[jira] [Commented] (PHOENIX-7163) Update commons-configuration2 to 2.8.0

Mon, 15 Jan 2024 06:05:04 -0800 


    [ 
https://issues.apache.org/jira/browse/PHOENIX-7163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17806839#comment-17806839
 ] 

Istvan Toth commented on PHOENIX-7163:
--------------------------------------

The new commons-configuration2 needs a newer commons-text:

{noformat}
[ERROR] Tests run: 3, Failures: 0, Errors: 3, Skipped: 0, Time elapsed: 0.406 s 
<<< FAILURE! -- in org.apache.phoenix.iterate.SpoolingResultIteratorTest
[ERROR] 
org.apache.phoenix.iterate.SpoolingResultIteratorTest.testOnDiskSpooling -- 
Time elapsed: 0.385 s <<< ERROR!
java.lang.NoSuchMethodError: 'org.apache.commons.text.lookup.StringLookup 
org.apache.commons.text.lookup.StringLookupFactory.base64DecoderStringLookup()'
        at 
org.apache.commons.configuration2.interpol.DefaultLookups.<clinit>(DefaultLookups.java:68)
        at 
org.apache.commons.configuration2.interpol.ConfigurationInterpolator$DefaultPrefixLookupsHolder.createDefaultLookups(ConfigurationInterpolator.java:647)
        at 
org.apache.commons.configuration2.interpol.ConfigurationInterpolator$DefaultPrefixLookupsHolder.<init>(ConfigurationInterpolator.java:627)
        at 
org.apache.commons.configuration2.interpol.ConfigurationInterpolator$DefaultPrefixLookupsHolder.<clinit>(ConfigurationInterpolator.java:614)
...
{noformat}


> Update commons-configuration2 to 2.8.0
> --------------------------------------
>
>                 Key: PHOENIX-7163
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-7163
>             Project: Phoenix
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 5.2.0, 5.1.4
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>             Fix For: 5.2.0, 5.1.4
>
>
> We are using commons-configurations2 for the Hadoop metrics code, because 
> that Hadoop API is badly broken.
> Because of this, I have added dependency management for that dependency.
> We are setting an old version, which is known to have CVEs.
> -Remove the dependency managment so that we can pick up any possible future 
> fixes from Hadoop instead.-
> Hadoop has updated to 2.8.0 without any code changes.
> Since we only add this for the Hadoop API leak , we may update to 2.8.0 just 
> as well.
> It is also not needed in hbase-server and hbase-mapreduce, as it is provided 
> by the expected Hadoop on the classpath.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to