Expand my Community achievements bar.

SOLVED

GSON version update to 2.8.9 issue

Avatar

Level 3
Hi All,
 
We are using Gson in our AEM code repository but below Gson version 2.8.9 it has a security vulnerability. To fix this we should increase the Gson maven version equal or greater than 2.8.9.
In our AEM code repository we tried updating the gson version from 2.8.0 to 2.8.9 along with that we also updated the Junit version from 4.12.0 to 4.13.2 as suggested in maven.
Post update of Gson version the code is compiling fine, but Junit test cases are started failing with the below exception. Till Gson version 2.8.8 everything works fine but from version 2.8.9 the Junit started failing.
Hoping many of us might be using Gson in code repositories, so anyone who faced this issue and find a fix, kindly let us know.
Thanks in advance.
 
Exception
java.lang.NoSuchFieldError: FACTORY
at com.google.gson.Gson.<init>(Gson.java:200)
at com.google.gson.Gson.<init>(Gson.java:174)
 
Maven Dependency
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.8.9</version>
</dependency>
1 Accepted Solution

Avatar

Correct answer by
Level 3

Hi @SantoshSai ,

 

I figured out what is causing the issue. It's the AEM Uber Jar. Things are working fine until I added the Uber Jar dependency. We are using AEM 6.4.8 version and it seems that the Uber jar version 6.4.8 using Gson transitive dependency of 2.8.2 version and while running the test case it is picking the version 2.8.2.

I fixed it by simply changing the order of including dependency where Gson dependency is included first and after that Uber Jar dependency. Showing sample below. That solves my issue of test case failing.

 

<dependencies>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.9.0</version>
</dependency>
<dependency>
<groupId>com.adobe.aem</groupId>
<artifactId>uber-jar</artifactId>
<version>6.4.8</version>
<classifier>apis</classifier>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13.2</version>
<scope>test</scope>
</dependency>
</dependencies>

View solution in original post

5 Replies

Avatar

Community Advisor

Hi @brijesht7477132 ,

Try removing private static modifier 

private static final Gson gson = new Gson();  
--> Gson gson = new Gson();

Hope that helps!

Regards,

Santosh

Avatar

Level 3

@SantoshSai : Thank you for the response. But we are using the Gson object as a method local variable, not as a class-level variable, the line which we used to create Gson object is mentioned below.

Just to add it is working till version 2.8.8 but as soon as make it 2.8.9 version from where the vulnerability is removed it is started failing.

 

Gson gson = new GsonBuilder().disableHtmlEscaping().create();

Avatar

Community Advisor

@brijesht7477132 Unfortunately, I don't have such project at the moment to test it myself, I'm posting few trial-and-error solutions at my best - please bear with me  

<dependency> 
    <groupId>com.google.code.gson<groupId>
    <artifactId>gson</artifactId>
    <version>2.8.9</version>
    <scope>test</scope>
</dependency>

Or do you have any sample project to share with me? 

Avatar

Correct answer by
Level 3

Hi @SantoshSai ,

 

I figured out what is causing the issue. It's the AEM Uber Jar. Things are working fine until I added the Uber Jar dependency. We are using AEM 6.4.8 version and it seems that the Uber jar version 6.4.8 using Gson transitive dependency of 2.8.2 version and while running the test case it is picking the version 2.8.2.

I fixed it by simply changing the order of including dependency where Gson dependency is included first and after that Uber Jar dependency. Showing sample below. That solves my issue of test case failing.

 

<dependencies>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.9.0</version>
</dependency>
<dependency>
<groupId>com.adobe.aem</groupId>
<artifactId>uber-jar</artifactId>
<version>6.4.8</version>
<classifier>apis</classifier>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13.2</version>
<scope>test</scope>
</dependency>
</dependencies>