Reputation: 21
Upgraded sshd-sftp from 2.9.2 to 2.10.0 and the test failed with the exception below.
java.lang.NoSuchMethodError: 'java.lang.Object org.apache.sshd.client.future.ConnectFuture.verify(java.time.Duration)'
at org.springframework.integration.sftp.session.DefaultSftpSessionFactory.initClientSession(DefaultSftpSessionFactory.java:316)
at org.springframework.integration.sftp.session.DefaultSftpSessionFactory.getSession(DefaultSftpSessionFactory.java:282)
Package dependencies [Spring boot v3.1.2]:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-integration</artifactId>
    <version>3.1.2</version>
</dependency>
<dependency>
    <groupId>org.springframework.integration</groupId>
    <artifactId>spring-integration-sftp</artifactId>
    <version>6.1.2</version>
    <exclusions>
        <exclusion> <!-- Security Fix from 2.9.2 to 2.10.0 -->
            <groupId>org.apache.sshd</groupId>
            <artifactId>sshd-sftp</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.apache.sshd</groupId>
    <artifactId>sshd-sftp</artifactId>
    <version>2.10.0</version>
</dependency>
I tried adding the test dependencies and the same exception is raised. Shifting back to 2.9.2 for sshd-sftp works.
Upvotes: 2
Views: 1475
Reputation: 121482
Consider excluding just the group:
<exclusion> <!-- Security Fix from 2.9.2 to 2.10.0 -->
    <groupId>org.apache.sshd</groupId>
</exclusion>
That ConnectFuture.verify() comes from sshd-common, which I believe is somehow left as a transitive dependency in the old version. We didn't change that code in the DefaultSftpSessionFactory when we upgraded Spring Integration 6.2 to MINA 2.10.0, though.
The signature of that method was changed, however:
default T verify(Duration timeout) throws IOException
in 2.9.2, and:
default T verify(Duration timeout, CancelOption... options) throws IOException
in 2.10.0. So, that Spring Integration version is not going to work against the new version since the byte code does not match. It has to be recompiled against the new version.
The problem is that, according to our policy, we cannot upgrade to a minor version in our point version.
According to the vulnerability description: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHESSHD-5769686, we don't need to worry about exposure if we don't run the MINA SFTP server. The Spring Integration SFTP module is really about the SFTP client. As long as you don't deal with the MINA server, you are OK to stick with 2.9.2 until we release Spring Integration 6.2 this Fall.
Upvotes: 2
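The failure above comes from a partial bump: excluding only the sshd-sftp artifact leaves sshd-common (and sshd-core) at 2.9.2 while sshd-sftp moves to 2.10.0. The check below is an added example, not code from the post or from Spring Integration; it parses `mvn dependency:tree` output and flags any groupId resolved at more than one version. The tree text is constructed to mirror the dependency block in the question, and the artifact names other than sshd-sftp and sshd-common are assumptions.

```python
import re
from collections import defaultdict

# Constructed `mvn dependency:tree` output (not from the original post):
# only sshd-sftp was excluded and re-added at 2.10.0, so the rest of the
# org.apache.sshd group is still resolved transitively at 2.9.2.
SAMPLE_TREE = """\
[INFO] com.example:sftp-client:jar:1.0.0
[INFO] +- org.springframework.integration:spring-integration-sftp:jar:6.1.2:compile
[INFO] |  +- org.apache.sshd:sshd-core:jar:2.9.2:compile
[INFO] |  |  \\- org.apache.sshd:sshd-common:jar:2.9.2:compile
[INFO] |  \\- org.apache.sshd:sshd-scp:jar:2.9.2:compile
[INFO] \\- org.apache.sshd:sshd-sftp:jar:2.10.0:compile
"""

# Characters Maven uses to draw the tree in front of each coordinate.
TREE_CHARS = " |+\\-"


def parse_tree(text):
    """Return (groupId, artifactId, version) for every dependency line.

    Maven prints coordinates as g:a:type[:classifier]:version:scope; the
    root project line has no scope and is skipped.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.replace("[INFO]", "").strip(TREE_CHARS)
        parts = line.split(":")
        if len(parts) == 5:          # g:a:type:version:scope
            deps.append((parts[0], parts[1], parts[3]))
        elif len(parts) == 6:        # g:a:type:classifier:version:scope
            deps.append((parts[0], parts[1], parts[4]))
    return deps


def mixed_versions(deps):
    """Map groupId -> {version: [artifactIds]} for groups at >1 version."""
    by_group = defaultdict(lambda: defaultdict(list))
    for group, artifact, version in deps:
        by_group[group][version].append(artifact)
    return {g: dict(v) for g, v in by_group.items() if len(v) > 1}


if __name__ == "__main__":
    for group, versions in mixed_versions(parse_tree(SAMPLE_TREE)).items():
        print(f"{group} resolved at several versions:")
        for version, artifacts in sorted(versions.items()):
            print(f"  {version}: {', '.join(sorted(artifacts))}")
```

Run it against `mvn dependency:tree` output from the real build; an empty result after excluding the whole `org.apache.sshd` group confirms the artifacts were upgraded together.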