FDU-SE-LAB opened a new issue #666: Your project apache/rocketmq is using buggy third-party libraries [WARNING]
URL: https://github.com/apache/rocketmq/issues/666

Hi, there!

We are a research team working on third-party library analysis. We have found that some widely-used third-party libraries in your project have major/critical bugs, which will degrade the quality of your project. We highly recommend you to update those libraries to new versions.

We have attached the buggy third-party libraries and corresponding jira issue links below for you to have more detailed information.

1 commons-cli commons-cli (pom.xml)
version: 1.2
Jira issues:

    Unable to select a pure long option in a group
    affectsVersions:1.0;1.1;1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-182?filter=allopenissues

    Clear the selection from the groups before parsing
    affectsVersions:1.0;1.1;1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-183?filter=allopenissues

    Commons CLI incorrectly stripping leading and trailing quotes
    affectsVersions:1.1;1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-185?filter=allopenissues

    Coding error: OptionGroup.setSelected causes java.lang.NullPointerException
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-191?filter=allopenissues

    StringIndexOutOfBoundsException in HelpFormatter.findWrapPos
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-193?filter=allopenissues

    HelpFormatter strips leading whitespaces in the footer
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-207?filter=allopenissues

    OptionBuilder only has static methods; yet many return an OptionBuilder instance
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-224?filter=allopenissues

    Unable to properly require options
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-230?filter=allopenissues

    OptionValidator Implementation Does Not Agree With JavaDoc
    affectsVersions:1.2
    https://issues.apache.org/jira/projects/CLI/issues/CLI-241?filter=allopenissues

2 org.apache.logging.log4j log4j-core (pom.xml)
version: 2.7
Jira issues:

    ClassCastException at shutdown with JUL: casting SimpleLogger to Logger
    affectsVersions:2.6.2;2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1618?filter=allopenissues

    OSGi support is broken in Log4j2 2.7
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1637?filter=allopenissues

    RollingFileAppender with CronTriggeringPolicy broken?
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1640?filter=allopenissues

    DefaultShutdownCallbackRegistry can throw a NoClassDefFoundError
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1642?filter=allopenissues

    CronTriggeringPolicy breaks awefully when using "reconfigure" of LoggerContext
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1649?filter=allopenissues

    CronTriggeringPolicy uses wrong naming and produces NPE
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1653?filter=allopenissues

    2.7 - ThreadContextAccess.getThreadContextMap NPE when specifying BasicContextSelector
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1658?filter=allopenissues

    Some LogEvents may not carry a Throwable (Use Message.getThrowable() in log(Message) methods)
    affectsVersions:2.5;2.6;2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1676?filter=allopenissues

    Logger using LocalizedMessageFactory prints key instead of message
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1682?filter=allopenissues

    NPE in ThrowableProxy when resolving stack in Java EE/OSGi environment
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1687?filter=allopenissues

    Message parameter array elements are set to null during logging in garbage-free mode
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1688?filter=allopenissues

    StringBuilderFormattable Messages should used cached formatted message if it exists
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1719?filter=allopenissues

    RollingFileAppender's filePattern not reloaded when using monitorInterval
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1725?filter=allopenissues

    SslSocketManager should respect connectTimeoutMillis
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1731?filter=allopenissues

    SslSocketManagerFactory might leak Sockets when certain startup errors occur
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1734?filter=allopenissues

    Update Jackson from 2.8.4 to 2.8.5
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1735?filter=allopenissues

    TcpSocketManagerFactory might leak Sockets when certain startup errors occur
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1736?filter=allopenissues

    Add CronTriggeringPolicy programmatically leads to NPE
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1740?filter=allopenissues

    CompositeConfiguration does not add filters to appenderRefs
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1743?filter=allopenissues

    Custom logger Generate tool should not require log4j-api dependency
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1744?filter=allopenissues

    RollingFile appender prevents a stand alone application to terminate for as long as 60 sec
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1748?filter=allopenissues

    Adds xmlns in schema and some other tags
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1756?filter=allopenissues

    JsonLayout Throwing Exceptions And Producing Broken Logs
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1769?filter=allopenissues

    Eliminate the use of the ExecutorServices in the LoggerContext
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1780?filter=allopenissues

    API Version is incorrect
    affectsVersions:2.6;2.6.1;2.6.2;2.7;2.8;2.8.1
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1836?filter=allopenissues

    AsyncLogger and message formatting (ConcurrentModificationException)
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1914?filter=allopenissues

    Configurations with multiple root loggers should fail loudly
    affectsVersions:2.0;2.1;2.2;2.3;2.4;2.5;2.6;2.7;2.8
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1954?filter=allopenissues

    TcpSocketServer does not replace any “{}” in message
    affectsVersions:2.6.2;2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1969?filter=allopenissues

    Log4J JUL Bridge and RMI Security Manager causes access denied ("java.util.logging.LoggingPermission" "control")
    affectsVersions:2.7;2.8.2
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1987?filter=allopenissues

    No compression when using a separate drive in Linux
    affectsVersions:2.7
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2012?filter=allopenissues

    Configuration builder classes should look for "onMismatch"; not "onMisMatch".
    affectsVersions:2.4;2.4.1;2.5;2.6;2.6.1;2.6.2;2.7;2.8;2.8.1;2.8.2;2.9.0;2.10.0
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2219?filter=allopenissues

    fix the CacheEntry map in ThrowableProxy#toExtendedStackTrace to be put and gotten with same key
    affectsVersions:2.6.2;2.7;2.8;2.8.1;2.8.2;2.9.0;2.9.1;2.10.0;2.11.0
    https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2389?filter=allopenissues

3 ch.qos.logback logback-classic (pom.xml)
version: 1.0.13
Jira issues:

    Prudent FileAppender is stopped if a thread is ever interrupted prior to a logging call
    affectsVersions:1.0.13
    https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-875?filter=allopenissues

    Deadlock in RollingFileAppender
    affectsVersions:1.0.13
    https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-891?filter=allopenissues

    SocketAppender causes Deadlock
    affectsVersions:1.0.13
    https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-896?filter=allopenissues

    SMTPAppender synchronization problem in Asynchronous mode
    affectsVersions:1.0.13
    https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-909?filter=allopenissues

    AsyncAppenderBase swallows InterruptedException
    affectsVersions:1.0.13
    https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-910?filter=allopenissues

    LoggerEvents are lost when sending over the SocketAppender
    affectsVersions:1.0.13
    https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-942?filter=allopenissues

    SyslogAppenderBase.stop() should check for non-null syslog output stream (sos) before calling close()
    affectsVersions:1.0.13
    https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-960?filter=allopenissues

4 org.apache.commons commons-lang3 (pom.xml)
version: 3.4
Jira issues:

    TypeUtils.ParameterizedType#equals doesn't work with wildcard types
    affectsVersions:3.3.2;3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1114?filter=allopenissues

    DateUtilsTest.testLang530 fails for some timezones
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1116?filter=allopenissues

    StringUtils.stripAccents from "Ł" and "ł"
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1120?filter=allopenissues

    JsonToStringStyle doesn't handle chars and objects correctly
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1128?filter=allopenissues

    ReflectionToStringBuilder doesn't throw IllegalArgumentException when the constructor's object param is null
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1132?filter=allopenissues

    StrLookup.systemPropertiesLookup() no longer reacts on changes on system properties
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1141?filter=allopenissues

    StringUtils#capitalize: Javadoc says toTitleCase; code uses toUpperCase
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1142?filter=allopenissues

    Multiple calls of org.apache.commons.lang3.concurrent.LazyInitializer.initialize() are possible
    affectsVersions:3.4;3.5
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1144?filter=allopenissues

    EnumUtils *BitVector issue with more than 32 values Enum
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1147?filter=allopenissues

    StringUtils#equals fails with Index OOBE on non-Strings with identical leading prefix
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1162?filter=allopenissues

    There are no tests for CharSequenceUtils.regionMatches
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1163?filter=allopenissues

    ArrayUtils.removeAll(Object array; int... indices) should do the clone; not its callers
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1178?filter=allopenissues

    TypeUtils.isAssignable throws NullPointerException when fromType has type variables and toType generic superclass specifies type variable
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1190?filter=allopenissues

    FastDateFormat does not support the week-year component (uppercase 'Y')
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1192?filter=allopenissues

    ordinalIndexOf("abc"; "ab"; 1) gives incorrect answer of -1 (correct answer should be 0)
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1193?filter=allopenissues

    Fix implementation of StringUtils.getJaroWinklerDistance()
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1199?filter=allopenissues

    parseDateStrictly does't pass specified locale
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1202?filter=allopenissues

    ClassUtils.getClass(ClassLoader; String) fails for "void"
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1214?filter=allopenissues

    NumberUtils.isNumber bug
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1216?filter=allopenissues

    FastDateFormat doesn't respect summer daylight in localized strings
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1219?filter=allopenissues

    StringUtils#normalizeSpace does not trim the string anymore
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1226?filter=allopenissues

    DiffBuilder: Add null check on fieldName when appending Object or Object[]
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1232?filter=allopenissues

    FastDatePrinter Memory allocation regression
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1248?filter=allopenissues

    SerializationUtils.ClassLoaderAwareObjectInputStream should use static initializer to initialize primitiveTypes map.
    affectsVersions:3.2;3.3;3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1251?filter=allopenissues

    NumberUtils.isNumber and NumberUtils.createNumber resolve inconsistently
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1252?filter=allopenissues

    ArrayUtils.contains returns false for instances of subtypes
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1261?filter=allopenissues

    CompareToBuilder.append(Object;Object;Comparator) method is too big to be inlined
    affectsVersions:3.4
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1262?filter=allopenissues

    StrBuilder#replaceAll ArrayIndexOutOfBoundsException
    affectsVersions:3.2.1;3.4;3.5
    https://issues.apache.org/jira/projects/LANG/issues/LANG-1276?filter=allopenissues

Sincerely~
FDU Software Engineering Lab
Jan 7th, 2019
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
