Kaifeng Huang created STORM-3338:
------------------------------------
Summary: Your project apache/storm is using buggy third-party
libraries [WARNING]
Key: STORM-3338
URL: https://issues.apache.org/jira/browse/STORM-3338
Project: Apache Storm
Issue Type: Bug
Reporter: Kaifeng Huang

Hi there!

We are a research team working on third-party library analysis. We have
found that some widely used third-party libraries in your project have
major/critical bugs, which will degrade the quality of your project. We highly
recommend that you update those libraries to new versions.

We have attached the buggy third-party libraries and the corresponding Jira
issue links below so that you have more detailed information.

1. commons-io commons-io
version: 2.6
Jira issues:
.gitattributes not correctly applied
affectsVersions:2.6
https://issues.apache.org/jira/projects/IO/issues/IO-516?filter=allopenissues
FilenameUtils.normalize should verify hostname syntax in UNC path
affectsVersions:2.6
https://issues.apache.org/jira/projects/IO/issues/IO-559?filter=allopenissues
Missing Javadoc in FilenameUtils causing Travis-CI build to fail
affectsVersions:2.6
https://issues.apache.org/jira/projects/IO/issues/IO-570?filter=allopenissues
2. commons-codec commons-codec
version: 1.11
Jira issues:
InputStream not closed
affectsVersions:1.10,1.11
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-225?filter=allopenissues
3. org.apache.logging.log4j log4j-core
version: 2.11.1
Jira issues:
NameAbbreviator skips first fragments
affectsVersions:2.11.0,2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2365?filter=allopenissues
Predeployment of PersistenceUnit that using Log4j as session logger
failed (#198)
affectsVersions:2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2397?filter=allopenissues
Exceptions are added to all columns when a JDBC Appender's
ColumnMapping uses a Pattern
affectsVersions:2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2413?filter=allopenissues
NullPointerException when closing never used
RollingRandomAccessFileAppender
affectsVersions:2.10.0,2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2418?filter=allopenissues
AbstractAppender.setHandler(null) should not set a null ErrorHandler
affectsVersions:3.0.0,2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2441?filter=allopenissues
ErrorHandler should be invoked with the failing LogEvent when possible
affectsVersions:3.0.0,2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2444?filter=allopenissues
RollingRandomAccessFileManager ignores new file patterns from
programmatic reconfiguration
affectsVersions:2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2457?filter=allopenissues
ColumnMapping literal not working
affectsVersions:2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2466?filter=allopenissues
org.apache.log4j.SimpleLayout and ConsoleAppender missing in
log4j-1.2-api
affectsVersions:2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2476?filter=allopenissues
BasicContextSelector cannot be used in a OSGI application
affectsVersions:2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2482?filter=allopenissues
4. org.apache.httpcomponents httpclient
version: 4.5.6
Jira issues:
Support relatively new HTTP 308 redirect - RFC7538
affectsVersions:3.1 (end of life),4.5.6
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1946?filter=allopenissues
5. org.apache.httpcomponents httpclient
version: 4.5
Jira issues:
NTLM auth failed because NTLMEngineImpl strip domain to base domain name
affectsVersions:4.5
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1662?filter=allopenissues
RequestBuilder ignores Charset
affectsVersions:4.5
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1667?filter=allopenissues
connectTimeout used as socketTimeout in Request
affectsVersions:4.5
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1668?filter=allopenissues
org.apache.http.entity.mime.content is missing from exports of OSGi
bundle
affectsVersions:4.5
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1673?filter=allopenissues
307 redirect throws ClientProtocolException using POST method
affectsVersions:4.5
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1680?filter=allopenissues
ZipException occurs when content-encoding-header is set for
304-response
affectsVersions:4.5
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1690?filter=allopenissues
OSGiRoutePlanner examines only the first proxy exception and also
crashes processing IP address exception
affectsVersions:4.4.1;4.5;5.0
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1710?filter=allopenissues
org.apache.http.impl.client.AbstractHttpClient#createClientConnectionManager
Does not account for context class loader
affectsVersions:4.4.1;4.5;4.5.1;4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1727?filter=allopenissues
PoolingHttpClientConnectionManager has no option to close long leased
connections
affectsVersions:4.4.1;4.5
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1760?filter=allopenissues
6. org.apache.httpcomponents httpclient
version: 4.5.2
Jira issues:
org.apache.http.impl.client.AbstractHttpClient#createClientConnectionManager
Does not account for context class loader
affectsVersions:4.4.1;4.5;4.5.1;4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1727?filter=allopenissues
Memory Leak in OSGi support
affectsVersions:4.4.1;4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1749?filter=allopenissues
SystemDefaultRoutePlanner: Possible null pointer dereference
affectsVersions:4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1766?filter=allopenissues
Null pointer dereference in EofSensorInputStream and ResponseEntityProxy
affectsVersions:4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1767?filter=allopenissues
[OSGi] WeakList needs to support "clear" method
affectsVersions:4.5.2;5.0 Alpha1
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1772?filter=allopenissues
[OSGi] HttpProxyConfigurationActivator does not unregister
HttpClientBuilderFactory
affectsVersions:4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1773?filter=allopenissues
Why is Retry around Redirect and not the other way round
affectsVersions:4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1800?filter=allopenissues
7. commons-cli commons-cli
version: 1.2
Jira issues:
Unable to select a pure long option in a group
affectsVersions:1.0;1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-182?filter=allopenissues
Clear the selection from the groups before parsing
affectsVersions:1.0;1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-183?filter=allopenissues
Commons CLI incorrectly stripping leading and trailing quotes
affectsVersions:1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-185?filter=allopenissues
Coding error: OptionGroup.setSelected causes
java.lang.NullPointerException
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-191?filter=allopenissues
StringIndexOutOfBoundsException in HelpFormatter.findWrapPos
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-193?filter=allopenissues
HelpFormatter strips leading whitespaces in the footer
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-207?filter=allopenissues
OptionBuilder only has static methods; yet many return an OptionBuilder
instance
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-224?filter=allopenissues
Unable to properly require options
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-230?filter=allopenissues
OptionValidator Implementation Does Not Agree With JavaDoc
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-241?filter=allopenissues
8. commons-collections commons-collections
version: 3.2.1
Jira issues:
Inconsistent Javadoc comment and code in addIgnoreNull(Collection<T>;
T) in org.apache.commons.collections.CollectionUtils
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-400?filter=allopenissues
ListUtils.subtract is very slow
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-406?filter=allopenissues
ListOrderedSet.removeAll() is slow
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-407?filter=allopenissues
ListOrderedSet.addAll() is very slow
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-409?filter=allopenissues
Performance problem in DualHashBidiMap
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-413?filter=allopenissues
AbstractLinkedList.removeAll() is very slow
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-415?filter=allopenissues
AbstractLinkedList.retainAll() is very slow
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-417?filter=allopenissues
Surprising exception by CompositeSet in a situation where
CompositeCollection works fine
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-424?filter=allopenissues
performance problem in ListOrderedMap.remove()
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-425?filter=allopenissues
performance problem in ListOrderedSet.retainAll()
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-426?filter=allopenissues
performance problem in SetUniqueList.retainAll()
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-427?filter=allopenissues
SetUniqueList may become inconsistent
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-444?filter=allopenissues
findBugs Warnings: several classes in package functors may expose their
internal representation
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-453?filter=allopenissues
findBugs Warning: Flat3Map - 3 iterators which are "both an Iterator
and a Map.Entry"
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-454?filter=allopenissues
wasted work in AbstractMapBag.containsAll()
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-472?filter=allopenissues
ListOrderedSet can have duplicates
affectsVersions:3.2.1;4.0
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-524?filter=allopenissues
ExtendedProperties causes AccessControlException when framework is
called from a script
affectsVersions:3.2.1
https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-538?filter=allopenissues
9. commons-io commons-io
version: 1.4
Jira issues:
FileCleaningTrackerTestCase hangs
affectsVersions:1.4
https://issues.apache.org/jira/projects/IO/issues/IO-161?filter=allopenissues
Fix case-insensitive string handling
affectsVersions:1.4
https://issues.apache.org/jira/projects/IO/issues/IO-167?filter=allopenissues
Symbolic links (symlinks) followed when deleting directory.
affectsVersions:1.4
https://issues.apache.org/jira/projects/IO/issues/IO-168?filter=allopenissues
StringIndexOutOfBounds exception on FilenameUtils.getPathNoEndSeparator
affectsVersions:1.3.2;1.4
https://issues.apache.org/jira/projects/IO/issues/IO-179?filter=allopenissues
FileSystemUtils.freeSpaceWindows blocks
affectsVersions:1.4
https://issues.apache.org/jira/projects/IO/issues/IO-185?filter=allopenissues
FileSystemUtils.freeSpaceKb doesn't work with relative paths on Linux
affectsVersions:1.2;1.3;1.3.1;1.3.2;1.4
https://issues.apache.org/jira/projects/IO/issues/IO-187?filter=allopenissues
CountingInputStream/CountingOutputStream only partially synchronized
affectsVersions:1.4
https://issues.apache.org/jira/projects/IO/issues/IO-201?filter=allopenissues
NotFileFilter documentation is incorrect
affectsVersions:1.4
https://issues.apache.org/jira/projects/IO/issues/IO-202?filter=allopenissues
Manifest for OSGi has invalid syntax
affectsVersions:1.4
https://issues.apache.org/jira/projects/IO/issues/IO-204?filter=allopenissues
FileSystemUtils.freeSpaceKb fails to return correct size for a windows
mount point
affectsVersions:1.4;2.0;3.x
https://issues.apache.org/jira/projects/IO/issues/IO-209?filter=allopenissues
Delete files quietly when an exception is thrown during initialization
affectsVersions:1.4
https://issues.apache.org/jira/projects/IO/issues/IO-216?filter=allopenissues
FileUtils.copyDirectoryToDirectory makes infinite loops
affectsVersions:1.4
https://issues.apache.org/jira/projects/IO/issues/IO-217?filter=allopenissues
FileCleaningTracker Vector performs badly under load
affectsVersions:1.0;1.1;1.2;1.3;1.3.1;1.3.2;1.4;2.0;3.x
https://issues.apache.org/jira/projects/IO/issues/IO-220?filter=allopenissues
IOUtils.copy Javadoc inconsistency (return -1 vs. throw
ArithmeticException)
affectsVersions:1.3;1.3.1;1.3.2;1.4
https://issues.apache.org/jira/projects/IO/issues/IO-223?filter=allopenissues
FileUtils generate wrong exception message in isFileNewer method
affectsVersions:1.4
https://issues.apache.org/jira/projects/IO/issues/IO-231?filter=allopenissues
10. commons-io commons-io
version: 2.5
Jira issues:
ant test fails - resources missing from test classpath
affectsVersions:2.5
https://issues.apache.org/jira/projects/IO/issues/IO-451?filter=allopenissues
Exceptions are suppressed incorrectly when copying files.
affectsVersions:2.4;2.5
https://issues.apache.org/jira/projects/IO/issues/IO-502?filter=allopenissues
ThresholdingOutputStream.thresholdReached() results in
FileNotFoundException
affectsVersions:2.5
https://issues.apache.org/jira/projects/IO/issues/IO-512?filter=allopenissues
Tailer.run race condition runaway logging
affectsVersions:2.5
https://issues.apache.org/jira/projects/IO/issues/IO-528?filter=allopenissues
Thread bug in FileAlterationMonitor#stop(int)
affectsVersions:2.5
https://issues.apache.org/jira/projects/IO/issues/IO-535?filter=allopenissues
2.5 ExceptionInInitializerError
affectsVersions:2.5
https://issues.apache.org/jira/projects/IO/issues/IO-536?filter=allopenissues
11. commons-codec commons-codec
version: 1.3
Jira issues:
[codec] Using US_ENGLISH static in Soundex causes NPE
affectsVersions:1.3
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-10?filter=allopenissues
org.apache.commons.codec.net.URLCodec.ESCAPE_CHAR isn't final but
should be
affectsVersions:1.2;1.3;1.4
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-111?filter=allopenissues
[codec] Base64.isArrayByteBase64() throws an
ArrayIndexOutOfBoundsException for negative octets.
affectsVersions:1.3
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-22?filter=allopenissues
[codec] Source tarball spews files all over the place
affectsVersions:1.3
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-6?filter=allopenissues
Base64.encodeBase64() throws NegativeArraySizeException on large files
affectsVersions:1.3
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-61?filter=allopenissues
Fix case-insensitive string handling
affectsVersions:1.3
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-65?filter=allopenissues
Make string2byte conversions indepedent of platform default encoding
affectsVersions:1.3
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-73?filter=allopenissues
All links to fixed bugs in the "Changes Report"
http://commons.apache.org/codec/changes-report.html point nowhere; e.g.
http://issues.apache.org/jira/browse/34157. Looks as if all JIRA tickets were
renumbered.
affectsVersions:1.1;1.2;1.3;1.4
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-76?filter=allopenissues
12. org.slf4j slf4j-api
version: 1.7.21
Jira issues:
Cannot re-initialize the SimpleLogger anymore.
affectsVersions:1.7.21
https://jira.qos.ch/projects/SLF4J/issues/SLF4J-370?filter=allopenissues
Marker lost in EventRecodingLogger
affectsVersions:1.7.21
https://jira.qos.ch/projects/SLF4J/issues/SLF4J-379?filter=allopenissues
Support for JCL 1.2
affectsVersions:1.7.21
https://jira.qos.ch/projects/SLF4J/issues/SLF4J-383?filter=allopenissues
13. commons-lang commons-lang
version: 2.6
Jira issues:
Remove unnecessary synchronization from registry lookup in
EqualsBuilder and HashCodeBuilder
affectsVersions:2.6
https://issues.apache.org/jira/projects/LANG/issues/LANG-1230?filter=allopenissues
LocaleUtils - DCL idiom is not thread-safe
affectsVersions:2.6
https://issues.apache.org/jira/projects/LANG/issues/LANG-803?filter=allopenissues
Exception when combining custom and choice format in
ExtendedMessageFormat
affectsVersions:2.5;2.6
https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues
14. org.apache.commons commons-lang3
version: 3.3
Jira issues:
SerializationUtils.ClassLoaderAwareObjectInputStream should use static
initializer to initialize primitiveTypes map.
affectsVersions:3.2;3.3;3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1251?filter=allopenissues
Failing tests with Java 8 b128
affectsVersions:3.3
https://issues.apache.org/jira/projects/LANG/issues/LANG-978?filter=allopenissues
NumberUtils#createNumber() returns positive BigDecimal when negative
Float is expected
affectsVersions:3.x
https://issues.apache.org/jira/projects/LANG/issues/LANG-1087?filter=allopenissues
15. commons-lang commons-lang
version: 2.5
Jira issues:
Testing with JDK 1.7
affectsVersions:2.5
https://issues.apache.org/jira/projects/LANG/issues/LANG-593?filter=allopenissues
Some StringUtils methods should take an int character instead of char
to use String API features.
affectsVersions:2.5
https://issues.apache.org/jira/projects/LANG/issues/LANG-608?filter=allopenissues
SystemUtils.getJavaVersionAsFloat throws
StringIndexOutOfBoundsException on Android runtime/Dalvik VM
affectsVersions:2.5
https://issues.apache.org/jira/projects/LANG/issues/LANG-624?filter=allopenissues
NumberUtils createNumber throws a StringIndexOutOfBoundsException when
argument containing "e" and "E" is passed in
affectsVersions:2.5
https://issues.apache.org/jira/projects/LANG/issues/LANG-638?filter=allopenissues
FastDateFormat.format() outputs incorrect week of year because locale
isn't respected
affectsVersions:2.5
https://issues.apache.org/jira/projects/LANG/issues/LANG-645?filter=allopenissues
Exception when combining custom and choice format in
ExtendedMessageFormat
affectsVersions:2.5;2.6
https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues

Sincerely~
FDU Software Engineering Lab
Feb 15th, 2019
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)