[ 
https://issues.apache.org/jira/browse/TIKA-4532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18033834#comment-18033834
 ] 

Vladimir Sitnikov commented on TIKA-4532:
-----------------------------------------

The issue with commons is that you get all the CVEs in one package.

Let us break it down.
See 
https://github.com/search?q=repo%3Aapache%2Ftika+%22import+org.apache.commons.lang3%22&type=code

1) {{org.apache.commons.lang3.mutable.MutableInt}} could be {{AtomicInteger}} 
or a custom tika-specific class
2) {{org.apache.commons.lang3.StringUtils}}
  {{StringUtils.join}} and {{StringUtils.joinWith}} (see 
https://github.com/search?q=repo%3Aapache%2Ftika+stringutils.join&type=code) 
could be replaced with Java's {{String.join}}
  {{StringUtils.isBlank}}, {{isEmpty}} might be implemented in Tika.
3) {{Strings.CS}} and {{Strings.CI}}: there are only a few cases, and modern 
Java has similar APIs: 
https://github.com/search?q=repo%3Aapache%2Ftika+%28%22Strings.ci%22+OR+%22Strings.cs%22%29&type=code
4) There are a couple of {{Pair}} usages.

So the breakdown does not sound that devastating.

---

{quote}And the currently released version uses 3.18 which is still safe.{quote}

> Drop commons-lang3 dependency
> -----------------------------
>
>                 Key: TIKA-4532
>                 URL: https://issues.apache.org/jira/browse/TIKA-4532
>             Project: Tika
>          Issue Type: Improvement
>    Affects Versions: 3.2.3
>            Reporter: Vladimir Sitnikov
>            Priority: Major
>
> Currently, there are only a few commons-lang3 usages in apache tika (see 
> https://github.com/search?q=repo%3Aapache%2Ftika%20commons.lang3&type=code ), 
> and it would be great if 
> commons-lang3 is a big dependency with lots of stuff, and it is unfortunate 
> to get CVEs via commons-lang3: 
> https://mvnrepository.com/artifact/org.apache.commons/commons-lang3
> See https://github.com/apache/maven-doxia/issues/1006



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
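The four replacement categories in the comment above, written out as one self-contained Java class. This is an added illustration, not code from Apache Tika or from the commenter; the class name `Lang3Replacements` and its method names are assumptions, and the `main` inputs are constructed. It also records the one behavioural difference a reviewer would want flagged when swapping `StringUtils.join` for `String.join`: null elements.

```java
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Hypothetical drop-in replacements for the commons-lang3 call sites listed
 * in TIKA-4532, so the dependency (and any CVE published against it) can be
 * removed from the classpath. Nothing here is Tika's real code.
 */
final class Lang3Replacements {
    private Lang3Replacements() {}

    // 1) MutableInt -> AtomicInteger: a counter mutated from inside a lambda.
    static int countLongWords(List<String> words, int minLen) {
        AtomicInteger count = new AtomicInteger();
        words.forEach(w -> { if (w.length() >= minLen) count.incrementAndGet(); });
        return count.get();
    }

    // 2a) StringUtils.join / joinWith -> String.join.
    // Caveat: commons-lang3 renders null elements as "" and returns null for a
    // null array; String.join renders null elements as "null" and throws on a
    // null array. This shim keeps the commons-lang3 contract so call sites
    // behave the same after the swap.
    static String join(String sep, Object... parts) {
        if (parts == null) return null;
        String[] strs = Arrays.stream(parts)
                .map(p -> p == null ? "" : p.toString())
                .toArray(String[]::new);
        return String.join(sep, strs);
    }

    // 2b) StringUtils.isEmpty / isBlank implemented in-project.
    static boolean isEmpty(CharSequence cs) {
        return cs == null || cs.length() == 0;
    }

    static boolean isBlank(CharSequence cs) {
        if (cs == null) return true;
        for (int i = 0; i < cs.length(); i++) {
            if (!Character.isWhitespace(cs.charAt(i))) return false;
        }
        return true;
    }

    // 3) Strings.CI -> equalsIgnoreCase / regionMatches(true, ...).
    //    Strings.CS is just String.equals / startsWith / contains.
    static boolean equalsIgnoreCase(String a, String b) {
        return a == null ? b == null : a.equalsIgnoreCase(b);
    }

    static boolean startsWithIgnoreCase(String s, String prefix) {
        if (s == null || prefix == null) return false;
        return s.regionMatches(true, 0, prefix, 0, prefix.length());
    }

    static boolean containsIgnoreCase(String s, String needle) {
        if (s == null || needle == null) return false;
        int max = s.length() - needle.length();
        for (int i = 0; i <= max; i++) {
            if (s.regionMatches(true, i, needle, 0, needle.length())) return true;
        }
        return false;
    }

    // 4) Pair<L, R> -> a record (Java 16+).
    record Pair<L, R>(L left, R right) {}

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(countLongWords(List.of("tika", "parser", "ab"), 4)); // 2
        System.out.println(join(", ", "a", null, "c"));                         // "a, , c"
        System.out.println(isBlank("  \t") + " " + isEmpty(""));                // true true
        System.out.println(startsWithIgnoreCase("Content-Type", "content"));    // true
        System.out.println(containsIgnoreCase("Hello Tika", "TIKA"));           // true
        Pair<String, Integer> p = new Pair<>("pages", 3);
        System.out.println(p.left() + "=" + p.right());                         // pages=3
    }
}
```

The shims are deliberately null-tolerant because that is the part of the commons-lang3 contract most likely to differ from the JDK replacements; a migration that only changes imports and not null handling is where regressions usually hide.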
