[ https://issues.apache.org/jira/browse/SOLR-16736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17708485#comment-17708485 ]
Kevin Risden commented on SOLR-16736: ------------------------------------- [~gus] so I understand the concern with big changes like these. Almost all of the changes are very simple replacements. commons-io and commons-lang3 (and others) came about in JDK 7 timeframe when lots of JDK features were not there. So this means we don't need commons-io or commons-lang3 as much anymore. Examples being StringUtils#split is the same as "".split(). This goes for a bunch of the other StringUtils replacements - just use the JDK methods. There are some helper methods (like isEmpty) which just handles the null case. For some of those I copied the very simple null check (str != null && str.isEmpty()) into StrUtils in Solr. For many of the other changes, there are JDK options today with Java streams. These in many cases avoid iterators and other things that weren't available in older JDK versions. Many of these were introduced in JDK 9+ and now that we are on JDK 11 we can take advantage of them. If you are curious about any of the individual replacements - look at the individual commits on https://github.com/apache/solr/pull/1498 where I went through case by case (I squash merged at the end to avoid a ton of commits, but the individual commits are still on the PR). Regarding bugs or other issues - I didn't convert a few cases that were harder (ie: StringUtils.containsIgnoresCase or LocaleUtils) I just moved those into helper classes to help with adding SuppressForbidden to them so we can keep using them. Most of these changes are so straightforward that IDEs were suggesting replacements as well in some cases. Regarding CVEs - I don't think any of these would be CVE worthy at least the conversions I made. They move to JDK functions which would get patched with the JDK itself. The main goal of doing this was to use newer JDK functions and avoid some of these older libraries from being included across the code base. In many cases the dependency was removed from build.gradle in different places to show that we aren't even using it anymore. Removing from the code base means we no longer need to keep the dependency up to date (if its fully removed), don't need to worry about incompatibilities if the library is upgraded, and overall just have fewer external dependencies when the JDK can be used. > Replace commons-lang3 usages with Java > -------------------------------------- > > Key: SOLR-16736 > URL: https://issues.apache.org/jira/browse/SOLR-16736 > Project: Solr > Issue Type: Task > Security Level: Public(Default Security Level. Issues are Public) > Reporter: Kevin Risden > Assignee: Kevin Risden > Priority: Minor > Fix For: main (10.0), 9.3 > > Time Spent: 20m > Remaining Estimate: 0h > > Done as separate commits: > * Remove `org.apache.commons.lang3.RandomStringUtils` > * Remove `StringUtils#join` > * Replace `StringUtils.leftPad` > * Replace `ArrayUtils#toPrimitive` > * Replace `StringUtils#repeat` > * Misc replacements (startsWith and isEmpty) > * Replace `StringUtils#split` > * Replace `ArrayUtils.toObject` > * Remove `org.apache.commons.lang3.SystemUtils` > * Remove `ArrayUtils.isEmpty` and `ArrayUtils.isNotEmpty` > * Replace `StringUtils#equals` > * Replace `StringUtils.isEmpty` and `StringUtils.isNotEmpty` > * Replace commons-lang3 builders (hashcode, equals) > * Remove `startsWith` / `endsWith` > * Replace `StringUtils.default*` > * Replace `NumberUtils.isCreatable` > * Replace `StringUtils.countMatches` > * Replace `ArrayUtils.add` > * Replace `StringUtils.contains` > * Migrate remaining usages to helper methods and forbid new usages of > commons-lang3 > This is NOT ready for review yet. This just works down the list of commons > lang3 usages and tries to replace them with JDK methods where possible. > These are remaining: > * `LocaleUtils` - is there a good replacement? JDK Locale Builder does not > work. Moved to LocaleUtils helper class > * `Object hostnameVerifier = FieldUtils.readField(sslSocketFactory, > "hostnameVerifier", true);` - moved to standalone method > * `StringUtils.containsIgnoresCase` - This should be replaceable. > * `FastDateFormat` used in HDFS tests > {code:java} > # git grep -F org.apache.commons.lang3 -- solr > solr/core/src/java/org/apache/solr/request/SubstringBytesRefFilter.java: > return org.apache.commons.lang3.StringUtils.containsIgnoreCase(str, > searchStr); > solr/core/src/java/org/apache/solr/util/LocaleUtils.java: return > org.apache.commons.lang3.LocaleUtils.toLocale(locale); > solr/modules/hdfs/src/test/org/apache/solr/hdfs/cloud/HdfsTestUtil.java: > org.apache.commons.lang3.time.FastDateFormat.getInstance().format(System.currentTimeMillis()); > solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java: > return org.apache.commons.lang3.reflect.FieldUtils.readField( > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org