[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569285#comment-17569285 ]

ASF GitHub Bot commented on DRILL-8267:
---------------------------------------

vdiravka commented on code in PR #2609:
URL: https://github.com/apache/drill/pull/2609#discussion_r926320649


##########
pom.xml:
##########
@@ -1984,17 +1983,6 @@
         <artifactId>xercesImpl</artifactId>
         <version>${xerces.version}</version>
       </dependency>
-      <dependency>
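Review bot: the hunk header `@@ -1984,17 +1983,6 @@` says eleven lines are dropped after the `xercesImpl` entry, but only the opening `<dependency>` of the removed block is visible here, so the managed artifact and version being removed cannot be checked from the diff alone. Since the discussion relies on the commons-logging ban in this pom to catch a regression, please attach the `mvn dependency:tree` output (or the enforcer result) for the post-removal build so reviewers can confirm which `commons-configuration` version, if any, now resolves transitively and that no `commons-logging` artifact reappears.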

Review Comment:
   This management is for two purposes:
   1. Per commit DRILL-7713 I understand the dependency was added to remove a vulnerability from the transitive dependencies.
   2. To avoid using `commons-logging` as a dependency. https://github.com/apache/commons-configuration/blob/master/pom.xml#L301

   In case we are sure the `commons-configuration` dependency is [1.10](https://github.com/apache/phoenix-omid/blob/ba43c8e1d73543fafa102c57af79516c4dc88860/pom.xml#L175) or a newer version in Drill after removing this management, and `commons-logging` is not used (a successful mvn build is enough for this, because [commons-logging](https://github.com/apache/drill/blob/master/pom.xml#L663) is banned in Drill), we can remove this management.
   The other question: do we really need it?! It is possible that in future a new dependency will have `commons-configuration` as a transitive dependency and we will face the same issues, but now they are solved.
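The check described in the review comment (confirm which `commons-configuration` version resolves after the management is dropped, and that no banned `commons-logging` artifact is pulled in transitively) can be scripted over the output of `mvn dependency:tree`. The following is an added example written for this page, not code from the Drill project or the PR; the artifact tree it scans is constructed inline in the format the Maven dependency plugin prints, with placeholder coordinates (`org.example:app`, `org.example:lib`) that do not refer to any real module.

```shell
#!/bin/sh
# Added example: scan `mvn dependency:tree` output for a banned artifact and
# for a minimum version of another artifact. Not part of the Drill build.

# Constructed sample tree in the layout `mvn dependency:tree` prints.
# Coordinates are placeholders, not real Drill modules.
SAMPLE_TREE='[INFO] org.example:app:jar:0.0.0
[INFO] +- xerces:xercesImpl:jar:2.12.2:compile
[INFO] +- org.example:lib:jar:0.0.0:compile
[INFO] |  \- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] |     \- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] \- commons-lang:commons-lang:jar:2.6:compile'

# Print every version at which GROUP:ARTIFACT appears anywhere in the tree,
# one per line, deduplicated. Matches "<group>:<artifact>:<type>:<version>:<scope>".
tree_versions() {
  tree="$1"; ga="$2"
  printf '%s\n' "$tree" \
    | sed -n "s/^.*[[:space:]]$ga:[^:]*:\([^:]*\):.*$/\1/p" \
    | sort -u
}

# True when dotted numeric version $1 is at least $2 (so 1.10 >= 1.9 holds).
version_at_least() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$2" ]
}

# Return 0 when no banned artifact is present and every required minimum is met;
# otherwise report each violation and return 1.
check_tree() {
  tree="$1"; rc=0
  for banned in commons-logging:commons-logging; do
    found=$(tree_versions "$tree" "$banned")
    if [ -n "$found" ]; then
      echo "BANNED: $banned present at version(s): $found"; rc=1
    fi
  done
  for v in $(tree_versions "$tree" commons-configuration:commons-configuration); do
    if ! version_at_least "$v" 1.10; then
      echo "TOO OLD: commons-configuration $v is below 1.10"; rc=1
    fi
  done
  return $rc
}

# Stand-alone run against the constructed sample (which deliberately contains
# the banned commons-logging artifact, so the policy check reports a violation).
if check_tree "$SAMPLE_TREE"; then
  echo "dependency policy OK"
else
  echo "dependency policy violated"
fi
```

Against a real build, capture the tree with `mvn dependency:tree > tree.txt` and run `check_tree "$(cat tree.txt)"`; a non-zero exit is the same signal the enforcer ban gives, but the printed versions also answer the reviewer's first question about which `commons-configuration` version is actually resolved.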

> Remove commons-configuration dependency management
> --------------------------------------------------
>
>                 Key: DRILL-8267
>                 URL: https://issues.apache.org/jira/browse/DRILL-8267
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: PJ Fanning
>            Priority: Major
>
> https://mvnrepository.com/artifact/commons-configuration/commons-configuration/1.10
> This jar is EOL and has many very insecure dependencies.
> Looks like this dependency is not used by Drill or any of its dependencies. 
> Hadoop uses commons-configuration2 instead.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)