Kaifeng Huang created HIVE-21273:
------------------------------------
Summary: Your project apache/hive is using buggy third-party
libraries [WARNING]
Key: HIVE-21273
URL: https://issues.apache.org/jira/browse/HIVE-21273
Project: Hive
Issue Type: Bug
Reporter: Kaifeng Huang

Hi, there!

We are a research team working on third-party library analysis. We have
found that some widely-used third-party libraries in your project have
major/critical bugs, which will degrade the quality of your project. We highly
recommend that you update those libraries to new versions.

We have attached the buggy third-party libraries and corresponding Jira
issue links below for you to have more detailed information.

1. org.apache.httpcomponents httpclient(pom.xml)
version: 4.5.2
Jira issues:
org.apache.http.impl.client.AbstractHttpClient#createClientConnectionManager
Does not account for context class loader
affectsVersions:4.4.1;4.5;4.5.1;4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1727?filter=allopenissues
Memory Leak in OSGi support
affectsVersions:4.4.1;4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1749?filter=allopenissues
SystemDefaultRoutePlanner: Possible null pointer dereference
affectsVersions:4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1766?filter=allopenissues
Null pointer dereference in EofSensorInputStream and ResponseEntityProxy
affectsVersions:4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1767?filter=allopenissues
[OSGi] WeakList needs to support "clear" method
affectsVersions:4.5.2;5.0 Alpha1
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1772?filter=allopenissues
[OSGi] HttpProxyConfigurationActivator does not unregister
HttpClientBuilderFactory
affectsVersions:4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1773?filter=allopenissues
Why is Retry around Redirect and not the other way round
affectsVersions:4.5.2
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1800?filter=allopenissues
2. commons-cli commons-cli(pom.xml,testutils/ptest2/pom.xml,upgrade-acid/pre-upgrade/pom.xml)
version: 1.2
Jira issues:
Unable to select a pure long option in a group
affectsVersions:1.0;1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-182?filter=allopenissues
Clear the selection from the groups before parsing
affectsVersions:1.0;1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-183?filter=allopenissues
Commons CLI incorrectly stripping leading and trailing quotes
affectsVersions:1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-185?filter=allopenissues
Coding error: OptionGroup.setSelected causes
java.lang.NullPointerException
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-191?filter=allopenissues
StringIndexOutOfBoundsException in HelpFormatter.findWrapPos
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-193?filter=allopenissues
HelpFormatter strips leading whitespaces in the footer
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-207?filter=allopenissues
OptionBuilder only has static methods; yet many return an OptionBuilder
instance
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-224?filter=allopenissues
Unable to properly require options
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-230?filter=allopenissues
OptionValidator Implementation Does Not Agree With JavaDoc
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-241?filter=allopenissues
3. commons-io commons-io(pom.xml)
version: 2.4
Jira issues:
IOUtils copyLarge() and skip() methods are performance hogs
affectsVersions:2.3;2.4
https://issues.apache.org/jira/projects/IO/issues/IO-355?filter=allopenissues
CharSequenceInputStream#reset() behaves incorrectly in case when buffer
size is not dividable by data size
affectsVersions:2.4
https://issues.apache.org/jira/projects/IO/issues/IO-356?filter=allopenissues
[Tailer] InterruptedException while the thead is sleeping is silently
ignored
affectsVersions:2.4
https://issues.apache.org/jira/projects/IO/issues/IO-357?filter=allopenissues
IOUtils.contentEquals* methods returns false if input1 == input2;
should return true
affectsVersions:2.4
https://issues.apache.org/jira/projects/IO/issues/IO-362?filter=allopenissues
Apache Commons - standard links for documents are failing
affectsVersions:2.4
https://issues.apache.org/jira/projects/IO/issues/IO-369?filter=allopenissues
FileUtils.sizeOfDirectoryAsBigInteger can overflow
affectsVersions:2.4
https://issues.apache.org/jira/projects/IO/issues/IO-390?filter=allopenissues
Regression in FileUtils.readFileToString from 2.0.1
affectsVersions:2.1;2.2;2.3;2.4
https://issues.apache.org/jira/projects/IO/issues/IO-453?filter=allopenissues
Correct exception message in FileUtils.getFile(File; String...)
affectsVersions:2.4
https://issues.apache.org/jira/projects/IO/issues/IO-479?filter=allopenissues
org.apache.commons.io.FileUtils#waitFor waits too long
affectsVersions:2.4
https://issues.apache.org/jira/projects/IO/issues/IO-481?filter=allopenissues
FilenameUtils should handle embedded null bytes
affectsVersions:2.4
https://issues.apache.org/jira/projects/IO/issues/IO-484?filter=allopenissues
Exceptions are suppressed incorrectly when copying files.
affectsVersions:2.4;2.5
https://issues.apache.org/jira/projects/IO/issues/IO-502?filter=allopenissues
4. org.apache.logging.log4j log4j-core(pom.xml)
version: 2.10.0
Jira issues:
Curly braces in parameters are treated as placeholders
affectsVersions:2.8.2;2.9.0;2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2032?filter=allopenissues
Remove Log4J API dependency on Management APIs
affectsVersions:2.9.1;2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2126?filter=allopenissues
Log4j2 throws NoClassDefFoundError in Java 9
affectsVersions:2.10.0;2.11.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2129?filter=allopenissues
ThreadContext map is cleared => entries are only available for one log
event
affectsVersions:2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2158?filter=allopenissues
Objects held in SortedArrayStringMap cannot be filtered during
serialization
affectsVersions:2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2163?filter=allopenissues
NullPointerException at
org.apache.logging.log4j.util.Activator.loadProvider(Activator.java:81) in
log4j 2.10.0
affectsVersions:2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2182?filter=allopenissues
MarkerFilter onMismatch invalid attribute in .properties
affectsVersions:2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2202?filter=allopenissues
Configuration builder classes should look for "onMismatch"; not
"onMisMatch".
affectsVersions:2.4;2.4.1;2.5;2.6;2.6.1;2.6.2;2.7;2.8;2.8.1;2.8.2;2.9.0;2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2219?filter=allopenissues
Empty Automatic-Module-Name Header
affectsVersions:2.10.0;2.11.0;3.0.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2254?filter=allopenissues
ConcurrentModificationException from
org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:71)
affectsVersions:2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2276?filter=allopenissues
Allow SystemPropertiesPropertySource to run with a SecurityManager that
rejects system property access
affectsVersions:2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2279?filter=allopenissues
ParserConfigurationException when using Log4j with
oracle.xml.jaxp.JXDocumentBuilderFactory
affectsVersions:2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2283?filter=allopenissues
Log4j 2.10+not working with SLF4J 1.8 in OSGI environment
affectsVersions:2.10.0;2.11.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2305?filter=allopenissues
fix the CacheEntry map in ThrowableProxy#toExtendedStackTrace to be put
and gotten with same key
affectsVersions:2.6.2;2.7;2.8;2.8.1;2.8.2;2.9.0;2.9.1;2.10.0;2.11.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2389?filter=allopenissues
NullPointerException when closing never used
RollingRandomAccessFileAppender
affectsVersions:2.10.0;2.11.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2418?filter=allopenissues
5. org.apache.commons commons-lang3(hcatalog/streaming/pom.xml)
version: 3.3.2
Jira issues:
ISO 8601 misspelled throughout the Javadocs
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1001?filter=allopenissues
Several predefined ISO FastDateFormats in DateFormatUtils are incorrect
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1002?filter=allopenissues
DurationFormatUtils are not able to handle negative durations/periods
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1003?filter=allopenissues
DurationFormatUtils#formatDurationHMS implementation does not
correspond to Javadoc and vice versa
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1004?filter=allopenissues
NumberUtils.createNumber(final String str) Precision will be lost
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1018?filter=allopenissues
Javadoc for EqualsBuilder.reflectionEquals() is unclear
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1035?filter=allopenissues
NumberUtils#isNumber() returns false for "+2" and true for "-2"
affectsVersions:3.1;3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1038?filter=allopenissues
Javadoc for NumberUtils.isNumber() are not clear enough
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1040?filter=allopenissues
Fix MethodUtilsTest so it does not depend on JDK method ordering
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1041?filter=allopenissues
StrSubstitutor.replaceSystemProperties does not work consistently
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1055?filter=allopenissues
NumberUtils.isNumber assumes number starting with Zero is octal
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1060?filter=allopenissues
FastDateParser error - timezones not handled correctly
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1061?filter=allopenissues
Wrong formating of time zones with daylight saving time in
FastDatePrinter
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-1092?filter=allopenissues
TypeUtils.ParameterizedType#equals doesn't work with wildcard types
affectsVersions:3.3.2;3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1114?filter=allopenissues
Fix bug with stripping spaces on last line in WordUtils.wrap()
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-995?filter=allopenissues
FastDateFormat is case sensitive
affectsVersions:3.3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-996?filter=allopenissues
NumberUtils#createNumber() returns positive BigDecimal when negative
Float is expected
affectsVersions:3.x
https://issues.apache.org/jira/projects/LANG/issues/LANG-1087?filter=allopenissues
6. commons-lang commons-lang(storage-api/pom.xml,pom.xml)
version: 2.6
Jira issues:
Remove unnecessary synchronization from registry lookup in
EqualsBuilder and HashCodeBuilder
affectsVersions:2.6
https://issues.apache.org/jira/projects/LANG/issues/LANG-1230?filter=allopenissues
LocaleUtils - DCL idiom is not thread-safe
affectsVersions:2.6
https://issues.apache.org/jira/projects/LANG/issues/LANG-803?filter=allopenissues
Exception when combining custom and choice format in
ExtendedMessageFormat
affectsVersions:2.5;2.6
https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues
7. org.apache.commons commons-lang3(standalone-metastore/pom.xml,pom.xml)
version: 3.2
Jira issues:
SerializationUtils.ClassLoaderAwareObjectInputStream should use static
initializer to initialize primitiveTypes map.
affectsVersions:3.2;3.3;3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1251?filter=allopenissues
Build fails with test failures when building with JDK 8
affectsVersions:3.2
https://issues.apache.org/jira/projects/LANG/issues/LANG-938?filter=allopenissues
Test DurationFormatUtilsTest.testEdgeDuration fails in JDK 1.6; 1.7 and
1.8; BRST time zone
affectsVersions:3.1;3.2;3.2.1
https://issues.apache.org/jira/projects/LANG/issues/LANG-943?filter=allopenissues
Exception while using ExtendedMessageFormat and escaping braces
affectsVersions:3.2;3.2.1
https://issues.apache.org/jira/projects/LANG/issues/LANG-948?filter=allopenissues
org.apache.commons.lang3.reflect.FieldUtils.removeFinalModifier(Field)
does not clean up after itself
affectsVersions:3.2;3.2.1
https://issues.apache.org/jira/projects/LANG/issues/LANG-961?filter=allopenissues
NumberUtils#createNumber() returns positive BigDecimal when negative
Float is expected
affectsVersions:3.x
https://issues.apache.org/jira/projects/LANG/issues/LANG-1087?filter=allopenissues
Sincerely~
FDU Software Engineering Lab
Feb 15th,2019