Hi,

My colleague made a thorough analysis of our library dependencies and classified them using the following notation:

G = Good - we're on the latest version
M = Mostly good - we're only a patch version behind
O = Old - not on latest version, but on same major version
B = Bad - one or more major versions behind - you may want to strongly consider upgrading
S = Security - potential security vulnerability reported against this or a newer version
A = Abandonware - no longer supported in any form - these must be addressed
? = Needs further research

As a result I would like to create a jira for each upgrade to track the Security vulnerability categories, so please expect some noise from that direction today and tomorrow. (If we can make good progress there then we can continue with the A, B, O, M categories later.)

I'll somehow collect these into an epic or umbrella jira or label (if no suggestion then I would pick one of them) including the existing library upgrade jiras (eg FLUME-2914 <https://issues.apache.org/jira/browse/FLUME-2914>).

So the candidates for this iteration are the following. I think what we should consider (will be part of the description of the newly created jiras) is:
- double check the existence of the security vulnerability, and
- double check the newest version.
- We might also want to consider removing a dependency if a better alternative is available.
- check whether the lib change would introduce a backward incompatibility (I think that would be marked with a label "breaking-change" and a fix version for flume-ng 2.0.0)

Group                        Artifact                 Version used                Version(s) available at search.maven.org
com.fasterxml.jackson.core   jackson-core             2.3.1                       2.8.1
commons-beanutils            commons-beanutils        1.7.0                       1.9.2
commons-beanutils            commons-beanutils-core   1.8.0                       1.8.3
commons-daemon               commons-daemon           1.0.13                      1.0.15
commons-httpclient           commons-httpclient       3.1, 3.0.1                  4.5.2
io.netty                     netty                    3.2.2.Final, 3.9.4.Final    4.1.4
javax.mail                   mail                     1.4.1                       1.5.0-b01
javax.servlet                servlet-api              2.5                         3.0-alpha-1, 2.5
javax.xml.bind               jaxb-api                 2.2.2                       2.2.12
org.apache.curator           curator-framework        2.6.0                       3.2.0
org.apache.htrace            htrace-core              3.1.0-incubating            4.0.0-incubating
org.apache.httpcomponents    httpclient               4.2.1                       4.5.2
org.apache.httpcomponents    httpmime                 4.2.5                       4.5.2
org.apache.james             apache-mime4j-core       0.7.2                       0.7.2
org.apache.pdfbox            fontbox                  1.8.4                       2.0.2
org.apache.poi               poi                      3.10-beta2                  3.15-beta2
org.apache.poi               poi-ooxml                3.10-beta2                  3.15-beta2
org.apache.poi               poi-scratchpad           3.10-beta2                  3.15-beta2
org.apache.thrift            libfb303                 0.9.0                       0.9.3
org.bouncycastle             bcprov-jdk15             1.45                        1.46
org.codehaus.jackson         jackson-core-asl         1.9.3                       1.9.13
org.mortbay.jetty            jetty                    6.1.26                      7.0.0.pre5
org.mortbay.jetty            jetty-util               6.1.26                      7.0.0.pre5
org.mortbay.jetty            servlet-api              2.5-20110124                3.0.20100224
org.restlet.jee              org.restlet              2.1.1                       2.3.4
org.springframework          spring-aop               3.0.7.RELEASE               4.3.2.RELEASE
org.springframework          spring-context           3.0.7.RELEASE               4.3.2.RELEASE
org.springframework          spring-core              3.0.7.RELEASE               4.3.2.RELEASE
tomcat                       jasper-compiler          5.5.23                      5.5.23
tomcat                       jasper-runtime           5.5.23                      5.5.23

Comments are very welcome.

Cheers,
Attila

*Attila Simon*
Software Engineer
Email: s...@cloudera.com
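The G/M/O/B grades in the legend above are a pure function of the version used versus the newest version available, so the version-staleness part of this audit can be reproduced mechanically over the table. The script below is an added example, not Flume's own tooling and not the colleague's original analysis; it assumes Maven-style version strings (a leading dotted numeric part followed by an optional qualifier such as `.Final`, `-beta2` or `.RELEASE`), reads "a patch version behind" as any patch-level gap, compares the oldest version in use against the newest stable version on offer (falling back to pre-release builds when nothing else is listed, as with poi), and leaves the S and A grades to the analyst, since vulnerability reports and project status cannot be derived from version numbers. The `SAMPLE` rows are a subset copied from the table.

```python
import re
from typing import List, Tuple

# Constructed subset of the table in the mail: (group:artifact, versions used, versions available).
SAMPLE: List[Tuple[str, str, str]] = [
    ("com.fasterxml.jackson.core:jackson-core", "2.3.1", "2.8.1"),
    ("commons-beanutils:commons-beanutils-core", "1.8.0", "1.8.3"),
    ("commons-httpclient:commons-httpclient", "3.1, 3.0.1", "4.5.2"),
    ("io.netty:netty", "3.2.2.Final, 3.9.4.Final", "4.1.4"),
    ("javax.servlet:servlet-api", "2.5", "3.0-alpha-1, 2.5"),
    ("org.apache.james:apache-mime4j-core", "0.7.2", "0.7.2"),
    ("org.apache.poi:poi", "3.10-beta2", "3.15-beta2"),
    ("org.springframework:spring-core", "3.0.7.RELEASE", "4.3.2.RELEASE"),
]

# Qualifiers treated as pre-release builds (assumption; extend for your own artifacts).
PRERELEASE = re.compile(r"(alpha|beta|pre|rc|snapshot|-b\d+)", re.IGNORECASE)


def numeric(version: str) -> Tuple[int, ...]:
    """Leading dotted numeric part of a Maven-style version: '3.2.2.Final' -> (3, 2, 2), '2.5' -> (2, 5, 0)."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"no numeric prefix in version {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad to at least major.minor.patch


def is_prerelease(version: str) -> bool:
    return PRERELEASE.search(version) is not None


def split_list(field: str) -> List[str]:
    """Table cells may hold several comma-separated versions."""
    return [v.strip() for v in field.split(",") if v.strip()]


def newest_stable(available: str) -> str:
    """Newest available version, preferring releases over alpha/beta/pre builds."""
    versions = split_list(available)
    stable = [v for v in versions if not is_prerelease(v)]
    pool = stable or versions  # e.g. poi only offers 3.15-beta2, so fall back to pre-releases
    return max(pool, key=numeric)


def oldest_used(used: str) -> str:
    """Worst case in use: the oldest of the versions we ship."""
    return min(split_list(used), key=numeric)


def classify(used: str, latest: str) -> str:
    """Grade per the legend: G (current), M (patch behind), O (minor behind), B (major behind)."""
    u, l = numeric(used)[:3], numeric(latest)[:3]
    if u >= l:
        return "G"  # equal, or ahead of the index we compared against
    if u[0] < l[0]:
        return "B"
    if u[1] < l[1]:
        return "O"
    return "M"


def audit(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (coordinate, oldest version used, upgrade target, grade) for each table row."""
    result = []
    for coord, used, available in rows:
        worst = oldest_used(used)
        target = newest_stable(available)
        result.append((coord, worst, target, classify(worst, target)))
    return result


if __name__ == "__main__":
    for coord, worst, target, grade in audit(SAMPLE):
        print(f"{grade}  {coord:42} {worst:>14} -> {target}")
```

Rows graded B are the natural candidates for the "breaking-change" label, since a major-version jump is where backward incompatibility is most likely; the S and A grades still need the manual double checks listed above before a jira is filed.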