Kaifeng Huang created FLINK-11621:
-------------------------------------

Summary: Your project apache/flink is using buggy third-party libraries [WARNING]
Key: FLINK-11621
URL: https://issues.apache.org/jira/browse/FLINK-11621
Project: Flink
Issue Type: Bug
Reporter: Kaifeng Huang
Hi there! We are a research team working on third-party library analysis. We have found that some widely-used third-party libraries in your project have major/critical bugs, which will degrade the quality of your project. We highly recommend that you update those libraries to new versions. We have attached the buggy third-party libraries and the corresponding Jira issue links below so that you can have more detailed information.

1. org.apache.logging.log4j : log4j-core, version 2.9.1
Jira issues:
- Nested pattern layout options broken [affectsVersions: 2.4.1, 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1216?filter=allopenissues
- Messages appear out of order in log file (was: Log4j2 log file not reflecting application log function calls) [affectsVersions: 2.8.2, 2.9.0, 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2031?filter=allopenissues
- ServiceConfigurationError in Tomcat when Log4j is used as the logging implementation [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2055?filter=allopenissues
- Can't set monitorInterval for composite XML configuration. [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2068?filter=allopenissues
- Log4j-config.xsd should make AppenderRef optional for each Logger element [affectsVersions: 2.9.0, 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2073?filter=allopenissues
- The console appender should say why it cannot load JAnsi [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2074?filter=allopenissues
- Property log4j.skipJansi should have a default of true [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2087?filter=allopenissues
- Log4j respects the configured "log4j2.is.webapp" property [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2091?filter=allopenissues
- LevelMixIn class for Jackson is coded incorrectly [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2100?filter=allopenissues
- non-string value MapMessage ClassCastException [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2101?filter=allopenissues
- MapMessage JSON encoding should escape keys and values [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2102?filter=allopenissues
- MapMessage should support both StringBuilderFormattable and MultiformatMessage [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2107?filter=allopenissues
- Json escaping does not properly escape newlines and other control characters [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2120?filter=allopenissues
- Remove Log4J API dependency on Management APIs [affectsVersions: 2.9.1, 2.10.0]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2126?filter=allopenissues
- MutableLogEvent instances get reused before flushing when using a NoSql Appender with a bufferSize [affectsVersions: 2.9.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2140?filter=allopenissues
- fix the CacheEntry map in ThrowableProxy#toExtendedStackTrace to be put and gotten with same key [affectsVersions: 2.6.2, 2.7, 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2389?filter=allopenissues

2. commons-cli : commons-cli, version 1.3.1
Jira issues:
- Optional argument picking up next regular option as its argument [affectsVersions: 1.3.1]
  https://issues.apache.org/jira/projects/CLI/issues/CLI-265?filter=allopenissues
- HelpFormatter#setOptionComparator(null) doesn't display the values in inserted order [affectsVersions: 1.3.1]
  https://issues.apache.org/jira/projects/CLI/issues/CLI-266?filter=allopenissues

3. commons-io : commons-io, version 2.4
Jira issues:
- IOUtils copyLarge() and skip() methods are performance hogs [affectsVersions: 2.3, 2.4]
  https://issues.apache.org/jira/projects/IO/issues/IO-355?filter=allopenissues
- CharSequenceInputStream#reset() behaves incorrectly in case when buffer size is not dividable by data size [affectsVersions: 2.4]
  https://issues.apache.org/jira/projects/IO/issues/IO-356?filter=allopenissues
- [Tailer] InterruptedException while the thead is sleeping is silently ignored [affectsVersions: 2.4]
  https://issues.apache.org/jira/projects/IO/issues/IO-357?filter=allopenissues
- IOUtils.contentEquals* methods returns false if input1 == input2; should return true [affectsVersions: 2.4]
  https://issues.apache.org/jira/projects/IO/issues/IO-362?filter=allopenissues
- Apache Commons - standard links for documents are failing [affectsVersions: 2.4]
  https://issues.apache.org/jira/projects/IO/issues/IO-369?filter=allopenissues
- FileUtils.sizeOfDirectoryAsBigInteger can overflow [affectsVersions: 2.4]
  https://issues.apache.org/jira/projects/IO/issues/IO-390?filter=allopenissues
- Regression in FileUtils.readFileToString from 2.0.1 [affectsVersions: 2.1, 2.2, 2.3, 2.4]
  https://issues.apache.org/jira/projects/IO/issues/IO-453?filter=allopenissues
- Correct exception message in FileUtils.getFile(File; String...) [affectsVersions: 2.4]
  https://issues.apache.org/jira/projects/IO/issues/IO-479?filter=allopenissues
- org.apache.commons.io.FileUtils#waitFor waits too long [affectsVersions: 2.4]
  https://issues.apache.org/jira/projects/IO/issues/IO-481?filter=allopenissues
- FilenameUtils should handle embedded null bytes [affectsVersions: 2.4]
  https://issues.apache.org/jira/projects/IO/issues/IO-484?filter=allopenissues
- Exceptions are suppressed incorrectly when copying files. [affectsVersions: 2.4, 2.5]
  https://issues.apache.org/jira/projects/IO/issues/IO-502?filter=allopenissues

4. org.apache.logging.log4j : log4j-core, version 2.7
Jira issues:
- ClassCastException at shutdown with JUL: casting SimpleLogger to Logger [affectsVersions: 2.6.2, 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1618?filter=allopenissues
- OSGi support is broken in Log4j2 2.7 [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1637?filter=allopenissues
- RollingFileAppender with CronTriggeringPolicy broken? [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1640?filter=allopenissues
- DefaultShutdownCallbackRegistry can throw a NoClassDefFoundError [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1642?filter=allopenissues
- CronTriggeringPolicy breaks awefully when using "reconfigure" of LoggerContext [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1649?filter=allopenissues
- CronTriggeringPolicy uses wrong naming and produces NPE [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1653?filter=allopenissues
- 2.7 - ThreadContextAccess.getThreadContextMap NPE when specifying BasicContextSelector [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1658?filter=allopenissues
- Some LogEvents may not carry a Throwable (Use Message.getThrowable() in log(Message) methods) [affectsVersions: 2.5, 2.6, 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1676?filter=allopenissues
- Logger using LocalizedMessageFactory prints key instead of message [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1682?filter=allopenissues
- NPE in ThrowableProxy when resolving stack in Java EE/OSGi environment [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1687?filter=allopenissues
- Message parameter array elements are set to null during logging in garbage-free mode [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1688?filter=allopenissues
- StringBuilderFormattable Messages should used cached formatted message if it exists [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1719?filter=allopenissues
- RollingFileAppender's filePattern not reloaded when using monitorInterval [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1725?filter=allopenissues
- SslSocketManager should respect connectTimeoutMillis [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1731?filter=allopenissues
- SslSocketManagerFactory might leak Sockets when certain startup errors occur [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1734?filter=allopenissues
- Update Jackson from 2.8.4 to 2.8.5 [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1735?filter=allopenissues
- TcpSocketManagerFactory might leak Sockets when certain startup errors occur [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1736?filter=allopenissues
- Add CronTriggeringPolicy programmatically leads to NPE [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1740?filter=allopenissues
- CompositeConfiguration does not add filters to appenderRefs [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1743?filter=allopenissues
- Custom logger Generate tool should not require log4j-api dependency [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1744?filter=allopenissues
- RollingFile appender prevents a stand alone application to terminate for as long as 60 sec [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1748?filter=allopenissues
- Adds xmlns in schema and some other tags [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1756?filter=allopenissues
- JsonLayout Throwing Exceptions And Producing Broken Logs [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1769?filter=allopenissues
- Eliminate the use of the ExecutorServices in the LoggerContext [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1780?filter=allopenissues
- API Version is incorrect [affectsVersions: 2.6, 2.6.1, 2.6.2, 2.7, 2.8, 2.8.1]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1836?filter=allopenissues
- AsyncLogger and message formatting (ConcurrentModificationException) [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1914?filter=allopenissues
- Configurations with multiple root loggers should fail loudly [affectsVersions: 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1954?filter=allopenissues
- TcpSocketServer does not replace any "{}" in message [affectsVersions: 2.6.2, 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1969?filter=allopenissues
- Log4J JUL Bridge and RMI Security Manager causes access denied ("java.util.logging.LoggingPermission" "control") [affectsVersions: 2.7, 2.8.2]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1987?filter=allopenissues
- No compression when using a separate drive in Linux [affectsVersions: 2.7]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2012?filter=allopenissues
- Configuration builder classes should look for "onMismatch"; not "onMisMatch". [affectsVersions: 2.4, 2.4.1, 2.5, 2.6, 2.6.1, 2.6.2, 2.7, 2.8, 2.8.1, 2.8.2, 2.9.0, 2.10.0]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2219?filter=allopenissues
- fix the CacheEntry map in ThrowableProxy#toExtendedStackTrace to be put and gotten with same key [affectsVersions: 2.6.2, 2.7, 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0]
  https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2389?filter=allopenissues

5. org.apache.commons : commons-lang3, version 3.3.2
Jira issues:
- ISO 8601 misspelled throughout the Javadocs [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1001?filter=allopenissues
- Several predefined ISO FastDateFormats in DateFormatUtils are incorrect [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1002?filter=allopenissues
- DurationFormatUtils are not able to handle negative durations/periods [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1003?filter=allopenissues
- DurationFormatUtils#formatDurationHMS implementation does not correspond to Javadoc and vice versa [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1004?filter=allopenissues
- NumberUtils.createNumber(final String str) Precision will be lost [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1018?filter=allopenissues
- Javadoc for EqualsBuilder.reflectionEquals() is unclear [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1035?filter=allopenissues
- NumberUtils#isNumber() returns false for "+2" and true for "-2" [affectsVersions: 3.1, 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1038?filter=allopenissues
- Javadoc for NumberUtils.isNumber() are not clear enough [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1040?filter=allopenissues
- Fix MethodUtilsTest so it does not depend on JDK method ordering [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1041?filter=allopenissues
- StrSubstitutor.replaceSystemProperties does not work consistently [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1055?filter=allopenissues
- NumberUtils.isNumber assumes number starting with Zero is octal [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1060?filter=allopenissues
- FastDateParser error - timezones not handled correctly [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1061?filter=allopenissues
- Wrong formating of time zones with daylight saving time in FastDatePrinter [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1092?filter=allopenissues
- TypeUtils.ParameterizedType#equals doesn't work with wildcard types [affectsVersions: 3.3.2, 3.4]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1114?filter=allopenissues
- Fix bug with stripping spaces on last line in WordUtils.wrap() [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-995?filter=allopenissues
- FastDateFormat is case sensitive [affectsVersions: 3.3.2]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-996?filter=allopenissues
- NumberUtils#createNumber() returns positive BigDecimal when negative Float is expected [affectsVersions: 3.x]
  https://issues.apache.org/jira/projects/LANG/issues/LANG-1087?filter=allopenissues

Sincerely~
FDU Software Engineering Lab
Feb 15th, 2019

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
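Added example (not part of the report above and not Apache Flink code): a Python check that reads a Maven pom.xml, expands ${property} references in <version> elements, and flags every dependency declared at exactly one of the groupId/artifactId/version combinations the report lists. It matches only the versions named in the report, so a dependency at any other version is neither flagged nor cleared, and a dependency whose version is inherited from a parent POM or BOM, or references an undefined property, is reported as undecided rather than guessed. The sample POM embedded at the bottom is constructed for this demonstration; the issues the report links are functional Jira bugs, and a match here says only that the declared version is one the report names.

```python
"""Flag Maven dependencies declared at a version the report above lists as buggy.

Added example; not code from the report or from Apache Flink. The sample POM at
the bottom is constructed for the demonstration.
"""
import re
import sys
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
PROP_RE = re.compile(r"\$\{([^}]+)\}")

# (groupId, artifactId) -> versions the report above lists as affected.
REPORTED = {
    ("org.apache.logging.log4j", "log4j-core"): {"2.9.1", "2.7"},
    ("commons-cli", "commons-cli"): {"1.3.1"},
    ("commons-io", "commons-io"): {"2.4"},
    ("org.apache.commons", "commons-lang3"): {"3.3.2"},
}


def expand(value, props, depth=0):
    """Expand ${name} references from <properties>; unknown names stay verbatim."""
    if value is None or depth > 10:  # depth guard against self-referencing properties
        return value
    expanded = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return expanded if expanded == value else expand(expanded, props, depth + 1)


def scan_pom(pom_xml):
    """Return (flagged, undecided).

    flagged:   [(groupId, artifactId, version)] declared at a reported version
    undecided: [(groupId, artifactId)] with no <version> in this POM (inherited from a
               parent or BOM) or with a property reference this POM cannot resolve
    """
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    project_version = root.findtext("m:version", namespaces=NS)
    if project_version:
        props["project.version"] = project_version.strip()

    flagged, undecided = [], []
    # iter() walks <dependencies>, <dependencyManagement> and plugin dependencies alike
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = expand(dep.findtext("m:version", namespaces=NS), props)
        if not version or PROP_RE.search(version):
            undecided.append((group, artifact))
            continue
        if version.strip() in REPORTED.get((group, artifact), ()):
            flagged.append((group, artifact, version.strip()))
    return flagged, undecided


# Constructed sample: two reported versions behind properties, one declared
# literally, one unresolvable property, and one version inherited from elsewhere.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>sample-app</artifactId><version>1.0</version>
  <properties>
    <log4j.version>2.9.1</log4j.version>
    <commons.io.version>2.4</commons.io.version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>
    <dependency><groupId>commons-io</groupId><artifactId>commons-io</artifactId><version>${commons.io.version}</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>3.3.2</version></dependency>
    <dependency><groupId>commons-cli</groupId><artifactId>commons-cli</artifactId><version>${cli.version}</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId></dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_POM
    hits, unknown = scan_pom(source)
    for g, a, v in hits:
        print(f"FLAGGED   {g}:{a}:{v} is a version listed in the report")
    for g, a in unknown:
        print(f"UNDECIDED {g}:{a} version inherited or unresolved in this POM")
    sys.exit(1 if hits else 0)
```

Run it against a real POM with `python check_pom.py path/to/pom.xml`. Declared versions are only part of the picture: the versions that actually land on the classpath come from dependency mediation over the whole tree, so confirm any finding (and look for transitive copies of the same artifacts) with `mvn dependency:tree` before deciding what to upgrade.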