Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2019/01/07 06:42:38 UTC
[GitHub] FDU-SE-LAB opened a new issue #6812: Your project druid-io/druid is using buggy third-party libraries [WARNING]
URL: https://github.com/apache/incubator-druid/issues/6812
Hi, there!
We are a research team working on third-party library analysis. We have found that some widely-used third-party libraries in your project have major/critical bugs, which will degrade the quality of your project. We highly recommend that you update those libraries to new versions.
We have attached the buggy third-party libraries and corresponding jira issue links below for you to have more detailed information.
1 org.apache.httpcomponents httpclient (pom in maven central)
version: 4.5.3
Jira issues:
Possible bug in URIBuilder
affectsVersions:4.5.3
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1831?filter=allopenissues
RuntimeException from WindowsNegotiateScheme: Unexpected token
affectsVersions:4.5.3
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1833?filter=allopenissues
DefaultServiceUnavailableRetryStrategy does not respect HttpEntity#isRepeatable
affectsVersions:4.5.3
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1865?filter=allopenissues
connection should revert to SocketConfig's soTimeout
affectsVersions:4.5.3
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1879?filter=allopenissues
NTLM authentication against ntlm.herokuapp.com
affectsVersions:4.5.3
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1881?filter=allopenissues
connection leak issue when OutOfMemory
affectsVersions:4.5.3;4.5.4;4.5.5
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1924?filter=allopenissues
org.apache.http.conn.ssl.SSLSocketFactory no longer throws ConnectTimeoutException
affectsVersions:4.5.3
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1940?filter=allopenissues
2 commons-cli commons-cli (pom.xml)
version: 1.2
Jira issues:
Unable to select a pure long option in a group
affectsVersions:1.0;1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-182?filter=allopenissues
Clear the selection from the groups before parsing
affectsVersions:1.0;1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-183?filter=allopenissues
Commons CLI incorrectly stripping leading and trailing quotes
affectsVersions:1.1;1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-185?filter=allopenissues
Coding error: OptionGroup.setSelected causes java.lang.NullPointerException
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-191?filter=allopenissues
StringIndexOutOfBoundsException in HelpFormatter.findWrapPos
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-193?filter=allopenissues
HelpFormatter strips leading whitespaces in the footer
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-207?filter=allopenissues
OptionBuilder only has static methods; yet many return an OptionBuilder instance
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-224?filter=allopenissues
Unable to properly require options
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-230?filter=allopenissues
OptionValidator Implementation Does Not Agree With JavaDoc
affectsVersions:1.2
https://issues.apache.org/jira/projects/CLI/issues/CLI-241?filter=allopenissues
3 commons-io commons-io (pom.xml)
version: 2.5
Jira issues:
ant test fails - resources missing from test classpath
affectsVersions:2.5
https://issues.apache.org/jira/projects/IO/issues/IO-451?filter=allopenissues
Exceptions are suppressed incorrectly when copying files.
affectsVersions:2.4;2.5
https://issues.apache.org/jira/projects/IO/issues/IO-502?filter=allopenissues
ThresholdingOutputStream.thresholdReached() results in FileNotFoundException
affectsVersions:2.5
https://issues.apache.org/jira/projects/IO/issues/IO-512?filter=allopenissues
Tailer.run race condition runaway logging
affectsVersions:2.5
https://issues.apache.org/jira/projects/IO/issues/IO-528?filter=allopenissues
Thread bug in FileAlterationMonitor#stop(int)
affectsVersions:2.5
https://issues.apache.org/jira/projects/IO/issues/IO-535?filter=allopenissues
2.5 ExceptionInInitializerError
affectsVersions:2.5
https://issues.apache.org/jira/projects/IO/issues/IO-536?filter=allopenissues
4 org.apache.logging.log4j log4j-core (pom.xml)
version: 2.5
Jira issues:
ThreadLocal leak [AsyncLogger$Info] on Tomcat when using AsyncLoggerContextSelector
affectsVersions:2.4;2.4.1;2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1172?filter=allopenissues
Memory leak from first loaded web app when log4j jars are in Tomcat's lib folder
affectsVersions:2.4.1;2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1176?filter=allopenissues
Initializing Logger during JVM shutdown fails with FATAL error
affectsVersions:2.4;2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1222?filter=allopenissues
Message instances are simply serialized. They mustn't.
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1226?filter=allopenissues
NullPointerException in MapLookup.lookup is the event is null
affectsVersions:2.4;2.4.1;2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1227?filter=allopenissues
Don't concatenate SYSLOG Messages
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1230?filter=allopenissues
org.apache.logging.log4j.core.appender.routing.IdlePurgePolicy not working correctly
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1235?filter=allopenissues
org.apache.logging.log4j.core.net.TcpSocketManager and other classes does not report internal exceptions to the status logger
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1238?filter=allopenissues
Faulty placeholder substitution in config xml
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1243?filter=allopenissues
PatternLayout Nano timestamp does not work
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1248?filter=allopenissues
Update Jackson from 2.6.4 to 2.7.0
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1249?filter=allopenissues
Update LMAX Disruptor from 3.3.2 to 3.3.4
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1253?filter=allopenissues
TlsSyslogFrame calculates message length incorrectly
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1260?filter=allopenissues
Log4jServletContextListener unnecessary exception
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1262?filter=allopenissues
log4j2.properties: monitorInterval has no effect
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1263?filter=allopenissues
AsyncLogger should use thread-local translator by default
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1269?filter=allopenissues
Logger methods taking Supplier<?> parameters should check if supplied value is Message
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1280?filter=allopenissues
Change flow logging text from "entry' to "Enter" and "exit" to "Exit"
affectsVersions:2.0;2.0.1;2.0.2;2.1;2.2;2.3;2.4;2.4.1;2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1289?filter=allopenissues
Update Kafka client from 0.9.0.0 to 0.9.0.1
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1294?filter=allopenissues
Remove serializability from classes that don't need it
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1300?filter=allopenissues
Configuration file error does not show cause exception
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1309?filter=allopenissues
JndiLookup mindlessly casts to String and should use String.valueOf()
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1310?filter=allopenissues
SocketAppender will lose several events after re-connection to server
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1311?filter=allopenissues
<Property name="" value="" /> not working
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1313?filter=allopenissues
LoggerContext#getLogger causes heavy GC overhead
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1318?filter=allopenissues
Custom plugins are not loaded; URL protocol vfs is not supported
affectsVersions:2.5;2.6.2
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1320?filter=allopenissues
LoggerFactory in 1.2 API module is not compatible with 1.2
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1336?filter=allopenissues
AsyncLogger should not call instanceof TimestampMessage in hot path
affectsVersions:2.0.1;2.0.2;2.1;2.2;2.3;2.4;2.4.1;2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1339?filter=allopenissues
includeLocation doesn't work when using PropertiesConfiguration
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1363?filter=allopenissues
Status logger drops/ignores exception
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1368?filter=allopenissues
"xz" compression results in plaintext; uncompressed files.
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1369?filter=allopenissues
Update Jackson 2.7.3 to 2.7.4
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1380?filter=allopenissues
Memory leak related to shutdown hook
affectsVersions:2.5
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1387?filter=allopenissues
NPE in Level.isInRange
affectsVersions:2.4;2.4.1;2.5;2.6;2.6.1;2.6.2
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1559?filter=allopenissues
Some LogEvents may not carry a Throwable (Use Message.getThrowable() in log(Message) methods)
affectsVersions:2.5;2.6;2.7
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1676?filter=allopenissues
Configurations with multiple root loggers should fail loudly
affectsVersions:2.0;2.1;2.2;2.3;2.4;2.5;2.6;2.7;2.8
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-1954?filter=allopenissues
Configuration builder classes should look for "onMismatch"; not "onMisMatch".
affectsVersions:2.4;2.4.1;2.5;2.6;2.6.1;2.6.2;2.7;2.8;2.8.1;2.8.2;2.9.0;2.10.0
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2219?filter=allopenissues
5 commons-lang commons-lang (pom.xml)
version: 2.6
Jira issues:
Remove unnecessary synchronization from registry lookup in EqualsBuilder and HashCodeBuilder
affectsVersions:2.6
https://issues.apache.org/jira/projects/LANG/issues/LANG-1230?filter=allopenissues
LocaleUtils - DCL idiom is not thread-safe
affectsVersions:2.6
https://issues.apache.org/jira/projects/LANG/issues/LANG-803?filter=allopenissues
Exception when combining custom and choice format in ExtendedMessageFormat
affectsVersions:2.5;2.6
https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues
Sincerely~
FDU Software Engineering Lab
Jan 7th, 2019