An illegal reflective access operation has occurred
patpatpat123 opened this issue · 9 comments
Hello Team,
Thank you for this very cool project.
I wanted to report an issue here if you allow me please:
On a very simple maven + SpringBoot project, I am always getting this:
[INFO] --- dependency-check-maven:7.0.1:aggregate (default) @ myproject ---
[INFO] Checking for updates
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified (2508 ms)
[INFO] Processing Started for NVD CVE - Modified
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/Users/me/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.13.2/jackson-module-afterburner-2.13.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
I understand there are ways to "hide" the issue.
But I was wondering, if you can help fix this issue please?
Thank you
@patpatpat123 This output unfortunately does not explain WHICH class is problematic, or how to reproduce it. So we cannot really help with it without more information.
So a reproduction would be needed.
Understood, let me put together an example
Failing to reproduce. Will open an issue again with the sample if I manage to reproduce.
Thank you
As I just closed, I managed to reproduce:
A reproducible example can be found at: https://github.com/patpatpat123/springvaultcve
After running the command, this is always reproducible: mvn clean install dependency:tree -X
[INFO] --- dependency-check-maven:7.0.4:aggregate (default) @ vaxholm ---
[INFO] Checking for updates
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified (6101 ms)
[INFO] Processing Started for NVD CVE - Modified
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/Users/me/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.13.2/jackson-module-afterburner-2.13.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Could you please kindly help?
This output unfortunately does not explain WHICH class is problematic, or how to reproduce it. So we cannot really help with it without more information.
The error message points to ClassLoader.findLoadedClass, which Afterburner forcibly accesses here:
I believe all of these setAccessible calls into base Java classes cause this warning, and will cease to work in newer JVMs.
I am not sure why the dependency-check-maven plugin uses Afterburner, but unless the speed of reading JSON is really the limiting factor, the easiest fix might be for the dependency-check-maven plugin to drop its usage of Afterburner.
@patpatpat123 , what version of the JDK do you run this with?
It looks like the Maven plugin attempts to select Afterburner vs Blackbird based on JDK version:
jeremylong/DependencyCheck#4971
So, it is possible everything is ok here.
I am using JDK 11, managed to reproduce with JDK 17 as well.
Ok, there is nothing we can do here I think: this forced access is required by Afterburner and either the user has to open access on later JDKs, or not use Afterburner (use of Blackbird is recommended).
So this warning is not something I know how to avoid.
I don't have a strong opinion on if and how other projects should use Afterburner -- it probably wouldn't make much sense usually for a Maven plug-in, but it looks like DependencyCheck is (or can be?) a standalone tool and performance improvements are measurable.
Closing.
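The forced access discussed in this thread can be observed in isolation with a small probe. This is an added example, not code from Afterburner or dependency-check; the class name FindLoadedClassProbe is hypothetical. It makes the same kind of setAccessible call on ClassLoader.findLoadedClass that the warning names and reports whether the running JVM permitted it.

```java
import java.lang.reflect.InaccessibleObjectException;
import java.lang.reflect.Method;

// Added example (hypothetical class name); not Afterburner's own code.
public class FindLoadedClassProbe {

    /** Attempts forced access to ClassLoader.findLoadedClass and reports what the JVM did. */
    static String probe(ClassLoader loader, String className) {
        try {
            Method m = ClassLoader.class.getDeclaredMethod("findLoadedClass", String.class);
            // JDK 9-15 (default mode): allowed, with the one-time "illegal reflective access" warning.
            // JDK 16 and later: throws InaccessibleObjectException unless java.lang has been opened.
            m.setAccessible(true);
            Object result = m.invoke(loader, className);
            return "allowed: findLoadedClass(" + className + ") -> " + result;
        } catch (InaccessibleObjectException e) {
            return "denied: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "failed: " + e;
        }
    }

    /** Reports whether java.lang is currently open to this class's module. */
    static boolean javaLangIsOpen() {
        Module javaBase = Object.class.getModule();
        return javaBase.isOpen("java.lang", FindLoadedClassProbe.class.getModule());
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.lang open to this module: " + javaLangIsOpen());
        System.out.println(probe(FindLoadedClassProbe.class.getClassLoader(), "java.lang.String"));
    }
}
```

Run it with `java FindLoadedClassProbe.java`, then again with `java --add-opens java.base/java.lang=ALL-UNNAMED FindLoadedClassProbe.java` to compare the results. A Maven plugin runs inside Maven's own JVM, so for a build the same flag would go in MAVEN_OPTS or `.mvn/jvm.config`.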