Patrick Hunt created ZOOKEEPER-2360:
---------------------------------------

             Summary: Update commons collections version used tests/releaseaudit
                 Key: ZOOKEEPER-2360
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2360
             Project: ZooKeeper
          Issue Type: Bug
          Components: build
    Affects Versions: 3.5.1, 3.4.7
            Reporter: Patrick Hunt
            Assignee: Patrick Hunt
            Priority: Blocker
             Fix For: 3.4.8, 3.5.2


I don't believe this affects us from a security perspective directly, however 
it's something we should clean up in our next release.

Afaict the only commons we use for shipping/production code is commons-cli. Our 
two release branches, 3.4 and 3.5, neither of them use commons-collections. I 
looked at the binary release artifact and it doesn't include the commons 
collections jar.

We do have a test that uses CollectionUtils, but no shipping code. I 
downloaded our 3.4 and 3.5 artifacts, this is all I see:

phunt:~/Downloads/zd/5/zookeeper-3.5.1-alpha$ grep -R "org.apache.commons.collections" .
./src/java/test/org/apache/zookeeper/RemoveWatchesTest.java:import org.apache.commons.collections.CollectionUtils;
phunt:~/Downloads/zd/5/zookeeper-3.5.1-alpha$

Also in our ivy file we have

    <dependency org="org.apache.rat" name="apache-rat-tasks"
                rev="0.10" conf="releaseaudit->default"/>
    <dependency org="commons-lang" name="commons-lang"
                rev="2.6" conf="releaseaudit->default"/>
    <dependency org="commons-collections" name="commons-collections"
                rev="3.2.1" conf="releaseaudit->default"/>

So commons-collections is pulled in - but only for the release audit, which is 
something we do as a build verification activity but not part of the product 
itself.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
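
The ivy check described in the message can be automated. The following is an added example, not part of the original message or the ZooKeeper build: it reports which Ivy configurations declare a given module and whether any of them is a shipping configuration. The set of shipping configuration names, the commons-cli entry and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three releaseaudit entries are the ones quoted in the
# message; the <info> line and the commons-cli entry (placeholder rev) are
# assumptions added so that one dependency lands in a shipping configuration.
IVY_XML = """<ivy-module version="2.0">
  <info organisation="org.apache.zookeeper" module="zookeeper"/>
  <dependencies>
    <dependency org="commons-cli" name="commons-cli"
                rev="0.0-placeholder" conf="default"/>
    <dependency org="org.apache.rat" name="apache-rat-tasks"
                rev="0.10" conf="releaseaudit->default"/>
    <dependency org="commons-lang" name="commons-lang"
                rev="2.6" conf="releaseaudit->default"/>
    <dependency org="commons-collections" name="commons-collections"
                rev="3.2.1" conf="releaseaudit->default"/>
  </dependencies>
</ivy-module>"""

# Assumption: configurations whose jars end up in the binary release.
SHIPPING_CONFS = {"default", "compile", "runtime"}


def module_confs(conf_attr):
    """Return this module's own configurations (left of '->') from a conf
    attribute such as 'test,releaseaudit->default; compile->runtime'.
    A missing attribute is treated as '*' (all configurations). The '!conf'
    and fallback forms of the Ivy mapping syntax are not handled."""
    if not conf_attr:
        return {"*"}
    confs = set()
    for mapping in conf_attr.split(";"):
        left = mapping.split("->", 1)[0]
        confs.update(c.strip() for c in left.split(",") if c.strip())
    return confs


def audit(ivy_xml, name, shipping=SHIPPING_CONFS):
    """List (org, rev, confs, ships) for each direct declaration of `name`.
    `ships` is True when the dependency is bound to a shipping configuration."""
    findings = []
    for dep in ET.fromstring(ivy_xml).iter("dependency"):
        if dep.get("name") != name:
            continue
        confs = module_confs(dep.get("conf"))
        ships = "*" in confs or bool(confs & set(shipping))
        findings.append((dep.get("org"), dep.get("rev"), sorted(confs), ships))
    return findings


if __name__ == "__main__":
    for finding in audit(IVY_XML, "commons-collections"):
        print(finding)
```

This inspects direct declarations only; a module pulled in transitively by another dependency does not appear here and has to be checked against the resolved dependency set or the release artifact itself, as the grep in the message does.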