1.背景
snakeyaml:1.33被掃描出漏洞,需要升級版本;
升級版本後發現與spring-boot-nacos-starter依賴的snakeyaml不相容;
java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.Constructor: method <init>()V not found
參照網上的方法重寫幾個類以及無參建構函式,成功解決問題;
但是有個應用是依賴的jar包單獨打包的,就導致無法載入自己重寫的snakeyaml的類。
2.原始pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <parent> <artifactId>xdd</artifactId> <groupId>com.pcl.pero</groupId> <version>1.0.0-SNAPSHOT</version> </parent> <modelVersion>1.0.0</modelVersion> <artifactId>pcl-pero</artifactId> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter</artifactId> </dependency> <dependency> <groupId>com.alibaba.boot</groupId> <artifactId>nacos-config-spring-boot-starter</artifactId> <version>0.3.0-RC</version> </dependency> </dependencies> <build> <finalName>pcl-pero</finalName> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-dependency-plugin</artifactId> <executions> <execution> <id>copy</id> <phase>package</phase> <goals> <goal>copy-dependencies</goal> </goals> <configuration> <!--指定的依賴路徑--> <outputDirectory> ${project.build.directory}/lib </outputDirectory> <excludeGroupIds> org.projectlombok </excludeGroupIds> </configuration> </execution> </executions> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-jar-plugin</artifactId> <configuration> <archive> <manifest> <!--addClasspath表示需要加入到類構建路徑--> <addClasspath>true</addClasspath> <!--classpathPrefix指定生成的Manifest檔案中Class-Path依賴lib前面都加上路徑,構建出lib/xx.jar--> <classpathPrefix>lib/</classpathPrefix> </manifest> </archive> </configuration> </plugin> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> <configuration> <layout>ZIP</layout> <includes> <include> <groupId>${groupId}</groupId> <artifactId>${artifactId}</artifactId> </include> </includes> </configuration> </plugin> </plugins> </build> </project>
3.如何修復
主要思想就是自己打一個修改好程式碼的jar包,打包的時候再引用這個jar包
1.使用maven-dependency-plugin的unpack將重寫的方法覆蓋jar包裡方法,並解壓到${project.build.directory}/classes路徑,後續可以註釋掉
2.去${project.build.directory}/classes下打包新jar包,jar cvf snakeyaml-2.2.jar ./org
3.把新打包的jar包新增進來,參考https://www.cnblogs.com/wdgde/p/16541641.html
4.exclusion排除依賴
5.maven-jar-plugin配置manifestEntries,手動新增lib/snakeyaml-2.2.jar
4.修改後的pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <parent> <artifactId>xdd</artifactId> <groupId>com.pcl.pero</groupId> <version>1.0.0-SNAPSHOT</version> </parent> <modelVersion>1.0.0</modelVersion> <artifactId>pcl-pero</artifactId> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter</artifactId> </dependency> <dependency> <groupId>com.alibaba.boot</groupId> <artifactId>nacos-config-spring-boot-starter</artifactId> <version>0.3.0-RC</version> <exclusions> <exclusion> <groupId>org.yaml</groupId> <artifactId>snakeyaml</artifactId> </exclusion> </exclusions> </dependency> <dependency> <groupId>org.yaml</groupId> <artifactId>snakeyaml</artifactId> <version>2.2</version> <scope>system</scope> <systemPath>${project.basedir}/lib/snakeyaml-2.2.jar</systemPath> </dependency> </dependencies> <build> <finalName>pcl-pero</finalName> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-dependency-plugin</artifactId> <executions> <execution> <id>unpack</id> <phase>generate-sources</phase> <goals> <goal>unpack</goal> </goals> <configuration> <artifactItems> <artifactItem> <groupId>org.yaml</groupId> <artifactId>snakeyaml</artifactId> <overWrite>false</overWrite> <outputDirectory>${project.build.directory}/classes</outputDirectory> </artifactItem> </artifactItems> </configuration> </execution> <execution> <id>copy</id> <phase>package</phase> <goals> <goal>copy-dependencies</goal> </goals> <configuration> <!--指定的依賴路徑--> <outputDirectory> ${project.build.directory}/lib </outputDirectory> <excludeGroupIds> org.projectlombok </excludeGroupIds> </configuration> </execution> </executions> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-jar-plugin</artifactId> <configuration> <archive> <manifest> <!--addClasspath表示需要加入到類構建路徑--> <addClasspath>true</addClasspath> <!--classpathPrefix指定生成的Manifest檔案中Class-Path依賴lib前面都加上路徑,構建出lib/xx.jar--> <classpathPrefix>lib/</classpathPrefix> </manifest> <manifestEntries> <Class-Path>lib/snakeyaml-2.2.jar</Class-Path> </manifestEntries> </archive> </configuration> </plugin> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> <configuration> <layout>ZIP</layout> <includes> <include> <groupId>${groupId}</groupId> <artifactId>${artifactId}</artifactId> </include> </includes> </configuration> </plugin> </plugins> </build> </project>