Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Your project Huawei-Hadoop hindex is using buggy third-party libraries [WARNING] #62

Open
FDUSELAB2 opened this issue Mar 14, 2019 · 0 comments

Comments

@FDUSELAB2
Copy link

Hi, there!

We are a research team working on third-party library analysis. We have found that some widely-used third-party libraries in your project have major/critical bugs, which will degrade the quality of your project. We highly recommend you to update those libraries to new versions.

We have attached the buggy third-party libraries and corresponding jira issue links below for you to have more detailed information. We have analyzed the api call related to the following libraries and found one library that is using the API call that might invoke buggy methods in the library of the history.

  1. commons-logging commons-logging
    version: 1.1.1
    Jira issues:
    Unit tests fail on linux with java16
    deadlock on re-registration of logger
    Potential missing privileged block for class loader
    Log4JLogger uses deprecated static members of Priority such as INFO
    LogFactory/LogFactoryImpl ingore Throwable
    LogFactory.nullClassLoaderFactory is not properly synchronized
    SimpleLog.log - unsafe update of shortLogName
    BufferedReader is not closed properly
  2. commons-cli commons-cli
    version: 1.2
    Jira issues:
    Unable to select a pure long option in a group
    Clear the selection from the groups before parsing
    Commons CLI incorrectly stripping leading and trailing quotes
    Coding error: OptionGroup.setSelected causes java.lang.NullPointerException
    StringIndexOutOfBoundsException in HelpFormatter.findWrapPos
    HelpFormatter strips leading whitespaces in the footer
    OptionBuilder only has static methods; yet many return an OptionBuilder instance
    Unable to properly require options
    Download link gives HTTP/1.1 403 Forbidden
    OptionValidator Implementation Does Not Agree With JavaDoc
  3. commons-io commons-io
    version: 2.1
    Jira issues:
    Various methods of class 'org.apache.commons.io.FileUtils' incorrectly suppress 'java.io.IOException's.
    getPrefixLength returns null if filename has leading slashes
    ArrayIndexOutOfBoundsException in BOMInputStream when reading a file without BOM multiple times
    TeeOutputStream does not call branch.close() when main.close() throws an exception
    The second constructor of Tailer class does not pass 'delay' to the third one
    ReaderInputStream#read(byte[] b; int off; int len) should always return 0 for length == 0
    ReaderInputStream#read(byte[] b; int off; int len) should check for valid parameters
    FileUtils.sizeOfDirectory follows symbolic links.
    Regression in FileUtils.readFileToString from 2.0.1
  4. commons-codec commons-codec
    version: 1.4
    API call in your project:org.apache.commons.codec.binary.Base64.setInitialBuffer(byte[],int,int)

Jira issues:
Base64InputStream#read(byte[]) incorrectly returns 0 at end of any stream which is multiple of 3 bytes long
ArrayIndexOutOfBoundsException when doing multiple reads() on encoding Base64InputStream
Base64 encoding issue for larger avi files
org.apache.commons.codec.net.URLCodec.ESCAPE_CHAR isn't final but should be
org.apache.commons.codec.language.RefinedSoundex.US_ENGLISH_MAPPING should be package protected MALICIOUS_CODE
org.apache.commons.codec.language.Soundex.US_ENGLISH_MAPPING should be package protected MALICIOUS_CODE
Caverphone encodes names starting and ending with "mb" incorrectly.
All links to fixed bugs in the "Changes Report" http://commons.apache.org/codec/changes-report.html point nowhere; e.g. http://issues.apache.org/jira/browse/34157. Looks as if all JIRA tickets were renumbered.
Regression: Base64.encode(chunk=true) has bug when input length is multiple of 76
DigestUtils: MD5 checksum is not calculated correctly on linux64-platforms
new Base64().encode() appends a CRLF; and chunks results into 76 character lines
Base64 encode() method is no longer thread-safe; breaking clients using it as a shared BinaryEncoder
Base64 default constructor behaviour changed to enable chunking in 1.4
Base64InputStream causes NullPointerException on some input
Base64.encodeBase64String() shouldn't chunk
5. commons-lang commons-lang
version: 2.5
Jira issues:
Testing with JDK 1.7
Some StringUtils methods should take an int character instead of char to use String API features.
SystemUtils.getJavaVersionAsFloat throws StringIndexOutOfBoundsException on Android runtime/Dalvik VM
NumberUtils createNumber throws a StringIndexOutOfBoundsException when argument containing "e" and "E" is passed in
FastDateFormat.format() outputs incorrect week of year because locale isn't respected
RandomStringUtils.random(count; 0; 0; false; false; universe; random) always throws java.lang.ArrayIndexOutOfBoundsException
Exception when combining custom and choice format in ExtendedMessageFormat

Sincerely~
FDU Software Engineering Lab
Marth 14th,2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant