency-management-plugin#365
See: https://community.sonarsource.com/t/sonar-java-plugin-has-dependencies-with-invalid-poms/96334/6
candrews added a commit to candrews/jumpstart that referenced this issue Jul 27, 2023
@candrews
Disable maven exclusion semantics in Spring Dependency Management Plugin
4ab1069 
Starting with Spring Dependency Management Plugin version 1.1.0, invalid
POMs cause the plugin to fail. Unfortunately, Sonar has dependencies
that have invalid POMs, and it doesn't appear that Sonar is going to
change to use dependencies with valid POMs any time soon.

Therefore, in order to continuing using the name.remal.sonarlint plugin,
there are only two options:
1. Downgrade Sonar to a version that has dependencies all with valid
  POMs. That could be done by adding a dependency on:
  `sonarlintCorePlugins("org.sonarsource.java:sonar-java-plugin:7.18.0.31443")`
  However, it's not ideal to be stuck on an old version for an
  indeterminate amount of time.
2. Disable Spring Dependency Management Plugin's new maven exclusion
   semantics. There doesn't appear to be a downside for this project in
   doing so.

See: spring-gradle-plugins/dependency-management-plugin#365
See: https://community.sonarsource.com/t/sonar-java-plugin-has-dependencies-with-invalid-poms/96334/6
candrews added a commit to candrews/jumpstart that referenced this issue Jul 27, 2023
@candrews
Disable maven exclusion semantics in Spring Dependency Management Plugin
4e21cef 
Starting with Spring Dependency Management Plugin version 1.1.0, invalid
POMs cause the plugin to fail. Unfortunately, Sonar has dependencies
that have invalid POMs, and it doesn't appear that Sonar is going to
change to use dependencies with valid POMs any time soon.

Therefore, in order to continuing using the name.remal.sonarlint plugin,
there are only two options:
1. Downgrade Sonar to a version that has dependencies all with valid
  POMs. That could be done by adding a dependency on:
  `sonarlintCorePlugins("org.sonarsource.java:sonar-java-plugin:7.18.0.31443")`
  However, it's not ideal to be stuck on an old version for an
  indeterminate amount of time.
2. Disable Spring Dependency Management Plugin's new maven exclusion
   semantics. There doesn't appear to be a downside for this project in
   doing so.

See: spring-gradle-plugins/dependency-management-plugin#365
See: https://community.sonarsource.com/t/sonar-java-plugin-has-dependencies-with-invalid-poms/96334/6
@jochenberger jochenberger mentioned this issue Jul 31, 2023
Open
candrews added a commit to candrews/jumpstart that referenced this issue Aug 8, 2023
@candrews
Remove spring dependency management workaround
1f78142 
Remove workaround as the name.remal.sonarlint plugin now works around the issue

See: spring-gradle-plugins/dependency-management-plugin#365
@candrews candrews mentioned this issue Aug 8, 2023
Merged
@wilkinsona wilkinsona added this to the 1.1.3 milestone Aug 10, 2023
candrews added a commit to candrews/jumpstart that referenced this issue Aug 21, 2023
@candrews
Remove spring dependency management workaround
7e389a1 
io.spring.dependency-management:1.1.3 fixes this issue.

See: spring-gradle-plugins/dependency-management-plugin#365
candrews added a commit to candrews/jumpstart that referenced this issue Aug 21, 2023
@candrews
Remove spring dependency management workaround
3336548 
io.spring.dependency-management:1.1.3 fixes this issue.

See: spring-gradle-plugins/dependency-management-plugin#365
candrews added a commit to candrews/jumpstart that referenced this issue Aug 21, 2023
@candrews
Remove spring dependency management workaround
d744021 
io.spring.dependency-management:1.1.3 fixes this issue.

See: spring-gradle-plugins/dependency-management-plugin#365
candrews added a commit to candrews/jumpstart that referenced this issue Aug 21, 2023
@candrews
Remove spring dependency management workaround
e1d2f77 
io.spring.dependency-management:1.1.3 fixes this issue.

See: spring-gradle-plugins/dependency-management-plugin#365
@Nashatyrev Nashatyrev mentioned this issue Aug 23, 2023
Closed
Devhunter416 pushed a commit to Devhunter416/jumpstart that referenced this issue Mar 6, 2024
@albertkingLT
Disable maven exclusion semantics in Spring Dependency Management Plugin
4a113d8 
Starting with Spring Dependency Management Plugin version 1.1.0, invalid
POMs cause the plugin to fail. Unfortunately, Sonar has dependencies
that have invalid POMs, and it doesn't appear that Sonar is going to
change to use dependencies with valid POMs any time soon.

Therefore, in order to continuing using the name.remal.sonarlint plugin,
there are only two options:
1. Downgrade Sonar to a version that has dependencies all with valid
  POMs. That could be done by adding a dependency on:
  `sonarlintCorePlugins("org.sonarsource.java:sonar-java-plugin:7.18.0.31443")`
  However, it's not ideal to be stuck on an old version for an
  indeterminate amount of time.
2. Disable Spring Dependency Management Plugin's new maven exclusion
   semantics. There doesn't appear to be a downside for this project in
   doing so.

See: spring-gradle-plugins/dependency-management-plugin#365
See: https://community.sonarsource.com/t/sonar-java-plugin-has-dependencies-with-invalid-poms/96334/6
Devhunter416 pushed a commit to Devhunter416/jumpstart that referenced this issue Mar 6, 2024
@albertkingLT
Remove spring dependency management workaround
1a2796c 
io.spring.dependency-management:1.1.3 fixes this issue.

See: spring-gradle-plugins/dependency-management-plugin#365
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: bug
Projects
None yet
Milestone
1.1.3
Development

No branches or pull requests
4 participants
@wilkinsona @jamesdh @bratkartoffel @spring-projects-issues