[ https://issues.apache.org/jira/browse/HIVE-21273?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942159#comment-16942159 ]
David Lavati commented on HIVE-21273:
-------------------------------------
Thank you for the feedback! This was on my radar for a while,
but finally got around to checking it. I'm just gonna mention the related
HADOOP-16113 you opened in the same fashion, as in a number of places this
project's dependent on it. Here are my findings with apache/hive HEAD being
at 33ccc9bef:
* httpcomponents httpclient: DONE
** reviewed version: 4.5.2
** current version: 4.5.6 HIVE-21306
[https://github.com/apache/hive/commit/11b8c2ce7a544df2147485318e3f15adc203214a]
* commons-cli: TODO, critical?
** reviewed version: 1.2
** this seems to be depending on Hadoop
* commons-io: WIP
** reviewed version: 2.4
** feasible upgrade to: 2.6, see HIVE-22270 (hadoop is at 2.5
by HADOOP-15261 in 3.1, so this is probably not bound by it)
* log4j2: WIP
** reviewed version: 2.10.0
** feasible upgrade to 2.12.1, see HIVE-22278
* commons-lang3: DONE for both counted cases
** reviewed version: 3.3.2
** current version: 3.9 HIVE-22132
[https://github.com/apache/hive/commit/41770e9ce19a4730b2f96545f7e6d697f2354be8]
* commons-lang: WIP
** version: 2.6
** looks feasible, see HIVE-7145
> Your project apache/hive is using buggy third-party libraries [WARNING]
> -----------------------------------------------------------------------
>
> Key: HIVE-21273
> URL: https://issues.apache.org/jira/browse/HIVE-21273
> Project: Hive
> Issue Type: Bug
> Reporter: Kaifeng Huang
> Priority: Major
>
> Hi, there!
> We are a research team working on third-party library analysis. We have
> found that some widely-used third-party libraries in your project have
> major/critical bugs, which will degrade the quality of your project. We
> highly recommend you to update those libraries to new versions.
> We have attached the buggy third-party libraries and corresponding jira
> issue links below for you to have more detailed information.
> 1. org.apache.httpcomponents httpclient(pom.xml)
> version: 4.5.2
> Jira issues:
>
> org.apache.http.impl.client.AbstractHttpClient#createClientConnectionManager
> Does not account for context class loader
> affectsVersions:4.4.1;4.5;4.5.1;4.5.2
>
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1727?filter=allopenissues
> Memory Leak in OSGi support
> affectsVersions:4.4.1;4.5.2
>
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1749?filter=allopenissues
> SystemDefaultRoutePlanner: Possible null pointer dereference
> affectsVersions:4.5.2
>
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1766?filter=allopenissues
> Null pointer dereference in EofSensorInputStream and ResponseEntityProxy
> affectsVersions:4.5.2
>
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1767?filter=allopenissues
> [OSGi] WeakList needs to support "clear" method
> affectsVersions:4.5.2;5.0 Alpha1
>
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1772?filter=allopenissues
> [OSGi] HttpProxyConfigurationActivator does not unregister
> HttpClientBuilderFactory
> affectsVersions:4.5.2
>
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1773?filter=allopenissues
> Why is Retry around Redirect and not the other way round
> affectsVersions:4.5.2
>
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1800?filter=allopenissues
> 2. commons-cli
> commons-cli(pom.xml,testutils/ptest2/pom.xml,upgrade-acid/pre-upgrade/pom.xml)
> version: 1.2
> Jira issues:
> Unable to select a pure long option in a group
> affectsVersions:1.0;1.1;1.2
>
> https://issues.apache.org/jira/projects/CLI/issues/CLI-182?filter=allopenissues
> Clear the selection from the groups before parsing
> affectsVersions:1.0;1.1;1.2
>
> https://issues.apache.org/jira/projects/CLI/issues/CLI-183?filter=allopenissues
> Commons CLI incorrectly stripping leading and trailing quotes
> affectsVersions:1.1;1.2
>
> https://issues.apache.org/jira/projects/CLI/issues/CLI-185?filter=allopenissues
> Coding error: OptionGroup.setSelected causes
> java.lang.NullPointerException
> affectsVersions:1.2
>
> https://issues.apache.org/jira/projects/CLI/issues/CLI-191?filter=allopenissues
> StringIndexOutOfBoundsException in HelpFormatter.findWrapPos
> affectsVersions:1.2
>
> https://issues.apache.org/jira/projects/CLI/issues/CLI-193?filter=allopenissues
> HelpFormatter strips leading whitespaces in the footer
> affectsVersions:1.2
>
> https://issues.apache.org/jira/projects/CLI/issues/CLI-207?filter=allopenissues
> OptionBuilder only has static methods; yet many return an OptionBuilder
> instance
> affectsVersions:1.2
>
> https://issues.apache.org/jira/projects/CLI/issues/CLI-224?filter=allopenissues
> Unable to properly require options
> affectsVersions:1.2
>
> https://issues.apache.org/jira/projects/CLI/issues/CLI-230?filter=allopenissues
> OptionValidator Implementation Does Not Agree With JavaDoc
> affectsVersions:1.2
>
> https://issues.apache.org/jira/projects/CLI/issues/CLI-241?filter=allopenissues
> 3. commons-io commons-io(pom.xml)
> version: 2.4
> Jira issues:
> IOUtils copyLarge() and skip() methods are performance hogs
> affectsVersions:2.3;2.4
>
> https://issues.apache.org/jira/projects/IO/issues/IO-355?filter=allopenissues
> CharSequenceInputStream#reset() behaves incorrectly in case when buffer
> size is not dividable by data size
> affectsVersions:2.4
>
> https://issues.apache.org/jira/projects/IO/issues/IO-356?filter=allopenissues
> [Tailer] InterruptedException while the thead is sleeping is silently
> ignored
> affectsVersions:2.4
>
> https://issues.apache.org/jira/projects/IO/issues/IO-357?filter=allopenissues
> IOUtils.contentEquals* methods returns false if input1 == input2;
> should return true
> affectsVersions:2.4
>
> https://issues.apache.org/jira/projects/IO/issues/IO-362?filter=allopenissues
> Apache Commons - standard links for documents are failing
> affectsVersions:2.4
>
> https://issues.apache.org/jira/projects/IO/issues/IO-369?filter=allopenissues
> FileUtils.sizeOfDirectoryAsBigInteger can overflow
> affectsVersions:2.4
>
> https://issues.apache.org/jira/projects/IO/issues/IO-390?filter=allopenissues
> Regression in FileUtils.readFileToString from 2.0.1
> affectsVersions:2.1;2.2;2.3;2.4
>
> https://issues.apache.org/jira/projects/IO/issues/IO-453?filter=allopenissues
> Correct exception message in FileUtils.getFile(File; String...)
> affectsVersions:2.4
>
> https://issues.apache.org/jira/projects/IO/issues/IO-479?filter=allopenissues
> org.apache.commons.io.FileUtils#waitFor waits too long
> affectsVersions:2.4
>
> https://issues.apache.org/jira/projects/IO/issues/IO-481?filter=allopenissues
> FilenameUtils should handle embedded null bytes
> affectsVersions:2.4
>
> https://issues.apache.org/jira/projects/IO/issues/IO-484?filter=allopenissues
> Exceptions are suppressed incorrectly when copying files.
> affectsVersions:2.4;2.5
>
> https://issues.apache.org/jira/projects/IO/issues/IO-502?filter=allopenissues
> 4. org.apache.logging.log4j log4j-core(pom.xml)
> version: 2.10.0
> Jira issues:
> Curly braces in parameters are treated as placeholders
> affectsVersions:2.8.2;2.9.0;2.10.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2032?filter=allopenissues
> Remove Log4J API dependency on Management APIs
> affectsVersions:2.9.1;2.10.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2126?filter=allopenissues
> Log4j2 throws NoClassDefFoundError in Java 9
> affectsVersions:2.10.0;2.11.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2129?filter=allopenissues
> ThreadContext map is cleared => entries are only available for one log
> event
> affectsVersions:2.10.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2158?filter=allopenissues
> Objects held in SortedArrayStringMap cannot be filtered during
> serialization
> affectsVersions:2.10.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2163?filter=allopenissues
> NullPointerException at
> org.apache.logging.log4j.util.Activator.loadProvider(Activator.java:81) in
> log4j 2.10.0
> affectsVersions:2.10.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2182?filter=allopenissues
> MarkerFilter onMismatch invalid attribute in .properties
> affectsVersions:2.10.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2202?filter=allopenissues
> Configuration builder classes should look for "onMismatch"; not
> "onMisMatch".
>
> affectsVersions:2.4;2.4.1;2.5;2.6;2.6.1;2.6.2;2.7;2.8;2.8.1;2.8.2;2.9.0;2.10.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2219?filter=allopenissues
> Empty Automatic-Module-Name Header
> affectsVersions:2.10.0;2.11.0;3.0.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2254?filter=allopenissues
> ConcurrentModificationException from
> org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:71)
> affectsVersions:2.10.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2276?filter=allopenissues
> Allow SystemPropertiesPropertySource to run with a SecurityManager that
> rejects system property access
> affectsVersions:2.10.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2279?filter=allopenissues
> ParserConfigurationException when using Log4j with
> oracle.xml.jaxp.JXDocumentBuilderFactory
> affectsVersions:2.10.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2283?filter=allopenissues
> Log4j 2.10+not working with SLF4J 1.8 in OSGI environment
> affectsVersions:2.10.0;2.11.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2305?filter=allopenissues
> fix the CacheEntry map in ThrowableProxy#toExtendedStackTrace to be put
> and gotten with same key
> affectsVersions:2.6.2;2.7;2.8;2.8.1;2.8.2;2.9.0;2.9.1;2.10.0;2.11.0
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2389?filter=allopenissues
> NullPointerException when closing never used
> RollingRandomAccessFileAppender
> affectsVersions:2.10.0;2.11.1
>
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2418?filter=allopenissues
> 5. org.apache.commons commons-lang3(hcatalog/streaming/pom.xml)
> version: 3.3.2
> Jira issues:
> ISO 8601 misspelled throughout the Javadocs
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1001?filter=allopenissues
> Several predefined ISO FastDateFormats in DateFormatUtils are incorrect
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1002?filter=allopenissues
> DurationFormatUtils are not able to handle negative durations/periods
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1003?filter=allopenissues
> DurationFormatUtils#formatDurationHMS implementation does not
> correspond to Javadoc and vice versa
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1004?filter=allopenissues
> NumberUtils.createNumber(final String str) Precision will be lost
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1018?filter=allopenissues
> Javadoc for EqualsBuilder.reflectionEquals() is unclear
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1035?filter=allopenissues
> NumberUtils#isNumber() returns false for "+2" and true for "-2"
> affectsVersions:3.1;3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1038?filter=allopenissues
> Javadoc for NumberUtils.isNumber() are not clear enough
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1040?filter=allopenissues
> Fix MethodUtilsTest so it does not depend on JDK method ordering
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1041?filter=allopenissues
> StrSubstitutor.replaceSystemProperties does not work consistently
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1055?filter=allopenissues
> NumberUtils.isNumber assumes number starting with Zero is octal
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1060?filter=allopenissues
> FastDateParser error - timezones not handled correctly
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1061?filter=allopenissues
> Wrong formating of time zones with daylight saving time in
> FastDatePrinter
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1092?filter=allopenissues
> TypeUtils.ParameterizedType#equals doesn't work with wildcard types
> affectsVersions:3.3.2;3.4
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1114?filter=allopenissues
> Fix bug with stripping spaces on last line in WordUtils.wrap()
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-995?filter=allopenissues
> FastDateFormat is case sensitive
> affectsVersions:3.3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-996?filter=allopenissues
> NumberUtils#createNumber() returns positive BigDecimal when negative
> Float is expected
> affectsVersions:3.x
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1087?filter=allopenissues
> 6. commons-lang commons-lang(storage-api/pom.xml,pom.xml)
> version: 2.6
> Jira issues:
> Remove unnecessary synchronization from registry lookup in
> EqualsBuilder and HashCodeBuilder
> affectsVersions:2.6
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1230?filter=allopenissues
> LocaleUtils - DCL idiom is not thread-safe
> affectsVersions:2.6
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-803?filter=allopenissues
> Exception when combining custom and choice format in
> ExtendedMessageFormat
> affectsVersions:2.5;2.6
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues
> 7. org.apache.commons
> commons-lang3(standalone-metastore/pom.xml,pom.xml)
> version: 3.2
> Jira issues:
> SerializationUtils.ClassLoaderAwareObjectInputStream should use static
> initializer to initialize primitiveTypes map.
> affectsVersions:3.2;3.3;3.4
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1251?filter=allopenissues
> Build fails with test failures when building with JDK 8
> affectsVersions:3.2
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-938?filter=allopenissues
> Test DurationFormatUtilsTest.testEdgeDuration fails in JDK 1.6; 1.7 and
> 1.8; BRST time zone
> affectsVersions:3.1;3.2;3.2.1
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-943?filter=allopenissues
> Exception while using ExtendedMessageFormat and escaping braces
> affectsVersions:3.2;3.2.1
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-948?filter=allopenissues
> org.apache.commons.lang3.reflect.FieldUtils.removeFinalModifier(Field)
> does not clean up after itself
> affectsVersions:3.2;3.2.1
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-961?filter=allopenissues
> NumberUtils#createNumber() returns positive BigDecimal when negative
> Float is expected
> affectsVersions:3.x
>
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1087?filter=allopenissues
> Sincerely~
> FDU Software Engineering Lab
> Feb 15th,2019
--
This message was sent by Atlassian Jira
(v8.3.4#803005)