Skip to content

Spring Boot 3.2.0 with Hibernate 6.4 reports ANTLR version mismatch #3262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
maurice85 opened this issue Dec 8, 2023 · 4 comments
Closed

Spring Boot 3.2.0 with Hibernate 6.4 reports ANTLR version mismatch #3262

maurice85 opened this issue Dec 8, 2023 · 4 comments
Assignees
@mp911de
Labels
type: task A general task
Milestone
3.2.1 (2023.1.1)

Comments

@maurice85
Copy link

maurice85 commented Dec 8, 2023
edited
Loading

Hibernate 6.4.0.Final uses antlr4 version 4.13.0 but spring-boot-starter-data-jpa 3.2.0 still uses antlr4 version 4.10.1. This causes the warning message

ANTLR Tool version 4.13.0 used for code generation does not match the current runtime version 4.10.1.

I've resolved this problem by excluding the dependency 4.10.1 from spring-boot-starter-data-jpa 3.2.0 and explicitly adding antlr 4.13.0 with

<dependency>
    <groupId>org.antlr</groupId>
    <artifactId>antlr4-runtime</artifactId>
    <version>4.13.0</version>
    <scope>runtime</scope>
</dependency>

However because the version is hardcoded in org.data.jpa.repository.query.HqlLexer and other jpa classes that use RuntimeMetaData.checkVersion(); I still get the same warning during application startup.

Please make spring boot jpa use antlr4 4.13.0 and update the hardcoded string "4.10.1" to "4.13.0"
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 8, 2023
@mp911de mp911de changed the title spring-boot-starter-data-jpa 3.2.0 antl4 version alignment issue Spring Boot 3.2.0 with Hibernate 6.4 reports ANTLR version mismatch Dec 8, 2023
@mp911de mp911de added type: task A general task and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 8, 2023
@mp911de mp911de added this to the 3.2.1 (2023.1.1) milestone Dec 8, 2023
@mp911de mp911de self-assigned this Dec 8, 2023
mp911de added a commit that referenced this issue Dec 8, 2023
@mp911de
Upgrade to Antlr 4.13.0.
e1ef583 
Align with Hibernate 6.4.0.

Closes #3262
See #3239
mp911de added a commit that referenced this issue Dec 8, 2023
@mp911de
Add assertion to verify Hibernate vs. our ANTLR versions.
b5d747d 
See #3262
mp911de added a commit that referenced this issue Dec 8, 2023
@mp911de
Add assertion to verify Hibernate vs. our ANTLR versions.
4924fea 
See #3262
mp911de added a commit that referenced this issue Dec 8, 2023
@mp911de
Add assertion to verify Hibernate vs. our ANTLR versions.
42a20a0 
See #3262
@mp911de
Copy link
Member

mp911de commented Dec 8, 2023

This is essentially a part of #3239. A few things come together. Both, Hibernate and Spring Data use ANTLR and ANTLR tooling generates the classes containing the version check that you've discovered.

With Hibernate being managed by Spring Boot while the ANTLR version being pulled in by Spring Data JPA, there are a few components that could introduce a skew in versions (e.g. if Spring Data JPA builds against a Hibernate service release different than Spring Boot and that service release uses a different version than Spring Data JPA).

Also, these version checks introduce an entirely different problem. In the case of a CVE in ANTLR, you would most likely switch to a fixed version while Hibernate or Spring Data are on a different release cadence causing the warning to become visible again.

@mp911de mp911de closed this as completed Dec 8, 2023
@veluxer62 veluxer62 mentioned this issue Jan 11, 2024
Closed
@vins01-4science vins01-4science mentioned this issue Apr 15, 2024
Closed
@serv-inc
Copy link

serv-inc commented Oct 21, 2024
edited
Loading

Thanks for addressing this. The warning still appears for spring boot 3.3.4 (as that still uses hibernate 6.2.15). Are there any plans to fix it there as well ?

@mp911de
Copy link
Member

mp911de commented Oct 21, 2024

Spring Boot 3.3.4 defines Hibernate 6.5.3.Final as version.

@serv-inc
Copy link

Thanks ! Seems like something is wrong on our end, then:

[INFO] | +- org.springframework.boot:spring-boot-starter-data-jpa:jar:3.3.4:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-aop:jar:3.3.4:compile
[INFO] | | | - org.aspectj:aspectjweaver:jar:1.9.22.1:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-jdbc:jar:3.3.4:compile
[INFO] | | | +- com.zaxxer:HikariCP:jar:5.1.0:compile
[INFO] | | | - org.springframework:spring-jdbc:jar:6.1.13:compile
[INFO] | | +- org.hibernate.orm:hibernate-core:jar:6.2.15.Final:compile
[INFO] | | | +- jakarta.persistence:jakarta.persistence-api:jar:3.1.0:compile
[INFO] | | | +- jakarta.transaction:jakarta.transaction-api:jar:2.0.1:compile
[INFO] | | | +- com.fasterxml:classmate:jar:1.7.0:compile
[INFO] | | | +- net.bytebuddy:byte-buddy:jar:1.14.19:compile
[INFO] | | | +- jakarta.inject:jakarta.inject-api:jar:2.0.1:runtime
[INFO] | | | - org.antlr:antlr4-runtime:jar:4.10.1:compile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mp911de mp911de

Labels
type: task A general task
Projects
None yet
Milestone
3.2.1 (2023.1.1)
Development

No branches or pull requests
4 participants
@mp911de @serv-inc @spring-projects-issues @maurice85