[ 
https://issues.apache.org/jira/browse/FLINK-30274?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ran Tao updated FLINK-30274:
----------------------------
    Description: 
First, Apache commons-collections 3.x is a Java 1.3 compatible version, and it 
does not use Java 5 generics. Apache commons-collections4 4.4 is an upgraded 
version of commons-collections, and it is built with Java 8.

Second, Apache commons-collections 3.x is vulnerable; see 
https://issues.apache.org/jira/browse/COLLECTIONS-701

We can upgrade this dependency, but I found that 3.x is currently used by 
flink-core in many places. So at least we need to offer commons-collections4 
support to forbid further incorrect usages (developers or submodules should use 
this new version).

Apache Spark has the same issue: [https://github.com/apache/spark/pull/35257]

[^image-2022-12-02-16-40-22-172.png]

  was:
First, Apache commons-collections 3.x is a Java 1.3 compatible version, and it 
does not use Java 5 generics. Apache commons-collections4 4.4 is an upgraded 
version of commons-collections, and it is built with Java 8.

Second, Apache commons-collections 3.x is vulnerable; see 
[Cx78f40514-81ff|https://devhub.checkmarx.com/cve-details/Cx78f40514-81ff/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea]

We can upgrade this dependency, but I found that 3.x is currently used by 
flink-core in many places. So at least we need to offer commons-collections4 
support to forbid further incorrect usages (developers or submodules should use 
this new version).

Apache Spark has the same issue: https://github.com/apache/spark/pull/35257

 !image-2022-12-02-16-40-22-172.png|thumbnail! 


> Add commons-collections4 to replace commons-collections 3.x 
> ------------------------------------------------------------
>
>                 Key: FLINK-30274
>                 URL: https://issues.apache.org/jira/browse/FLINK-30274
>             Project: Flink
>          Issue Type: Technical Debt
>          Components: Build System
>    Affects Versions: 1.16.0
>            Reporter: Ran Tao
>            Assignee: Ran Tao
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: image-2022-12-02-16-40-22-172.png
>
>
> First, Apache commons-collections 3.x is a Java 1.3 compatible version, and 
> it does not use Java 5 generics. Apache commons-collections4 4.4 is an 
> upgraded version of commons-collections, and it is built with Java 8.
> Second, Apache commons-collections 3.x is vulnerable; see 
> https://issues.apache.org/jira/browse/COLLECTIONS-701
> We can upgrade this dependency, but I found that 3.x is currently used by 
> flink-core in many places. So at least we need to offer commons-collections4 
> support to forbid further incorrect usages (developers or submodules should 
> use this new version).
> Apache Spark has the same issue: [https://github.com/apache/spark/pull/35257]
> [^image-2022-12-02-16-40-22-172.png]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
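The ticket says 3.x is still used by flink-core "in many places" and that the goal is to stop further usages of the old artifact. The script below is an added example, not code from the ticket or from the Flink project: it scans Java sources for references to the commons-collections 3.x package (`org.apache.commons.collections.`), both import lines and fully qualified uses in method bodies, and is meant to be run as a CI gate that fails while any such reference remains. The sample sources embedded in it are constructed for the example; the file paths under `flink-core/` are illustrative, not real Flink files. The one detail worth noting is the trailing escaped dot in the pattern: a naive search for `org.apache.commons.collections` also matches the `collections4` package the migration is moving to, so it would never go green.

```python
"""Find remaining commons-collections 3.x references in Java sources.

Added example (not Flink project code). Usage:
    python find_legacy_collections.py [SOURCE_ROOT]
Exits non-zero while any 3.x reference remains, so it can gate a build.
"""
import re
import sys
from pathlib import Path

# The trailing "\." is what excludes "org.apache.commons.collections4.":
# after "collections" the 4.x package has a "4", not a ".".  The group picks
# up either a wildcard import or a dotted class/sub-package name.
LEGACY_REF = re.compile(r"\borg\.apache\.commons\.collections\.(?:\*|[\w.]+)")

# 4.x kept the sub-package layout for most classes, so a package rename is the
# starting point; a few 3.x types have no 4.x counterpart, so the result still
# has to be compiled, not trusted blindly.
def suggested_replacement(ref: str) -> str:
    return ref.replace("org.apache.commons.collections.",
                       "org.apache.commons.collections4.", 1)


def find_legacy_references(source: str) -> list[tuple[int, str]]:
    """Return (1-based line number, fully qualified reference) for each hit."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in LEGACY_REF.finditer(line):
            hits.append((lineno, match.group(0).rstrip(".")))
    return hits


def scan_tree(files: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Scan a path -> source mapping; keep only files with at least one hit."""
    report = {}
    for path, source in files.items():
        hits = find_legacy_references(source)
        if hits:
            report[path] = hits
    return report


def scan_directory(root: str) -> dict[str, list[tuple[int, str]]]:
    """Read every *.java under root and scan it."""
    files = {str(p): p.read_text(encoding="utf-8", errors="replace")
             for p in Path(root).rglob("*.java")}
    return scan_tree(files)


# Constructed sample sources (not real Flink files): one legacy user, one
# already migrated to collections4, one using a fully qualified 3.x name.
SAMPLE_SOURCES = {
    "flink-core/src/main/java/Legacy.java": """\
package example;

import java.util.List;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.map.LRUMap;

public class Legacy {
    private final java.util.Map cache = new LRUMap(16);
    boolean empty(List l) { return CollectionUtils.isEmpty(l); }
}
""",
    "flink-core/src/main/java/Migrated.java": """\
package example;

import java.util.List;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.map.LRUMap;

public class Migrated {
    private final java.util.Map<String, String> cache = new LRUMap<>(16);
    boolean empty(List<String> l) { return CollectionUtils.isEmpty(l); }
}
""",
    "flink-core/src/main/java/Qualified.java": """\
package example;

public class Qualified {
    Object bag = new org.apache.commons.collections.bag.HashBag();
}
""",
}


def main(argv: list[str]) -> int:
    report = scan_directory(argv[1]) if len(argv) > 1 else scan_tree(SAMPLE_SOURCES)
    for path, hits in sorted(report.items()):
        for lineno, ref in hits:
            print(f"{path}:{lineno}: {ref} -> {suggested_replacement(ref)}")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it scans the embedded samples and flags Legacy.java and Qualified.java but not Migrated.java; pointed at a source root it walks every `*.java` file. Because the scanner works on text, it will also flag a 3.x package name that appears only in a comment, which is the conservative direction for a gate like this.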
