[
https://issues.apache.org/jira/browse/SOLR-16736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17708485#comment-17708485
]
Kevin Risden commented on SOLR-16736:
-------------------------------------
[~gus] so I understand the concern with big changes like these. Almost all of
the changes are very simple replacements. commons-io and commons-lang3 (and
others) came about in JDK 7 timeframe when lots of JDK features were not there.
So this means we don't need commons-io or commons-lang3 as much anymore.
Examples being StringUtils#split is the same as "".split(). This goes for a
bunch of the other StringUtils replacements - just use the JDK methods. There
are some helper methods (like isEmpty) which just handles the null case. For
some of those I copied the very simple null check (str != null &&
str.isEmpty()) into StrUtils in Solr.
For many of the other changes, there are JDK options today with Java streams.
These in many cases avoid iterators and other things that weren't available in
older JDK versions. Many of these were introduced in JDK 9+ and now that we are
on JDK 11 we can take advantage of them.
If you are curious about any of the individual replacements - look at the
individual commits on https://github.com/apache/solr/pull/1498 where I went
through case by case (I squash merged at the end to avoid a ton of commits, but
the individual commits are still on the PR).
Regarding bugs or other issues - I didn't convert a few cases that were harder
(ie: StringUtils.containsIgnoresCase or LocaleUtils) I just moved those into
helper classes to help with adding SuppressForbidden to them so we can keep
using them. Most of these changes are so straightforward that IDEs were
suggesting replacements as well in some cases.
Regarding CVEs - I don't think any of these would be CVE worthy at least the
conversions I made. They move to JDK functions which would get patched with the
JDK itself.
The main goal of doing this was to use newer JDK functions and avoid some of
these older libraries from being included across the code base. In many cases
the dependency was removed from build.gradle in different places to show that
we aren't even using it anymore. Removing from the code base means we no longer
need to keep the dependency up to date (if its fully removed), don't need to
worry about incompatibilities if the library is upgraded, and overall just have
fewer external dependencies when the JDK can be used.
> Replace commons-lang3 usages with Java
> --------------------------------------
>
> Key: SOLR-16736
> URL: https://issues.apache.org/jira/browse/SOLR-16736
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Minor
> Fix For: main (10.0), 9.3
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Done as separate commits:
> * Remove `org.apache.commons.lang3.RandomStringUtils`
> * Remove `StringUtils#join`
> * Replace `StringUtils.leftPad`
> * Replace `ArrayUtils#toPrimitive`
> * Replace `StringUtils#repeat`
> * Misc replacements (startsWith and isEmpty)
> * Replace `StringUtils#split`
> * Replace `ArrayUtils.toObject`
> * Remove `org.apache.commons.lang3.SystemUtils`
> * Remove `ArrayUtils.isEmpty` and `ArrayUtils.isNotEmpty`
> * Replace `StringUtils#equals`
> * Replace `StringUtils.isEmpty` and `StringUtils.isNotEmpty`
> * Replace commons-lang3 builders (hashcode, equals)
> * Remove `startsWith` / `endsWith`
> * Replace `StringUtils.default*`
> * Replace `NumberUtils.isCreatable`
> * Replace `StringUtils.countMatches`
> * Replace `ArrayUtils.add`
> * Replace `StringUtils.contains`
> * Migrate remaining usages to helper methods and forbid new usages of
> commons-lang3
> This is NOT ready for review yet. This just works down the list of commons
> lang3 usages and tries to replace them with JDK methods where possible.
> These are remaining:
> * `LocaleUtils` - is there a good replacement? JDK Locale Builder does not
> work. Moved to LocaleUtils helper class
> * `Object hostnameVerifier = FieldUtils.readField(sslSocketFactory,
> "hostnameVerifier", true);` - moved to standalone method
> * `StringUtils.containsIgnoresCase` - This should be replaceable.
> * `FastDateFormat` used in HDFS tests
> {code:java}
> # git grep -F org.apache.commons.lang3 -- solr
> solr/core/src/java/org/apache/solr/request/SubstringBytesRefFilter.java:
> return org.apache.commons.lang3.StringUtils.containsIgnoreCase(str,
> searchStr);
> solr/core/src/java/org/apache/solr/util/LocaleUtils.java: return
> org.apache.commons.lang3.LocaleUtils.toLocale(locale);
> solr/modules/hdfs/src/test/org/apache/solr/hdfs/cloud/HdfsTestUtil.java:
> org.apache.commons.lang3.time.FastDateFormat.getInstance().format(System.currentTimeMillis());
> solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java:
> return org.apache.commons.lang3.reflect.FieldUtils.readField(
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
