Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cyclonedxBom task does not finish - endless loop on creating bom #528

Open
tkrah opened this issue Oct 22, 2024 · 4 comments
Open

cyclonedxBom task does not finish - endless loop on creating bom #528

tkrah opened this issue Oct 22, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@tkrah
Copy link

tkrah commented Oct 22, 2024
edited
Loading

Run the task and it will just loop on:

	at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:265)
	at org.gradle.internal.resources.AbstractResourceLockRegistry.getResourceLocksByCurrentThread(AbstractResourceLockRegistry.java:42)
	at org.gradle.internal.work.DefaultWorkerLeaseService.getCurrentWorkerLease(DefaultWorkerLeaseService.java:100)
	at org.gradle.internal.operations.DefaultBuildOperationQueueFactory.create(DefaultBuildOperationQueueFactory.java:33)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.executeInParallel(DefaultBuildOperationExecutor.java:95)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.runAll(DefaultBuildOperationExecutor.java:65)
	at org.gradle.api.internal.artifacts.ivyservice.resolveengine.artifact.ParallelResolveArtifactSet$VisitingSet.visit(ParallelResolveArtifactSet.java:66)
	at org.gradle.api.internal.artifacts.DefaultResolvedDependency.sort(DefaultResolvedDependency.java:132)
	at org.gradle.api.internal.artifacts.DefaultResolvedDependency.getModuleArtifacts(DefaultResolvedDependency.java:110)
	at org.cyclonedx.gradle.CycloneDxTask.getJarArtifact(CycloneDxTask.java:446)
	at org.cyclonedx.gradle.CycloneDxTask.dependencyWithoutJarArtifact(CycloneDxTask.java:415)
	at org.cyclonedx.gradle.CycloneDxTask$$Lambda/0x00007bc8c1199510.test(Unknown Source)
	at java.util.stream.MatchOps$1MatchSink.accept([email protected]/MatchOps.java:90)
	at java.util.Spliterators$IteratorSpliterator.tryAdvance([email protected]/Spliterators.java:1950)
	at java.util.stream.ReferencePipeline.forEachWithCancel([email protected]/ReferencePipeline.java:129)
	at java.util.stream.AbstractPipeline.copyIntoWithCancel([email protected]/AbstractPipeline.java:527)
	at java.util.stream.AbstractPipeline.copyInto([email protected]/AbstractPipeline.java:513)
	at java.util.stream.AbstractPipeline.wrapAndCopyInto([email protected]/AbstractPipeline.java:499)
	at java.util.stream.MatchOps$MatchOp.evaluateSequential([email protected]/MatchOps.java:230)
	at java.util.stream.MatchOps$MatchOp.evaluateSequential([email protected]/MatchOps.java:196)
	at java.util.stream.AbstractPipeline.evaluate([email protected]/AbstractPipeline.java:234)
	at java.util.stream.ReferencePipeline.anyMatch([email protected]/ReferencePipeline.java:632)
	at org.cyclonedx.gradle.CycloneDxTask.lambda$createBom$6(CycloneDxTask.java:357)
	at org.cyclonedx.gradle.CycloneDxTask$$Lambda/0x00007bc8c1052b58.accept(Unknown Source)
	at java.util.stream.ForEachOps$ForEachOp$OfRef.accept([email protected]/ForEachOps.java:184)
	at java.util.stream.ReferencePipeline$2$1.accept([email protected]/ReferencePipeline.java:179)
	at java.util.HashMap$KeySpliterator.forEachRemaining([email protected]/HashMap.java:1715)
	at java.util.stream.AbstractPipeline.copyInto([email protected]/AbstractPipeline.java:509)
	at java.util.stream.AbstractPipeline.wrapAndCopyInto([email protected]/AbstractPipeline.java:499)
	at java.util.stream.ForEachOps$ForEachOp.evaluateSequential([email protected]/ForEachOps.java:151)
	at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential([email protected]/ForEachOps.java:174)
	at java.util.stream.AbstractPipeline.evaluate([email protected]/AbstractPipeline.java:234)
	at java.util.stream.ReferencePipeline.forEach([email protected]/ReferencePipeline.java:596)
	at org.cyclonedx.gradle.CycloneDxTask.createBom(CycloneDxTask.java:330)

To Reproduce
Use this alignment rule to fix some dependencies:

// CVE-2024-38816 + https://github.com/gradle/gradle/issues/9160
class SpringBomAlignmentRule implements ComponentMetadataRule {
	void execute(ComponentMetadataContext ctx) {
		ctx.details.with {
			if (id.group.startsWith("org.springframework")) {
				belongsTo("org.springframework:spring-framework-bom:6.1.14", false)
			}
		}
	}
}

subprojects {
	pluginManager.withPlugin("java") {
		dependencies {
			components.all(SpringBomAlignmentRule)
		}
	}
}

gradle dependencies --configuration productionRuntimeClasspath

does run without a problem, resulting in the correct dependencies.

A workaround which seems to "break" the loop is this:

			if (id.group.startsWith("org.springframework")) {
				if (id.name != "spring-framework-bom") {
					belongsTo("org.springframework:spring-framework-bom:6.1.14", false)
				}
			}

Expected behavior
gradle cyclonedxBom should not loop endlessly.

Environment
cyclonedx = { id = 'org.cyclonedx.bom', version = "1.8.2" } - we can't use 1.9.x yet because of #482
@tkrah tkrah added the bug Something isn't working label Oct 22, 2024
@tkrah tkrah changed the title cyclonedxBom task does not finish not finish - endless loop on creating bom cyclonedxBom task does not finish- endless loop on creating bom Oct 22, 2024
@tkrah tkrah changed the title cyclonedxBom task does not finish- endless loop on creating bom cyclonedxBom task does not finish - endless loop on creating bom Oct 22, 2024
@skhokhlov skhokhlov mentioned this issue Oct 28, 2024
Open
@gordonrousselle
Copy link

Hi @tkrah Is it possible to provide the full build.gradle that caused this issue?

I have encountered a similar issue (infinite loop) recently. The scenario was a dependency graph which contained a loop between non-jar dependencies. I suspect the same might be happening here, but I would need to understand what dependencies are declared.

@tkrah
Copy link
Author

tkrah commented Nov 4, 2024

Hi @tkrah Is it possible to provide the full build.gradle that caused this issue?

I have encountered a similar issue (infinite loop) recently. The scenario was a dependency graph which contained a loop between non-jar dependencies. I suspect the same might be happening here, but I would need to understand what dependencies are declared.

https://github.com/tkrah/cyclonedx-528

@gordonrousselle
Copy link

Hi @tkrah. Thanks for sending the full configuration. I have tried it out and as expected it is a loop between non-jar dependencies. More specifically it is the bom org.springframework:spring-framework-bom:6.1.14 that has itself as a dependency. You can easily see this when you run the dependencies gradle task.

Note that the PR #532 is aiming to resolve a lot of existing issue including this one. I have tested it out and it works fine with those changes.

@tkrah
Copy link
Author

tkrah commented Nov 5, 2024

Hi @tkrah. Thanks for sending the full configuration. I have tried it out and as expected it is a loop between non-jar dependencies. More specifically it is the bom org.springframework:spring-framework-bom:6.1.14 that has itself as a dependency. You can easily see this when you run the dependencies gradle task.

Note that the PR #532 is aiming to resolve a lot of existing issue including this one. I have tested it out and it works fine with those changes.

Yeah I knew it had to be this one, because the workaround was to let the alignment rule exclude this bom - thanks for confirming and I am looking forward to #532 .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tkrah @gordonrousselle