Ran Tao created FLINK-30274:
-------------------------------

             Summary: Add commons-collections4 to replace commons-collections 3.x
                 Key: FLINK-30274
                 URL: https://issues.apache.org/jira/browse/FLINK-30274
             Project: Flink
          Issue Type: Improvement
          Components: Build System
    Affects Versions: 1.16.0
            Reporter: Ran Tao
         Attachments: image-2022-12-02-16-40-22-172.png

First, Apache commons-collections 3.x is a Java 1.3 compatible version, and it does not use Java 5 generics. Apache commons-collections4 4.4 is an upgraded version of commons-collections and it is built with Java 8.

Second, Apache commons-collections 3.x is vulnerable. See Cx78f40514-81ff: https://devhub.checkmarx.com/cve-details/Cx78f40514-81ff/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea

We can upgrade this dependency, but I found that currently 3.x was used by flink-core in many places. So at least we need to offer commons-collections4 support to forbid further usages.

Apache Spark has the same issue: https://github.com/apache/spark/pull/35257
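
The request above to forbid new 3.x usages could be enforced with a source check that fails the build on any import from the 3.x package. This is an added example, not part of the original message or of Flink's build; it relies on 3.x living in org.apache.commons.collections and 4.x in org.apache.commons.collections4, and the sample file names and contents are constructed.

```python
import re

# Constructed sample sources; file names and contents are made up for illustration.
SAMPLE_SOURCES = {
    "LegacyUtil.java": """\
package example;

import org.apache.commons.collections.CollectionUtils;
import static org.apache.commons.collections.MapUtils.isEmpty;
// import org.apache.commons.collections.map.LRUMap;
""",
    "ModernUtil.java": """\
package example;

import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.map.LRUMap;
""",
    "Wildcard.java": "import org.apache.commons.collections.*;\n",
}

# The 3.x package name must be followed by a dot, so the 4.x package
# "org.apache.commons.collections4" is not caught by the same prefix.
# Anchoring on "import" at line start also skips //-commented imports.
LEGACY_IMPORT = re.compile(
    r"^\s*import\s+(?:static\s+)?(org\.apache\.commons\.collections\.[\w.*]+)\s*;"
)

def find_legacy_imports(sources):
    """Return sorted (file, line_number, imported_name) for each 3.x import."""
    findings = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = LEGACY_IMPORT.match(line)
            if match:
                findings.append((name, lineno, match.group(1)))
    return sorted(findings)

def check(sources):
    """Exit status for a build gate: 1 if any 3.x import exists, else 0."""
    findings = find_legacy_imports(sources)
    for name, lineno, imported in findings:
        print(f"{name}:{lineno}: legacy commons-collections 3.x import: {imported}")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(check(SAMPLE_SOURCES))
```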