[ https://issues.apache.org/jira/browse/STORM-3338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Zowalla closed STORM-3338.
----------------------------------
    Resolution: Won't Fix

There were a lot of updates since 2019. Closing this now.

> Your project apache/storm is using buggy third-party libraries [WARNING]
> ------------------------------------------------------------------------
>
>                 Key: STORM-3338
>                 URL: https://issues.apache.org/jira/browse/STORM-3338
>             Project: Apache Storm
>          Issue Type: Bug
>            Reporter: Kaifeng Huang
>            Priority: Major
>
> Hi, there!
> We are a research team working on third-party library analysis. We have
> found that some widely-used third-party libraries in your project have
> major/critical bugs, which will degrade the quality of your project. We
> highly recommend you to update those libraries to new versions.
> We have attached the buggy third-party libraries and corresponding jira
> issue links below for you to have more detailed information.
>
> 1. commons-io commons-io
>    version: 2.6
>    Jira issues:
>        .gitattributes not correctly applied
>        affectsVersions:2.6
>        https://issues.apache.org/jira/projects/IO/issues/IO-516?filter=allopenissues
>        FilenameUtils.normalize should verify hostname syntax in UNC path
>        affectsVersions:2.6
>        https://issues.apache.org/jira/projects/IO/issues/IO-559?filter=allopenissues
>        Missing Javadoc in FilenameUtils causing Travis-CI build to fail
>        affectsVersions:2.6
>        https://issues.apache.org/jira/projects/IO/issues/IO-570?filter=allopenissues
> 2. commons-codec commons-codec
>    version: 1.11
>    Jira issues:
>        InputStream not closed
>        affectsVersions:1.10,1.11
>        https://issues.apache.org/jira/projects/CODEC/issues/CODEC-225?filter=allopenissues
> 3. org.apache.logging.log4j log4j-core
>    version: 2.11.1
>    Jira issues:
>        NameAbbreviator skips first fragments
>        affectsVersions:2.11.0,2.11.1
>        https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2365?filter=allopenissues
>        Predeployment of PersistenceUnit that using Log4j as session logger failed (#198)
>        affectsVersions:2.11.1
>        https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2397?filter=allopenissues
>        Exceptions are added to all columns when a JDBC Appender's ColumnMapping uses a Pattern
>        affectsVersions:2.11.1
>        https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2413?filter=allopenissues
>        NullPointerException when closing never used RollingRandomAccessFileAppender
>        affectsVersions:2.10.0,2.11.1
>        https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2418?filter=allopenissues
>        AbstractAppender.setHandler(null) should not set a null ErrorHandler
>        affectsVersions:3.0.0,2.11.1
>        https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2441?filter=allopenissues
>        ErrorHandler should be invoked with the failing LogEvent when possible
>        affectsVersions:3.0.0,2.11.1
>        https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2444?filter=allopenissues
>        RollingRandomAccessFileManager ignores new file patterns from programmatic reconfiguration
>        affectsVersions:2.11.1
>        https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2457?filter=allopenissues
>        ColumnMapping literal not working
>        affectsVersions:2.11.1
>        https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2466?filter=allopenissues
>        org.apache.log4j.SimpleLayout and ConsoleAppender missing in log4j-1.2-api
>        affectsVersions:2.11.1
>        https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2476?filter=allopenissues
>        BasicContextSelector cannot be used in a OSGI application
>        affectsVersions:2.11.1
>        https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2482?filter=allopenissues
> 4. org.apache.httpcomponents httpclient
>    version: 4.5.6
>    Jira issues:
>        Support relatively new HTTP 308 redirect - RFC7538
>        affectsVersions:3.1 (end of life),4.5.6
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1946?filter=allopenissues
> 5. org.apache.httpcomponents httpclient
>    version: 4.5
>    Jira issues:
>        NTLM auth failed because NTLMEngineImpl strip domain to base domain name
>        affectsVersions:4.5
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1662?filter=allopenissues
>        RequestBuilder ignores Charset
>        affectsVersions:4.5
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1667?filter=allopenissues
>        connectTimeout used as socketTimeout in Request
>        affectsVersions:4.5
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1668?filter=allopenissues
>        org.apache.http.entity.mime.content is missing from exports of OSGi bundle
>        affectsVersions:4.5
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1673?filter=allopenissues
>        307 redirect throws ClientProtocolException using POST method
>        affectsVersions:4.5
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1680?filter=allopenissues
>        ZipException occurs when content-encoding-header is set for 304-response
>        affectsVersions:4.5
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1690?filter=allopenissues
>        OSGiRoutePlanner examines only the first proxy exception and also crashes processing IP address exception
>        affectsVersions:4.4.1;4.5;5.0
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1710?filter=allopenissues
>        org.apache.http.impl.client.AbstractHttpClient#createClientConnectionManager Does not account for context class loader
>        affectsVersions:4.4.1;4.5;4.5.1;4.5.2
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1727?filter=allopenissues
>        PoolingHttpClientConnectionManager has no option to close long leased connections
>        affectsVersions:4.4.1;4.5
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1760?filter=allopenissues
> 6. org.apache.httpcomponents httpclient
>    version: 4.5.2
>    Jira issues:
>        org.apache.http.impl.client.AbstractHttpClient#createClientConnectionManager Does not account for context class loader
>        affectsVersions:4.4.1;4.5;4.5.1;4.5.2
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1727?filter=allopenissues
>        Memory Leak in OSGi support
>        affectsVersions:4.4.1;4.5.2
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1749?filter=allopenissues
>        SystemDefaultRoutePlanner: Possible null pointer dereference
>        affectsVersions:4.5.2
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1766?filter=allopenissues
>        Null pointer dereference in EofSensorInputStream and ResponseEntityProxy
>        affectsVersions:4.5.2
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1767?filter=allopenissues
>        [OSGi] WeakList needs to support "clear" method
>        affectsVersions:4.5.2;5.0 Alpha1
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1772?filter=allopenissues
>        [OSGi] HttpProxyConfigurationActivator does not unregister HttpClientBuilderFactory
>        affectsVersions:4.5.2
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1773?filter=allopenissues
>        Why is Retry around Redirect and not the other way round
>        affectsVersions:4.5.2
>        https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1800?filter=allopenissues
> 7. commons-cli commons-cli
>    version: 1.2
>    Jira issues:
>        Unable to select a pure long option in a group
>        affectsVersions:1.0;1.1;1.2
>        https://issues.apache.org/jira/projects/CLI/issues/CLI-182?filter=allopenissues
>        Clear the selection from the groups before parsing
>        affectsVersions:1.0;1.1;1.2
>        https://issues.apache.org/jira/projects/CLI/issues/CLI-183?filter=allopenissues
>        Commons CLI incorrectly stripping leading and trailing quotes
>        affectsVersions:1.1;1.2
>        https://issues.apache.org/jira/projects/CLI/issues/CLI-185?filter=allopenissues
>        Coding error: OptionGroup.setSelected causes java.lang.NullPointerException
>        affectsVersions:1.2
>        https://issues.apache.org/jira/projects/CLI/issues/CLI-191?filter=allopenissues
>        StringIndexOutOfBoundsException in HelpFormatter.findWrapPos
>        affectsVersions:1.2
>        https://issues.apache.org/jira/projects/CLI/issues/CLI-193?filter=allopenissues
>        HelpFormatter strips leading whitespaces in the footer
>        affectsVersions:1.2
>        https://issues.apache.org/jira/projects/CLI/issues/CLI-207?filter=allopenissues
>        OptionBuilder only has static methods; yet many return an OptionBuilder instance
>        affectsVersions:1.2
>        https://issues.apache.org/jira/projects/CLI/issues/CLI-224?filter=allopenissues
>        Unable to properly require options
>        affectsVersions:1.2
>        https://issues.apache.org/jira/projects/CLI/issues/CLI-230?filter=allopenissues
>        OptionValidator Implementation Does Not Agree With JavaDoc
>        affectsVersions:1.2
>        https://issues.apache.org/jira/projects/CLI/issues/CLI-241?filter=allopenissues
> 8. commons-collections commons-collections
>    version: 3.2.1
>    Jira issues:
>        Inconsistent Javadoc comment and code in addIgnoreNull(Collection<T>; T) in org.apache.commons.collections.CollectionUtils
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-400?filter=allopenissues
>        ListUtils.subtract is very slow
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-406?filter=allopenissues
>        ListOrderedSet.removeAll() is slow
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-407?filter=allopenissues
>        ListOrderedSet.addAll() is very slow
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-409?filter=allopenissues
>        Performance problem in DualHashBidiMap
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-413?filter=allopenissues
>        AbstractLinkedList.removeAll() is very slow
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-415?filter=allopenissues
>        AbstractLinkedList.retainAll() is very slow
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-417?filter=allopenissues
>        Surprising exception by CompositeSet in a situation where CompositeCollection works fine
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-424?filter=allopenissues
>        performance problem in ListOrderedMap.remove()
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-425?filter=allopenissues
>        performance problem in ListOrderedSet.retainAll()
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-426?filter=allopenissues
>        performance problem in SetUniqueList.retainAll()
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-427?filter=allopenissues
>        SetUniqueList may become inconsistent
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-444?filter=allopenissues
>        findBugs Warnings: several classes in package functors may expose their internal representation
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-453?filter=allopenissues
>        findBugs Warning: Flat3Map - 3 iterators which are "both an Iterator and a Map.Entry"
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-454?filter=allopenissues
>        wasted work in AbstractMapBag.containsAll()
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-472?filter=allopenissues
>        ListOrderedSet can have duplicates
>        affectsVersions:3.2.1;4.0
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-524?filter=allopenissues
>        ExtendedProperties causes AccessControlException when framework is called from a script
>        affectsVersions:3.2.1
>        https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS-538?filter=allopenissues
> 9. commons-io commons-io
>    version: 1.4
>    Jira issues:
>        FileCleaningTrackerTestCase hangs
>        affectsVersions:1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-161?filter=allopenissues
>        Fix case-insensitive string handling
>        affectsVersions:1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-167?filter=allopenissues
>        Symbolic links (symlinks) followed when deleting directory.
>        affectsVersions:1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-168?filter=allopenissues
>        StringIndexOutOfBounds exception on FilenameUtils.getPathNoEndSeparator
>        affectsVersions:1.3.2;1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-179?filter=allopenissues
>        FileSystemUtils.freeSpaceWindows blocks
>        affectsVersions:1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-185?filter=allopenissues
>        FileSystemUtils.freeSpaceKb doesn't work with relative paths on Linux
>        affectsVersions:1.2;1.3;1.3.1;1.3.2;1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-187?filter=allopenissues
>        CountingInputStream/CountingOutputStream only partially synchronized
>        affectsVersions:1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-201?filter=allopenissues
>        NotFileFilter documentation is incorrect
>        affectsVersions:1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-202?filter=allopenissues
>        Manifest for OSGi has invalid syntax
>        affectsVersions:1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-204?filter=allopenissues
>        FileSystemUtils.freeSpaceKb fails to return correct size for a windows mount point
>        affectsVersions:1.4;2.0;3.x
>        https://issues.apache.org/jira/projects/IO/issues/IO-209?filter=allopenissues
>        Delete files quietly when an exception is thrown during initialization
>        affectsVersions:1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-216?filter=allopenissues
>        FileUtils.copyDirectoryToDirectory makes infinite loops
>        affectsVersions:1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-217?filter=allopenissues
>        FileCleaningTracker Vector performs badly under load
>        affectsVersions:1.0;1.1;1.2;1.3;1.3.1;1.3.2;1.4;2.0;3.x
>        https://issues.apache.org/jira/projects/IO/issues/IO-220?filter=allopenissues
>        IOUtils.copy Javadoc inconsistency (return -1 vs. throw ArithmeticException)
>        affectsVersions:1.3;1.3.1;1.3.2;1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-223?filter=allopenissues
>        FileUtils generate wrong exception message in isFileNewer method
>        affectsVersions:1.4
>        https://issues.apache.org/jira/projects/IO/issues/IO-231?filter=allopenissues
> 10. commons-io commons-io
>    version: 2.5
>    Jira issues:
>        ant test fails - resources missing from test classpath
>        affectsVersions:2.5
>        https://issues.apache.org/jira/projects/IO/issues/IO-451?filter=allopenissues
>        Exceptions are suppressed incorrectly when copying files.
>        affectsVersions:2.4;2.5
>        https://issues.apache.org/jira/projects/IO/issues/IO-502?filter=allopenissues
>        ThresholdingOutputStream.thresholdReached() results in FileNotFoundException
>        affectsVersions:2.5
>        https://issues.apache.org/jira/projects/IO/issues/IO-512?filter=allopenissues
>        Tailer.run race condition runaway logging
>        affectsVersions:2.5
>        https://issues.apache.org/jira/projects/IO/issues/IO-528?filter=allopenissues
>        Thread bug in FileAlterationMonitor#stop(int)
>        affectsVersions:2.5
>        https://issues.apache.org/jira/projects/IO/issues/IO-535?filter=allopenissues
>        2.5 ExceptionInInitializerError
>        affectsVersions:2.5
>        https://issues.apache.org/jira/projects/IO/issues/IO-536?filter=allopenissues
> 11. commons-codec commons-codec
>    version: 1.3
>    Jira issues:
>        [codec] Using US_ENGLISH static in Soundex causes NPE
>        affectsVersions:1.3
>        https://issues.apache.org/jira/projects/CODEC/issues/CODEC-10?filter=allopenissues
>        org.apache.commons.codec.net.URLCodec.ESCAPE_CHAR isn't final but should be
>        affectsVersions:1.2;1.3;1.4
>        https://issues.apache.org/jira/projects/CODEC/issues/CODEC-111?filter=allopenissues
>        [codec] Base64.isArrayByteBase64() throws an ArrayIndexOutOfBoundsException for negative octets.
>        affectsVersions:1.3
>        https://issues.apache.org/jira/projects/CODEC/issues/CODEC-22?filter=allopenissues
>        [codec] Source tarball spews files all over the place
>        affectsVersions:1.3
>        https://issues.apache.org/jira/projects/CODEC/issues/CODEC-6?filter=allopenissues
>        Base64.encodeBase64() throws NegativeArraySizeException on large files
>        affectsVersions:1.3
>        https://issues.apache.org/jira/projects/CODEC/issues/CODEC-61?filter=allopenissues
>        Fix case-insensitive string handling
>        affectsVersions:1.3
>        https://issues.apache.org/jira/projects/CODEC/issues/CODEC-65?filter=allopenissues
>        Make string2byte conversions indepedent of platform default encoding
>        affectsVersions:1.3
>        https://issues.apache.org/jira/projects/CODEC/issues/CODEC-73?filter=allopenissues
>        All links to fixed bugs in the "Changes Report" http://commons.apache.org/codec/changes-report.html point nowhere; e.g. http://issues.apache.org/jira/browse/34157. Looks as if all JIRA tickets were renumbered.
>        affectsVersions:1.1;1.2;1.3;1.4
>        https://issues.apache.org/jira/projects/CODEC/issues/CODEC-76?filter=allopenissues
> 12. org.slf4j slf4j-api
>    version: 1.7.21
>    Jira issues:
>        Cannot re-initialize the SimpleLogger anymore.
>        affectsVersions:1.7.21
>        https://jira.qos.ch/projects/SLF4J/issues/SLF4J-370?filter=allopenissues
>        Marker lost in EventRecodingLogger
>        affectsVersions:1.7.21
>        https://jira.qos.ch/projects/SLF4J/issues/SLF4J-379?filter=allopenissues
>        Support for JCL 1.2
>        affectsVersions:1.7.21
>        https://jira.qos.ch/projects/SLF4J/issues/SLF4J-383?filter=allopenissues
> 13. commons-lang commons-lang
>    version: 2.6
>    Jira issues:
>        Remove unnecessary synchronization from registry lookup in EqualsBuilder and HashCodeBuilder
>        affectsVersions:2.6
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-1230?filter=allopenissues
>        LocaleUtils - DCL idiom is not thread-safe
>        affectsVersions:2.6
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-803?filter=allopenissues
>        Exception when combining custom and choice format in ExtendedMessageFormat
>        affectsVersions:2.5;2.6
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues
> 14. org.apache.commons commons-lang3
>    version: 3.3
>    Jira issues:
>        SerializationUtils.ClassLoaderAwareObjectInputStream should use static initializer to initialize primitiveTypes map.
>        affectsVersions:3.2;3.3;3.4
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-1251?filter=allopenissues
>        Failing tests with Java 8 b128
>        affectsVersions:3.3
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-978?filter=allopenissues
>        NumberUtils#createNumber() returns positive BigDecimal when negative Float is expected
>        affectsVersions:3.x
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-1087?filter=allopenissues
> 15. commons-lang commons-lang
>    version: 2.5
>    Jira issues:
>        Testing with JDK 1.7
>        affectsVersions:2.5
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-593?filter=allopenissues
>        Some StringUtils methods should take an int character instead of char to use String API features.
>        affectsVersions:2.5
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-608?filter=allopenissues
>        SystemUtils.getJavaVersionAsFloat throws StringIndexOutOfBoundsException on Android runtime/Dalvik VM
>        affectsVersions:2.5
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-624?filter=allopenissues
>        NumberUtils createNumber throws a StringIndexOutOfBoundsException when argument containing "e" and "E" is passed in
>        affectsVersions:2.5
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-638?filter=allopenissues
>        FastDateFormat.format() outputs incorrect week of year because locale isn't respected
>        affectsVersions:2.5
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-645?filter=allopenissues
>        Exception when combining custom and choice format in ExtendedMessageFormat
>        affectsVersions:2.5;2.6
>        https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues
>
> Sincerely~
> FDU Software Engineering Lab
> Feb 15th,2019

--
This message was sent by Atlassian Jira
(v8.20.10#820010)