
Dependency Conflict: duplicate classes "org.objectweb.asm.Type.getObjectType" in different JARs, have different implementations #14

Open
HelloCoCooo opened this issue Feb 14, 2020 · 2 comments

Comments

@HelloCoCooo

Hi, in burp-vulners-scanner-1.2, duplicate classes with the same fully-qualified name org.objectweb.asm.Type.getObjectType are included in two different libraries, i.e., org.ow2.asm:asm:5.0.3 and asm:asm:3.0.

According to the "first declaration wins" class loading strategy, only the class in asm:asm:3.0 can be loaded, and the one in org.ow2.asm:asm:5.0.3 will be shadowed.

By further analysis, your project expects to invoke method org.objectweb.asm.Type.getObjectType in org.ow2.asm:asm:5.0.3. As it has been shadowed, the method defined in asm:asm:3.0 is actually forced to be referenced via the following invocation path:

<burp.VulnersService: checkSoftware(Ljava/lang/String;Lburp/models/Software;Lburp/IHttpRequestResponse;Ljava/util/List;)V> /root/sensor/unzip/burp-vulners-scanner-1.2/target/classes
<com.googlecode.concurrentlinkedhashmap.ConcurrentHashMapV8: get(Ljava/lang/Object;)Ljava/lang/Object;> /root/.m2/repository/com/googlecode/concurrentlinkedhashmap/concurrentlinkedhashmap-lru/1.4.2/concurrentlinkedhashmap-lru-1.4.2.jar
<org.apache.commons.lang3.time.DurationFormatUtils$Token: equals(Ljava/lang/Object;)Z> /root/.m2/repository/org/apache/commons/commons-lang3/3.1/commons-lang3-3.1.jar
<org.objectweb.asm.tree.analysis.BasicValue: toString()Ljava/lang/String;> /root/.m2/repository/org/ow2/asm/asm-analysis/5.0.3/asm-analysis-5.0.3.jar
<org.objectweb.asm.tree.analysis.BasicValue: <clinit>()V> /root/.m2/repository/org/ow2/asm/asm-analysis/5.0.3/asm-analysis-5.0.3.jar
<org.objectweb.asm.Type: getObjectType(Ljava/lang/String;)Lorg/objectweb/asm/Type;>

Workaround solution:
An easy way to work around the problem is reversing the declaration order of these two libraries (i.e., reverse the declaration order of httpclient and maven-resolver-transport-http) in the pom file.
Then, according to the "first declaration wins" class loading strategy, class org.objectweb.asm.Type.getObjectType in org.ow2.asm:asm:5.0.3 can be loaded (the version that burp-vulners-scanner-1.2 expects to reference by static analysis).
This fix will not affect other libraries or classes, except the above duplicate class.

Dependency tree:

[INFO] burp-vulners-scanner:burp-vulners-scanner:jar:1.2
[INFO] +- com.codemagi:burp-suite-utils:jar:LATEST:compile
[INFO] | - net.portswigger.burp.extender:burp-extender-api:jar:LATEST:compile
[INFO] +- com.intellij:forms_rt:jar:7.0.3:compile
[INFO] | +- asm:asm-commons:jar:3.0:compile
[INFO] | | - asm:asm-tree:jar:3.0:compile
[INFO] | | - asm:asm:jar:3.0:compile
[INFO] | +- com.jgoodies:forms:jar:1.1-preview:compile
[INFO] | - jdom:jdom:jar:1.0:compile
[INFO] +- org.jtwig:jtwig-core:jar:5.85.3.RELEASE:compile
[INFO] | +- org.jtwig:jtwig-reflection:jar:5.85.3.RELEASE:compile
[INFO] | | +- (com.google.guava:guava:jar:18.0:compile - omitted for duplicate)
[INFO] | | +- (org.apache.commons:commons-lang3:jar:3.1:compile - omitted for duplicate)
[INFO] | | - (org.slf4j:slf4j-api:jar:1.7.12:compile - omitted for duplicate)
[INFO] | +- com.google.guava:guava:jar:18.0:compile
[INFO] | +- org.apache.commons:commons-lang3:jar:3.1:compile
[INFO] | +- org.parboiled:parboiled-java:jar:1.1.7:compile
[INFO] | | +- org.parboiled:parboiled-core:jar:1.1.7:compile
[INFO] | | +- org.ow2.asm:asm:jar:5.0.3:compile
[INFO] | | +- org.ow2.asm:asm-tree:jar:5.0.3:compile
[INFO] | | | - (org.ow2.asm:asm:jar:5.0.3:compile - omitted for duplicate)
[INFO] | | +- org.ow2.asm:asm-analysis:jar:5.0.3:compile
[INFO] | | | - (org.ow2.asm:asm-tree:jar:5.0.3:compile - omitted for duplicate)
[INFO] | | - org.ow2.asm:asm-util:jar:5.0.3:compile
[INFO] | | - (org.ow2.asm:asm-tree:jar:5.0.3:compile - omitted for duplicate)
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] | - com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:jar:1.4.2:compile
[INFO] - org.json:json:jar:20160810:compile

Thank you very much.
Best,
Coco
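A check for this class of conflict, added here as an example and not part of the issue or of burp-vulners-scanner: it parses `mvn dependency:tree` output (the excerpt below is constructed from the tree quoted above) and flags artifactIds that resolve under more than one groupId, which Maven's version mediation never reconciles.

```python
import re
from collections import defaultdict

# Constructed excerpt of the `mvn dependency:tree` output quoted in the issue.
SAMPLE_TREE = """\
[INFO] burp-vulners-scanner:burp-vulners-scanner:jar:1.2
[INFO] +- com.intellij:forms_rt:jar:7.0.3:compile
[INFO] | +- asm:asm-commons:jar:3.0:compile
[INFO] | | - asm:asm-tree:jar:3.0:compile
[INFO] | | - asm:asm:jar:3.0:compile
[INFO] +- org.jtwig:jtwig-core:jar:5.85.3.RELEASE:compile
[INFO] | +- org.parboiled:parboiled-java:jar:1.1.7:compile
[INFO] | | +- org.ow2.asm:asm:jar:5.0.3:compile
[INFO] | | +- org.ow2.asm:asm-tree:jar:5.0.3:compile
[INFO] | | | - (org.ow2.asm:asm:jar:5.0.3:compile - omitted for duplicate)
[INFO] - org.json:json:jar:20160810:compile
"""

# groupId:artifactId:packaging[:classifier]:version:scope
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w\-]+)(?::[\w.\-]+)?:([\w.\-]+):(\w+)")


def parse_tree(text):
    """Yield (groupId, artifactId, version) for every node Maven actually resolved."""
    for line in text.splitlines():
        if "omitted for" in line:  # Maven already dropped this node
            continue
        m = COORD_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(4)


def find_shadow_candidates(text):
    """Return {artifactId: {groupId: version}} for artifactIds resolved under more
    than one groupId. Maven mediates versions only within one groupId:artifactId,
    so relocated artifacts (asm:asm vs org.ow2.asm:asm) both land on the
    classpath and whichever JAR comes first silently wins."""
    by_artifact = defaultdict(dict)
    for group, artifact, version in parse_tree(text):
        by_artifact[artifact][group] = version
    return {a: g for a, g in by_artifact.items() if len(g) > 1}


if __name__ == "__main__":
    for artifact, groups in find_shadow_candidates(SAMPLE_TREE).items():
        print(f"{artifact}: {groups}")
```

Run it against `mvn dependency:tree` output of the real build; any artifactId it reports should be checked with `mvn dependency:tree -Dverbose` and resolved with an exclusion rather than by relying on classpath order.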

@HelloCoCooo

Code snippet of org.objectweb.asm.Type.getObjectType in org.ow2.asm:asm:5.0.3 (shadowed but expected to invoke method):

public static Type getObjectType(final String internalName) {
  // buf holds the internal name as-is; a leading '[' marks an array type
  char[] buf = internalName.toCharArray();
  return new Type(buf[0] == '[' ? ARRAY : OBJECT, buf, 0, buf.length);
}

Code snippet of org.objectweb.asm.Type.getObjectType in asm:asm:3.0 (loaded version):

public static Type getObjectType(String name) {
  // buf holds a full object descriptor 'L' + name + ';'; the sort is always OBJECT
  int l = name.length();
  char[] buf = new char[l + 2];
  buf[0] = 'L';
  buf[l + 1] = ';';
  name.getChars(0, l, buf, 1);
  return new Type(OBJECT, buf, 0, l + 2);
}

As a result, this conflicting method in org.ow2.asm:asm:5.0.3 deals with different cases, which changes the control flow and data flow. So being forced to use the method in asm:asm:3.0 may lead to inconsistent semantic behaviors.
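A Python model of the two bodies above, added here as an example (not ASM's or the project's code) to show where their results actually differ: the inputs are internal names constructed for illustration, and the descriptor rendering is an assumption modelled on each version's Type.getDescriptor().

```python
OBJECT, ARRAY = "OBJECT", "ARRAY"


def get_object_type_asm5(internal_name):
    """asm 5.0.3: the buffer is the internal name itself; a leading '[' makes it ARRAY."""
    sort = ARRAY if internal_name.startswith("[") else OBJECT
    return sort, internal_name


def get_object_type_asm3(name):
    """asm 3.0: the buffer is always the object descriptor 'L' + name + ';' of sort OBJECT."""
    return OBJECT, "L" + name + ";"


def descriptor(asm_major, sort, buf):
    """Descriptor each version renders from its buffer (assumption: follows the
    respective Type.getDescriptor(): asm 3 returns the buffer verbatim, asm 5
    wraps OBJECT buffers in L...; and returns ARRAY buffers verbatim)."""
    if asm_major == 3:
        return buf
    return buf if sort == ARRAY else "L" + buf + ";"


def compare(name):
    """Return {'asm5': (sort, descriptor), 'asm3': (sort, descriptor)} for one input."""
    s5, b5 = get_object_type_asm5(name)
    s3, b3 = get_object_type_asm3(name)
    return {"asm5": (s5, descriptor(5, s5, b5)), "asm3": (s3, descriptor(3, s3, b3))}


def diverges(name):
    """True when the shadowing 3.0 body yields a different Type than the expected 5.0.3 one."""
    r = compare(name)
    return r["asm5"] != r["asm3"]


if __name__ == "__main__":
    # Plain class names agree; any array internal name (what asm-analysis may pass) does not.
    for n in ("java/lang/String", "[I", "[Ljava/lang/String;"):
        print(n, compare(n), "DIVERGES" if diverges(n) else "same")
```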

@HelloCoCooo

@vankyver May I pull a request to fix it?
