FDU-SE-LAB opened a new issue #6812: Your project druid-io/druid is using buggy third-party libraries [WARNING]
URL: https://github.com/apache/incubator-druid/issues/6812

Hi, there!

We are a research team working on third-party library analysis. We have found that some widely-used third-party libraries in your project have major/critical bugs, which will degrade the quality of your project. We highly recommend you to update those libraries to new versions.

We have attached the buggy third-party libraries and corresponding jira issue links below for you to have more detailed information.

1 org.apache.httpcomponents httpclient (pom in maven central)
  version: 4.5.3
  Jira issues:

    Possible bug in URIBuilder
    affectsVersions:4.5.3
    https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1831?filter=allopenissues

    RuntimeException from WindowsNegotiateScheme: Unexpected token
    affectsVersions:4.5.3
    https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1833?filter=allopenissues

    DefaultServiceUnavailableRetryStrategy does not respect HttpEntity#isRepeatable
    affectsVersions:4.5.3
    https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1865?filter=allopenissues

    connection should revert to SocketConfig's soTimeout
    affectsVersions:4.5.3
    https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1879?filter=allopenissues

    NTLM authentication against ntlm.herokuapp.com
    affectsVersions:4.5.3
    https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1881?filter=allopenissues

    connection leak issue when OutOfMemory
    affectsVersions:4.5.3;4.5.4;4.5.5
    https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1924?filter=allopenissues

    org.apache.http.conn.ssl.SSLSocketFactory no longer throws ConnectTimeoutException
    affectsVersions:4.5.3
    https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1940?filter=allopenissues

2 commons-cli commons-cli (pom.xml)
  version: 1.2
  Jira issues:

    Unable to select a pure long option in a group
    affectsVersions:1.0;1.1;1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-182?filter=allopenissues

    Clear the selection from the groups before parsing
    affectsVersions:1.0;1.1;1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-183?filter=allopenissues

    Commons CLI incorrectly stripping leading and trailing quotes
    affectsVersions:1.1;1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-185?filter=allopenissues

    Coding error: OptionGroup.setSelected causes java.lang.NullPointerException
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-191?filter=allopenissues

    StringIndexOutOfBoundsException in HelpFormatter.findWrapPos
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-193?filter=allopenissues

    HelpFormatter strips leading whitespaces in the footer
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-207?filter=allopenissues

    OptionBuilder only has static methods; yet many return an OptionBuilder instance
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-224?filter=allopenissues

    Unable to properly require options
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-230?filter=allopenissues

    OptionValidator Implementation Does Not Agree With JavaDoc
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-241?filter=allopenissues

3 commons-io commons-io (pom.xml)
  version: 2.5
  Jira issues:

    ant test fails - resources missing from test classpath
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/IO/issues/IO-451?filter=allopenissues

    Exceptions are suppressed incorrectly when copying files.
    affectsVersions:2.4;2.5
    https://issues.apache.org/jira/projects/IO/issues/IO-502?filter=allopenissues

    ThresholdingOutputStream.thresholdReached() results in FileNotFoundException
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/IO/issues/IO-512?filter=allopenissues

    Tailer.run race condition runaway logging
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/IO/issues/IO-528?filter=allopenissues

    Thread bug in FileAlterationMonitor#stop(int)
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/IO/issues/IO-535?filter=allopenissues

    2.5 ExceptionInInitializerError
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/IO/issues/IO-536?filter=allopenissues

4 org.apache.logging.log4j log4j-core (pom.xml)
  version: 2.5
  Jira issues:

    ThreadLocal leak [AsyncLogger$Info] on Tomcat when using AsyncLoggerContextSelector
    affectsVersions:2.4;2.4.1;2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1172?filter=allopenissues

    Memory leak from first loaded web app when log4j jars are in Tomcat's lib folder
    affectsVersions:2.4.1;2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1176?filter=allopenissues

    Initializing Logger during JVM shutdown fails with FATAL error
    affectsVersions:2.4;2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1222?filter=allopenissues

    Message instances are simply serialized. They mustn't.
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1226?filter=allopenissues

    NullPointerException in MapLookup.lookup is the event is null
    affectsVersions:2.4;2.4.1;2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1227?filter=allopenissues

    Don't concatenate SYSLOG Messages
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1230?filter=allopenissues

    org.apache.logging.log4j.core.appender.routing.IdlePurgePolicy not working correctly
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1235?filter=allopenissues

    org.apache.logging.log4j.core.net.TcpSocketManager and other classes does not report internal exceptions to the status logger
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1238?filter=allopenissues

    Faulty placeholder substitution in config xml
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1243?filter=allopenissues

    PatternLayout Nano timestamp does not work
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1248?filter=allopenissues

    Update Jackson from 2.6.4 to 2.7.0
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1249?filter=allopenissues

    Update LMAX Disruptor from 3.3.2 to 3.3.4
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1253?filter=allopenissues

    TlsSyslogFrame calculates message length incorrectly
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1260?filter=allopenissues

    Log4jServletContextListener unnecessary exception
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1262?filter=allopenissues

    log4j2.properties: monitorInterval has no effect
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1263?filter=allopenissues

    AsyncLogger should use thread-local translator by default
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1269?filter=allopenissues

    Logger methods taking Supplier<?> parameters should check if supplied value is Message
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1280?filter=allopenissues

    Change flow logging text from "entry' to "Enter" and "exit" to "Exit"
    affectsVersions:2.0;2.0.1;2.0.2;2.1;2.2;2.3;2.4;2.4.1;2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1289?filter=allopenissues

    Update Kafka client from 0.9.0.0 to 0.9.0.1
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1294?filter=allopenissues

    Remove serializability from classes that don't need it
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1300?filter=allopenissues

    Configuration file error does not show cause exception
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1309?filter=allopenissues

    JndiLookup mindlessly casts to String and should use String.valueOf()
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1310?filter=allopenissues

    SocketAppender will lose several events after re-connection to server
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1311?filter=allopenissues

    <Property name="" value="" /> not working
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1313?filter=allopenissues

    LoggerContext#getLogger causes heavy GC overhead
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1318?filter=allopenissues

    Custom plugins are not loaded; URL protocol vfs is not supported
    affectsVersions:2.5;2.6.2
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1320?filter=allopenissues

    LoggerFactory in 1.2 API module is not compatible with 1.2
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1336?filter=allopenissues

    AsyncLogger should not call instanceof TimestampMessage in hot path
    affectsVersions:2.0.1;2.0.2;2.1;2.2;2.3;2.4;2.4.1;2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1339?filter=allopenissues

    includeLocation doesn't work when using PropertiesConfiguration
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1363?filter=allopenissues

    Status logger drops/ignores exception
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1368?filter=allopenissues

    "xz" compression results in plaintext; uncompressed files.
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1369?filter=allopenissues

    Update Jackson 2.7.3 to 2.7.4
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1380?filter=allopenissues

    Memory leak related to shutdown hook
    affectsVersions:2.5
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1387?filter=allopenissues

    NPE in Level.isInRange
    affectsVersions:2.4;2.4.1;2.5;2.6;2.6.1;2.6.2
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1559?filter=allopenissues

    Some LogEvents may not carry a Throwable (Use Message.getThrowable() in log(Message) methods)
    affectsVersions:2.5;2.6;2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1676?filter=allopenissues

    Configurations with multiple root loggers should fail loudly
    affectsVersions:2.0;2.1;2.2;2.3;2.4;2.5;2.6;2.7;2.8
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1954?filter=allopenissues

    Configuration builder classes should look for "onMismatch"; not "onMisMatch".
    affectsVersions:2.4;2.4.1;2.5;2.6;2.6.1;2.6.2;2.7;2.8;2.8.1;2.8.2;2.9.0;2.10.0
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2219?filter=allopenissues

5 commons-lang commons-lang (pom.xml)
  version: 2.6
  Jira issues:

    Remove unnecessary synchronization from registry lookup in EqualsBuilder and HashCodeBuilder
    affectsVersions:2.6
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1230?filter=allopenissues

    LocaleUtils - DCL idiom is not thread-safe
    affectsVersions:2.6
    https://issues.apache.org/jira/projects/LANG/issues/LANG-803?filter=allopenissues

    Exception when combining custom and choice format in ExtendedMessageFormat
    affectsVersions:2.5;2.6
    https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues

Sincerely~
FDU Software Engineering Lab
Jan 7th, 2019
