Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2019/01/07 02:11:45 UTC
[GitHub] FDU-SE-LAB opened a new issue #666: Your project apache/rocketmq is using buggy third-party libraries [WARNING]
URL: https://github.com/apache/rocketmq/issues/666
Hi, there!
We are a research team working on third-party library analysis. We have found that some widely-used third-party libraries in your project have major/critical bugs, which will degrade the quality of your project. We highly recommend that you update those libraries to new versions.
We have attached the buggy third-party libraries and corresponding Jira issue links below for you to have more detailed information.
1 commons-cli commons-cli (pom.xml)
version: 1.2
Jira issues:
Unable to select a pure long option in a group
affectsVersions:1.0;1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-182?filter=allopenissues
Clear the selection from the groups before parsing
affectsVersions:1.0;1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-183?filter=allopenissues
Commons CLI incorrectly stripping leading and trailing quotes
affectsVersions:1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-185?filter=allopenissues
Coding error: OptionGroup.setSelected causes java.lang.NullPointerException
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-191?filter=allopenissues
StringIndexOutOfBoundsException in HelpFormatter.findWrapPos
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-193?filter=allopenissues
HelpFormatter strips leading whitespaces in the footer
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-207?filter=allopenissues
OptionBuilder only has static methods; yet many return an OptionBuilder instance
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-224?filter=allopenissues
Unable to properly require options
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-230?filter=allopenissues
OptionValidator Implementation Does Not Agree With JavaDoc
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-241?filter=allopenissues
2 org.apache.logging.log4j log4j-core (pom.xml)
version: 2.7
Jira issues:
ClassCastException at shutdown with JUL: casting SimpleLogger to Logger
affectsVersions:2.6.2;2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1618?filter=allopenissues
OSGi support is broken in Log4j2 2.7
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1637?filter=allopenissues
RollingFileAppender with CronTriggeringPolicy broken?
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1640?filter=allopenissues
DefaultShutdownCallbackRegistry can throw a NoClassDefFoundError
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1642?filter=allopenissues
CronTriggeringPolicy breaks awefully when using "reconfigure" of LoggerContext
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1649?filter=allopenissues
CronTriggeringPolicy uses wrong naming and produces NPE
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1653?filter=allopenissues
2.7 - ThreadContextAccess.getThreadContextMap NPE when specifying BasicContextSelector
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1658?filter=allopenissues
Some LogEvents may not carry a Throwable (Use Message.getThrowable() in log(Message) methods)
affectsVersions:2.5;2.6;2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1676?filter=allopenissues
Logger using LocalizedMessageFactory prints key instead of message
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1682?filter=allopenissues
NPE in ThrowableProxy when resolving stack in Java EE/OSGi environment
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1687?filter=allopenissues
Message parameter array elements are set to null during logging in garbage-free mode
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1688?filter=allopenissues
StringBuilderFormattable Messages should used cached formatted message if it exists
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1719?filter=allopenissues
RollingFileAppender's filePattern not reloaded when using monitorInterval
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1725?filter=allopenissues
SslSocketManager should respect connectTimeoutMillis
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1731?filter=allopenissues
SslSocketManagerFactory might leak Sockets when certain startup errors occur
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1734?filter=allopenissues
Update Jackson from 2.8.4 to 2.8.5
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1735?filter=allopenissues
TcpSocketManagerFactory might leak Sockets when certain startup errors occur
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1736?filter=allopenissues
Add CronTriggeringPolicy programmatically leads to NPE
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1740?filter=allopenissues
CompositeConfiguration does not add filters to appenderRefs
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1743?filter=allopenissues
Custom logger Generate tool should not require log4j-api dependency
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1744?filter=allopenissues
RollingFile appender prevents a stand alone application to terminate for as long as 60 sec
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1748?filter=allopenissues
Adds xmlns in schema and some other tags
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1756?filter=allopenissues
JsonLayout Throwing Exceptions And Producing Broken Logs
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1769?filter=allopenissues
Eliminate the use of the ExecutorServices in the LoggerContext
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1780?filter=allopenissues
API Version is incorrect
affectsVersions:2.6;2.6.1;2.6.2;2.7;2.8;2.8.1
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1836?filter=allopenissues
AsyncLogger and message formatting (ConcurrentModificationException)
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1914?filter=allopenissues
Configurations with multiple root loggers should fail loudly
affectsVersions:2.0;2.1;2.2;2.3;2.4;2.5;2.6;2.7;2.8
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1954?filter=allopenissues
TcpSocketServer does not replace any “{}” in message
affectsVersions:2.6.2;2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1969?filter=allopenissues
Log4J JUL Bridge and RMI Security Manager causes access denied ("java.util.logging.LoggingPermission" "control")
affectsVersions:2.7;2.8.2
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1987?filter=allopenissues
No compression when using a separate drive in Linux
affectsVersions:2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2012?filter=allopenissues
Configuration builder classes should look for "onMismatch"; not "onMisMatch".
affectsVersions:2.4;2.4.1;2.5;2.6;2.6.1;2.6.2;2.7;2.8;2.8.1;2.8.2;2.9.0;2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2219?filter=allopenissues
fix the CacheEntry map in ThrowableProxy#toExtendedStackTrace to be put and gotten with same key
affectsVersions:2.6.2;2.7;2.8;2.8.1;2.8.2;2.9.0;2.9.1;2.10.0;2.11.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2389?filter=allopenissues
3 ch.qos.logback logback-classic (pom.xml)
version: 1.0.13
Jira issues:
Prudent FileAppender is stopped if a thread is ever interrupted prior to a logging call
affectsVersions:1.0.13
https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-875?filter=allopenissues
Deadlock in RollingFileAppender
affectsVersions:1.0.13
https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-891?filter=allopenissues
SocketAppender causes Deadlock
affectsVersions:1.0.13
https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-896?filter=allopenissues
SMTPAppender synchronization problem in Asynchronous mode
affectsVersions:1.0.13
https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-909?filter=allopenissues
AsyncAppenderBase swallows InterruptedException
affectsVersions:1.0.13
https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-910?filter=allopenissues
LoggerEvents are lost when sending over the SocketAppender
affectsVersions:1.0.13
https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-942?filter=allopenissues
SyslogAppenderBase.stop() should check for non-null syslog output stream (sos) before calling close()
affectsVersions:1.0.13
https://jira.qos.ch/projects/LOGBACK/issues/LOGBACK-960?filter=allopenissues
4 org.apache.commons commons-lang3 (pom.xml)
version: 3.4
Jira issues:
TypeUtils.ParameterizedType#equals doesn't work with wildcard types
affectsVersions:3.3.2;3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1114?filter=allopenissues
DateUtilsTest.testLang530 fails for some timezones
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1116?filter=allopenissues
StringUtils.stripAccents from "Ł" and "ł"
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1120?filter=allopenissues
JsonToStringStyle doesn't handle chars and objects correctly
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1128?filter=allopenissues
ReflectionToStringBuilder doesn't throw IllegalArgumentException when the constructor's object param is null
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1132?filter=allopenissues
StrLookup.systemPropertiesLookup() no longer reacts on changes on system properties
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1141?filter=allopenissues
StringUtils#capitalize: Javadoc says toTitleCase; code uses toUpperCase
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1142?filter=allopenissues
Multiple calls of org.apache.commons.lang3.concurrent.LazyInitializer.initialize() are possible
affectsVersions:3.4;3.5
https://issues.apache.org/jira/projects/LANG/issues/LANG-1144?filter=allopenissues
EnumUtils *BitVector issue with more than 32 values Enum
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1147?filter=allopenissues
StringUtils#equals fails with Index OOBE on non-Strings with identical leading prefix
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1162?filter=allopenissues
There are no tests for CharSequenceUtils.regionMatches
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1163?filter=allopenissues
ArrayUtils.removeAll(Object array; int... indices) should do the clone; not its callers
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1178?filter=allopenissues
TypeUtils.isAssignable throws NullPointerException when fromType has type variables and toType generic superclass specifies type variable
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1190?filter=allopenissues
FastDateFormat does not support the week-year component (uppercase 'Y')
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1192?filter=allopenissues
ordinalIndexOf("abc"; "ab"; 1) gives incorrect answer of -1 (correct answer should be 0)
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1193?filter=allopenissues
Fix implementation of StringUtils.getJaroWinklerDistance()
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1199?filter=allopenissues
parseDateStrictly does't pass specified locale
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1202?filter=allopenissues
ClassUtils.getClass(ClassLoader; String) fails for "void"
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1214?filter=allopenissues
NumberUtils.isNumber bug
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1216?filter=allopenissues
FastDateFormat doesn't respect summer daylight in localized strings
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1219?filter=allopenissues
StringUtils#normalizeSpace does not trim the string anymore
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1226?filter=allopenissues
DiffBuilder: Add null check on fieldName when appending Object or Object[]
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1232?filter=allopenissues
FastDatePrinter Memory allocation regression
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1248?filter=allopenissues
SerializationUtils.ClassLoaderAwareObjectInputStream should use static initializer to initialize primitiveTypes map.
affectsVersions:3.2;3.3;3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1251?filter=allopenissues
NumberUtils.isNumber and NumberUtils.createNumber resolve inconsistently
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1252?filter=allopenissues
ArrayUtils.contains returns false for instances of subtypes
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1261?filter=allopenissues
CompareToBuilder.append(Object;Object;Comparator) method is too big to be inlined
affectsVersions:3.4
https://issues.apache.org/jira/projects/LANG/issues/LANG-1262?filter=allopenissues
StrBuilder#replaceAll ArrayIndexOutOfBoundsException
affectsVersions:3.2.1;3.4;3.5
https://issues.apache.org/jira/projects/LANG/issues/LANG-1276?filter=allopenissues
Sincerely~
FDU Software Engineering Lab
Jan 7th, 2019