[ https://issues.apache.org/jira/browse/STORM-3338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Zowalla closed STORM-3338.
----------------------------------
    Resolution: Won't Fix

There were a lot of updates since 2019. Closing this now.

> Your project apache/storm is using buggy third-party libraries [WARNING]
> ------------------------------------------------------------------------
>
>                 Key: STORM-3338
>                 URL: https://issues.apache.org/jira/browse/STORM-3338
>             Project: Apache Storm
>          Issue Type: Bug
>            Reporter: Kaifeng Huang
>            Priority: Major
>
> Hi, there!
>     We are a research team working on third-party library analysis. We have 
> found that some widely-used third-party libraries in your project have 
> major/critical bugs, which will degrade the quality of your project. We 
> highly recommend that you update those libraries to new versions.
>     We have attached the buggy third-party libraries and corresponding jira 
> issue links below for you to have more detailed information.
>       1. commons-io commons-io
>       version: 2.6
>       Jira issues:
>       .gitattributes not correctly applied
>       affectsVersions:2.6
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-516?filter=allopenissues
>       FilenameUtils.normalize should verify hostname syntax in UNC path
>       affectsVersions:2.6
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-559?filter=allopenissues
>       Missing Javadoc in FilenameUtils causing Travis-CI build to fail
>       affectsVersions:2.6
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-570?filter=allopenissues
>       2. commons-codec commons-codec
>       version: 1.11
>       Jira issues:
>       InputStream not closed
>       affectsVersions:1.10,1.11
>       
> https://issues.apache.org/jira/projects/CODEC/issues/CODEC-225?filter=allopenissues
>       3. org.apache.logging.log4j log4j-core
>       version: 2.11.1
>       Jira issues:
>       NameAbbreviator skips first fragments
>       affectsVersions:2.11.0,2.11.1
>       
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2365?filter=allopenissues
>       Predeployment of PersistenceUnit that using Log4j as session logger 
> failed (#198)
>       affectsVersions:2.11.1
>       
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2397?filter=allopenissues
>       Exceptions are added to all columns when a JDBC Appender's 
> ColumnMapping uses a Pattern
>       affectsVersions:2.11.1
>       
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2413?filter=allopenissues
>       NullPointerException when closing never used 
> RollingRandomAccessFileAppender
>       affectsVersions:2.10.0,2.11.1
>       
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2418?filter=allopenissues
>       AbstractAppender.setHandler(null) should not set a null ErrorHandler
>       affectsVersions:3.0.0,2.11.1
>       
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2441?filter=allopenissues
>       ErrorHandler should be invoked with the failing LogEvent when possible
>       affectsVersions:3.0.0,2.11.1
>       
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2444?filter=allopenissues
>       RollingRandomAccessFileManager ignores new file patterns from 
> programmatic reconfiguration
>       affectsVersions:2.11.1
>       
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2457?filter=allopenissues
>       ColumnMapping literal not working
>       affectsVersions:2.11.1
>       
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2466?filter=allopenissues
>       org.apache.log4j.SimpleLayout and ConsoleAppender missing in 
> log4j-1.2-api
>       affectsVersions:2.11.1
>       
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2476?filter=allopenissues
>       BasicContextSelector cannot be used in a OSGI application
>       affectsVersions:2.11.1
>       
> https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2482?filter=allopenissues
>       4. org.apache.httpcomponents httpclient
>       version: 4.5.6
>       Jira issues:
>       Support relatively new HTTP 308 redirect - RFC7538
>       affectsVersions:3.1 (end of life),4.5.6
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1946?filter=allopenissues
>       5. org.apache.httpcomponents httpclient
>       version: 4.5
>       Jira issues:
>       NTLM auth failed because NTLMEngineImpl strip domain to base domain name
>       affectsVersions:4.5
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1662?filter=allopenissues
>       RequestBuilder ignores Charset 
>       affectsVersions:4.5
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1667?filter=allopenissues
>       connectTimeout used as socketTimeout in Request
>       affectsVersions:4.5
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1668?filter=allopenissues
>       org.apache.http.entity.mime.content is missing from exports of OSGi 
> bundle
>       affectsVersions:4.5
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1673?filter=allopenissues
>       307 redirect throws ClientProtocolException using POST method
>       affectsVersions:4.5
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1680?filter=allopenissues
>       ZipException occurs when content-encoding-header is set for 
> 304-response 
>       affectsVersions:4.5
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1690?filter=allopenissues
>       OSGiRoutePlanner examines only the first proxy exception and also 
> crashes processing IP address exception
>       affectsVersions:4.4.1;4.5;5.0
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1710?filter=allopenissues
>       
> org.apache.http.impl.client.AbstractHttpClient#createClientConnectionManager 
> Does not account for context class loader
>       affectsVersions:4.4.1;4.5;4.5.1;4.5.2
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1727?filter=allopenissues
>       PoolingHttpClientConnectionManager has no option to close long leased 
> connections
>       affectsVersions:4.4.1;4.5
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1760?filter=allopenissues
>       6. org.apache.httpcomponents httpclient
>       version: 4.5.2
>       Jira issues:
>       
> org.apache.http.impl.client.AbstractHttpClient#createClientConnectionManager 
> Does not account for context class loader
>       affectsVersions:4.4.1;4.5;4.5.1;4.5.2
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1727?filter=allopenissues
>       Memory Leak in OSGi support
>       affectsVersions:4.4.1;4.5.2
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1749?filter=allopenissues
>       SystemDefaultRoutePlanner: Possible null pointer dereference
>       affectsVersions:4.5.2
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1766?filter=allopenissues
>       Null pointer dereference in EofSensorInputStream and ResponseEntityProxy
>       affectsVersions:4.5.2
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1767?filter=allopenissues
>       [OSGi] WeakList needs to support "clear" method
>       affectsVersions:4.5.2;5.0 Alpha1
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1772?filter=allopenissues
>       [OSGi] HttpProxyConfigurationActivator does not unregister 
> HttpClientBuilderFactory
>       affectsVersions:4.5.2
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1773?filter=allopenissues
>       Why is Retry around Redirect and not the other way round
>       affectsVersions:4.5.2
>       
> https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1800?filter=allopenissues
>       7. commons-cli commons-cli
>       version: 1.2
>       Jira issues:
>       Unable to select a pure long option in a group
>       affectsVersions:1.0;1.1;1.2
>       
> https://issues.apache.org/jira/projects/CLI/issues/CLI-182?filter=allopenissues
>       Clear the selection from the groups before parsing
>       affectsVersions:1.0;1.1;1.2
>       
> https://issues.apache.org/jira/projects/CLI/issues/CLI-183?filter=allopenissues
>       Commons CLI incorrectly stripping leading and trailing quotes
>       affectsVersions:1.1;1.2
>       
> https://issues.apache.org/jira/projects/CLI/issues/CLI-185?filter=allopenissues
>       Coding error: OptionGroup.setSelected causes 
> java.lang.NullPointerException
>       affectsVersions:1.2
>       
> https://issues.apache.org/jira/projects/CLI/issues/CLI-191?filter=allopenissues
>       StringIndexOutOfBoundsException in HelpFormatter.findWrapPos
>       affectsVersions:1.2
>       
> https://issues.apache.org/jira/projects/CLI/issues/CLI-193?filter=allopenissues
>       HelpFormatter strips leading whitespaces in the footer
>       affectsVersions:1.2
>       
> https://issues.apache.org/jira/projects/CLI/issues/CLI-207?filter=allopenissues
>       OptionBuilder only has static methods; yet many return an OptionBuilder 
> instance
>       affectsVersions:1.2
>       
> https://issues.apache.org/jira/projects/CLI/issues/CLI-224?filter=allopenissues
>       Unable to properly require options
>       affectsVersions:1.2
>       
> https://issues.apache.org/jira/projects/CLI/issues/CLI-230?filter=allopenissues
>       OptionValidator Implementation Does Not Agree With JavaDoc
>       affectsVersions:1.2
>       
> https://issues.apache.org/jira/projects/CLI/issues/CLI-241?filter=allopenissues
>       8. commons-collections commons-collections
>       version: 3.2.1
>       Jira issues:
>       Inconsistent Javadoc comment and code in addIgnoreNull(Collection<T>; 
> T) in org.apache.commons.collections.CollectionUtils
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-400?filter=allopenissues
>       ListUtils.subtract is very slow 
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-406?filter=allopenissues
>       ListOrderedSet.removeAll() is slow
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-407?filter=allopenissues
>       ListOrderedSet.addAll() is very slow
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-409?filter=allopenissues
>       Performance problem in DualHashBidiMap
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-413?filter=allopenissues
>       AbstractLinkedList.removeAll() is very slow
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-415?filter=allopenissues
>       AbstractLinkedList.retainAll() is very slow
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-417?filter=allopenissues
>       Surprising exception by CompositeSet in a situation where 
> CompositeCollection works fine
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-424?filter=allopenissues
>       performance problem in ListOrderedMap.remove()
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-425?filter=allopenissues
>       performance problem in ListOrderedSet.retainAll()
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-426?filter=allopenissues
>       performance problem in SetUniqueList.retainAll()
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-427?filter=allopenissues
>       SetUniqueList may become inconsistent
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-444?filter=allopenissues
>       findBugs Warnings: several classes in package functors may expose their 
> internal representation
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-453?filter=allopenissues
>       findBugs Warning: Flat3Map - 3 iterators which are "both an Iterator 
> and a Map.Entry"
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-454?filter=allopenissues
>       wasted work in AbstractMapBag.containsAll()
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-472?filter=allopenissues
>       ListOrderedSet can have duplicates
>       affectsVersions:3.2.1;4.0
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-524?filter=allopenissues
>       ExtendedProperties causes AccessControlException when framework is 
> called from a script
>       affectsVersions:3.2.1
>       
> https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-538?filter=allopenissues
>       9. commons-io commons-io
>       version: 1.4
>       Jira issues:
>       FileCleaningTrackerTestCase hangs
>       affectsVersions:1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-161?filter=allopenissues
>       Fix case-insensitive string handling
>       affectsVersions:1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-167?filter=allopenissues
>       Symbolic links (symlinks) followed when deleting directory.
>       affectsVersions:1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-168?filter=allopenissues
>       StringIndexOutOfBounds exception on FilenameUtils.getPathNoEndSeparator
>       affectsVersions:1.3.2;1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-179?filter=allopenissues
>       FileSystemUtils.freeSpaceWindows blocks
>       affectsVersions:1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-185?filter=allopenissues
>       FileSystemUtils.freeSpaceKb doesn't work with relative paths on Linux
>       affectsVersions:1.2;1.3;1.3.1;1.3.2;1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-187?filter=allopenissues
>       CountingInputStream/CountingOutputStream only partially synchronized
>       affectsVersions:1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-201?filter=allopenissues
>       NotFileFilter documentation is incorrect
>       affectsVersions:1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-202?filter=allopenissues
>       Manifest for OSGi has invalid syntax
>       affectsVersions:1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-204?filter=allopenissues
>       FileSystemUtils.freeSpaceKb fails to return correct size for a windows 
> mount point
>       affectsVersions:1.4;2.0;3.x
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-209?filter=allopenissues
>       Delete files quietly when an exception is thrown during initialization
>       affectsVersions:1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-216?filter=allopenissues
>       FileUtils.copyDirectoryToDirectory makes infinite loops
>       affectsVersions:1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-217?filter=allopenissues
>       FileCleaningTracker Vector performs badly under load
>       affectsVersions:1.0;1.1;1.2;1.3;1.3.1;1.3.2;1.4;2.0;3.x
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-220?filter=allopenissues
>       IOUtils.copy Javadoc inconsistency (return -1 vs. throw 
> ArithmeticException)
>       affectsVersions:1.3;1.3.1;1.3.2;1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-223?filter=allopenissues
>       FileUtils generate wrong exception message in isFileNewer method
>       affectsVersions:1.4
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-231?filter=allopenissues
>       10. commons-io commons-io
>       version: 2.5
>       Jira issues:
>       ant test fails - resources missing from test classpath
>       affectsVersions:2.5
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-451?filter=allopenissues
>       Exceptions are suppressed incorrectly when copying files.
>       affectsVersions:2.4;2.5
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-502?filter=allopenissues
>       ThresholdingOutputStream.thresholdReached() results in 
> FileNotFoundException
>       affectsVersions:2.5
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-512?filter=allopenissues
>       Tailer.run race condition runaway logging
>       affectsVersions:2.5
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-528?filter=allopenissues
>       Thread bug in FileAlterationMonitor#stop(int)
>       affectsVersions:2.5
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-535?filter=allopenissues
>       2.5 ExceptionInInitializerError
>       affectsVersions:2.5
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-536?filter=allopenissues
>       11. commons-codec commons-codec
>       version: 1.3
>       Jira issues:
>       [codec] Using US_ENGLISH static in Soundex causes NPE
>       affectsVersions:1.3
>       
> https://issues.apache.org/jira/projects/CODEC/issues/CODEC-10?filter=allopenissues
>       org.apache.commons.codec.net.URLCodec.ESCAPE_CHAR isn't final but 
> should be
>       affectsVersions:1.2;1.3;1.4
>       
> https://issues.apache.org/jira/projects/CODEC/issues/CODEC-111?filter=allopenissues
>       [codec] Base64.isArrayByteBase64() throws an 
> ArrayIndexOutOfBoundsException for negative octets.
>       affectsVersions:1.3
>       
> https://issues.apache.org/jira/projects/CODEC/issues/CODEC-22?filter=allopenissues
>       [codec] Source tarball spews files all over the place
>       affectsVersions:1.3
>       
> https://issues.apache.org/jira/projects/CODEC/issues/CODEC-6?filter=allopenissues
>       Base64.encodeBase64() throws NegativeArraySizeException on large files
>       affectsVersions:1.3
>       
> https://issues.apache.org/jira/projects/CODEC/issues/CODEC-61?filter=allopenissues
>       Fix case-insensitive string handling
>       affectsVersions:1.3
>       
> https://issues.apache.org/jira/projects/CODEC/issues/CODEC-65?filter=allopenissues
>       Make string2byte conversions indepedent of platform default encoding
>       affectsVersions:1.3
>       
> https://issues.apache.org/jira/projects/CODEC/issues/CODEC-73?filter=allopenissues
>       All links to fixed bugs in the "Changes Report" 
> http://commons.apache.org/codec/changes-report.html point nowhere; e.g. 
> http://issues.apache.org/jira/browse/34157. Looks as if all JIRA tickets were 
> renumbered.
>       affectsVersions:1.1;1.2;1.3;1.4
>       
> https://issues.apache.org/jira/projects/CODEC/issues/CODEC-76?filter=allopenissues
>       12. org.slf4j slf4j-api
>       version: 1.7.21
>       Jira issues:
>       Cannot re-initialize the SimpleLogger anymore.
>       affectsVersions:1.7.21
>       https://jira.qos.ch/projects/SLF4J/issues/SLF4J-370?filter=allopenissues
>       Marker lost in EventRecodingLogger
>       affectsVersions:1.7.21
>       https://jira.qos.ch/projects/SLF4J/issues/SLF4J-379?filter=allopenissues
>       Support for JCL 1.2
>       affectsVersions:1.7.21
>       https://jira.qos.ch/projects/SLF4J/issues/SLF4J-383?filter=allopenissues
>       13. commons-lang commons-lang
>       version: 2.6
>       Jira issues:
>       Remove unnecessary synchronization from registry lookup in 
> EqualsBuilder and HashCodeBuilder
>       affectsVersions:2.6
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1230?filter=allopenissues
>       LocaleUtils - DCL idiom is not thread-safe
>       affectsVersions:2.6
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-803?filter=allopenissues
>       Exception when combining custom and choice format in 
> ExtendedMessageFormat
>       affectsVersions:2.5;2.6
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues
>       14. org.apache.commons commons-lang3
>       version: 3.3
>       Jira issues:
>       SerializationUtils.ClassLoaderAwareObjectInputStream should use static 
> initializer to initialize primitiveTypes map.
>       affectsVersions:3.2;3.3;3.4
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1251?filter=allopenissues
>       Failing tests with Java 8 b128
>       affectsVersions:3.3
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-978?filter=allopenissues
>       NumberUtils#createNumber() returns positive BigDecimal when negative 
> Float is expected
>       affectsVersions:3.x
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-1087?filter=allopenissues
>       15. commons-lang commons-lang
>       version: 2.5
>       Jira issues:
>       Testing with JDK 1.7
>       affectsVersions:2.5
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-593?filter=allopenissues
>       Some StringUtils methods should take an int character instead of char 
> to use String API features.
>       affectsVersions:2.5
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-608?filter=allopenissues
>       SystemUtils.getJavaVersionAsFloat throws 
> StringIndexOutOfBoundsException on Android runtime/Dalvik VM
>       affectsVersions:2.5
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-624?filter=allopenissues
>       NumberUtils createNumber throws a StringIndexOutOfBoundsException when 
> argument containing "e" and "E" is passed in
>       affectsVersions:2.5
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-638?filter=allopenissues
>       FastDateFormat.format() outputs incorrect week of year because locale 
> isn't respected
>       affectsVersions:2.5
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-645?filter=allopenissues
>       Exception when combining custom and choice format in 
> ExtendedMessageFormat
>       affectsVersions:2.5;2.6
>       
> https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues
> Sincerely~
> FDU Software Engineering Lab
> Feb 15th,2019



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
