修复snakeyaml漏洞,与maven打包二三事
1.背景
snakeyaml:1.33被扫描出漏洞,需要升级版本;
升级版本后发现与spring-boot-nacos-starter依赖的snakeyaml不兼容;
java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.Constructor: method <init>()V not found
参照网上的方法重写几个类以及无参构造函数,成功解决问题;
但是有个应用是依赖的jar包单独打包的,就导致无法载入自己重写的snakeyaml的类。
2.原始pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <parent> <artifactId>xdd</artifactId> <groupId>com.pcl.pero</groupId> <version>1.0.0-SNAPSHOT</version> </parent> <modelVersion>1.0.0</modelVersion> <artifactId>pcl-pero</artifactId> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter</artifactId> </dependency> <dependency> <groupId>com.alibaba.boot</groupId> <artifactId>nacos-config-spring-boot-starter</artifactId> <version>0.3.0-RC</version> </dependency> </dependencies> <build> <finalName>pcl-pero</finalName> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-dependency-plugin</artifactId> <executions> <execution> <id>copy</id> <phase>package</phase> <goals> <goal>copy-dependencies</goal> </goals> <configuration> <!--指定的依赖路径--> <outputDirectory> ${project.build.directory}/lib </outputDirectory> <excludeGroupIds> org.projectlombok </excludeGroupIds> </configuration> </execution> </executions> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-jar-plugin</artifactId> <configuration> <archive> <manifest> <!--addClasspath表示需要加入到类构建路径--> <addClasspath>true</addClasspath> <!--classpathPrefix指定生成的Manifest文件中Class-Path依赖lib前面都加上路径,构建出lib/xx.jar--> <classpathPrefix>lib/</classpathPrefix> </manifest> </archive> </configuration> </plugin> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> <configuration> <layout>ZIP</layout> <includes> <include> <groupId>${groupId}</groupId> <artifactId>${artifactId}</artifactId> </include> </includes> </configuration> </plugin> </plugins> </build> </project>
3.如何修复
主要思想就是自己打一个修改好代码的jar包,打包的时候再引用这个jar包
1.使用maven-dependency-plugin的unpack将重写的方法覆盖jar包里方法,并解压到${project.build.directory}/classes路径,后续可以注释掉
2.去${project.build.directory}/classes下打包新jar包,jar cvf snakeyaml-2.2.jar ./org
3.把新打包的jar包添加进来,参考https://www.cnblogs.com/wdgde/p/16541641.html
4.exclusion排除依赖
5.maven-jar-plugin配置manifestEntries,手动添加lib/snakeyaml-2.2.jar
4.修改后的pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <parent> <artifactId>xdd</artifactId> <groupId>com.pcl.pero</groupId> <version>1.0.0-SNAPSHOT</version> </parent> <modelVersion>1.0.0</modelVersion> <artifactId>pcl-pero</artifactId> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter</artifactId> </dependency> <dependency> <groupId>com.alibaba.boot</groupId> <artifactId>nacos-config-spring-boot-starter</artifactId> <version>0.3.0-RC</version> <exclusions> <exclusion> <groupId>org.yaml</groupId> <artifactId>snakeyaml</artifactId> </exclusion> </exclusions> </dependency> <dependency> <groupId>org.yaml</groupId> <artifactId>snakeyaml</artifactId> <version>2.2</version> <scope>system</scope> <systemPath>${project.basedir}/lib/snakeyaml-2.2.jar</systemPath> </dependency> </dependencies> <build> <finalName>pcl-pero</finalName> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-dependency-plugin</artifactId> <executions> <execution> <id>unpack</id> <phase>generate-sources</phase> <goals> <goal>unpack</goal> </goals> <configuration> <artifactItems> <artifactItem> <groupId>org.yaml</groupId> <artifactId>snakeyaml</artifactId> <overWrite>false</overWrite> <outputDirectory>${project.build.directory}/classes</outputDirectory> </artifactItem> </artifactItems> </configuration> </execution> <execution> <id>copy</id> <phase>package</phase> <goals> <goal>copy-dependencies</goal> </goals> <configuration> <!--指定的依赖路径--> <outputDirectory> ${project.build.directory}/lib </outputDirectory> <excludeGroupIds> org.projectlombok </excludeGroupIds> </configuration> </execution> </executions> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-jar-plugin</artifactId> <configuration> <archive> <manifest> <!--addClasspath表示需要加入到类构建路径--> <addClasspath>true</addClasspath> <!--classpathPrefix指定生成的Manifest文件中Class-Path依赖lib前面都加上路径,构建出lib/xx.jar--> <classpathPrefix>lib/</classpathPrefix> </manifest> <manifestEntries> <Class-Path>lib/snakeyaml-2.2.jar</Class-Path> </manifestEntries> </archive> </configuration> </plugin> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> <configuration> <layout>ZIP</layout> <includes> <include> <groupId>${groupId}</groupId> <artifactId>${artifactId}</artifactId> </include> </includes> </configuration> </plugin> </plugins> </build> </project>
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· TypeScript + Deepseek 打造卜卦网站:技术与玄学的结合
· Manus的开源复刻OpenManus初探
· AI 智能体引爆开源社区「GitHub 热点速览」
· 三行代码完成国际化适配,妙~啊~
· .NET Core 中如何实现缓存的预热?