[
https://issues.apache.org/jira/browse/FLINK-30274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642399#comment-17642399
]
Martijn Visser commented on FLINK-30274:
----------------------------------------
[~lemonjing] That's not a CVE. If anything, it's a bug at most. I agree that
moving to a new version is good, but then that's what needs to happen: add the
dependency, refactor existing usage to the new dependency and remove the old
one. Else, you're not replacing anything.
> Add commons-collections4 to replace commons-collections 3.x
> ------------------------------------------------------------
>
> Key: FLINK-30274
> URL: https://issues.apache.org/jira/browse/FLINK-30274
> Project: Flink
> Issue Type: Technical Debt
> Components: Build System
> Affects Versions: 1.16.0
> Reporter: Ran Tao
> Assignee: Ran Tao
> Priority: Major
> Labels: pull-request-available
> Attachments: image-2022-12-02-16-40-22-172.png
>
>
> First, Apache commons-collections 3.x is a Java 1.3 compatible version, and
> it does not use Java 5 generics. Apache commons-collections4 4.4 is an
> upgraded version of commons-collections and it built by Java 8.
> Second, Apache commons-collections 3.x is vulnerable. see
> https://issues.apache.org/jira/browse/COLLECTIONS-701
> We can upgrade this dependency, but i found that currently 3.x was used by
> flink-core many places. So at least we need offer commons-collections4
> support to forbid the next and later error usages (developers or submodules
> use this new version).
> The Apache Spark has same issue: [https://github.com/apache/spark/pull/35257]
> [^image-2022-12-02-16-40-22-172.png]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
