Impetus / kundera

A JPA 2.1 compliant Polyglot Object-Datastore Mapping Library for NoSQL Datastores. Please subscribe to:
http://groups.google.com/group/kundera-discuss/subscribe
Apache License 2.0

Your project impetus-opensource Kundera is using buggy third-party libraries [WARNING] #1033

Open FDUSELAB2 opened 5 years ago

FDUSELAB2 commented 5 years ago

Hi, there!

We are a research team working on third-party library analysis. We have found that some widely-used third-party libraries in your project have major/critical bugs, which will degrade the quality of your project. We highly recommend that you update those libraries to new versions.

We have attached the buggy third-party libraries and the corresponding Jira issue links below so that you can find more detailed information. We have analyzed the API calls related to the following libraries and found one library whose API call might invoke buggy methods in the library's history.

  1. commons-lang commons-lang version: 2.4
     API call in your project: org.apache.commons.lang.builder.HashCodeBuilder.toIdentityHashCodeInteger(Object)

     Jira issues:
     - StringEscapeUtils.escapeJava(String) escapes '/' characters (version: 2.4)
     - Fix case-insensitive string handling (version: 2.4)
     - StringEscapeUtils.escapeHTML() does not escape chars (0x00-0x20) (version: 2.4)
     - DateUtils.round doesn't work correctly for Calendar.AM_PM (version: 2.4)
     - Lower Ascii Characters don't get encoded by Entities.java (version: 2.4)
     - Issue in HashCodeBuilder which only shows up under high load multi-threaded usage (version: 2.4)
     - Ant build file does not include ReflectTestSuite (version: 2.4)
     - EqualsBuilder and HashCodeBuilder treat java.math.BigDecimal inconsistently and break general contract of hashCode (version: 2.4)
     - JDK 1.5 build/runtime failure on LANG-393 (EqualsBuilder) (version: 2.4)
     - ExtendedMessageFormat: OutOfMemory with custom format registry and a pattern containing single quotes (version: 2.4)
     - parseDate cannot parse ISO8601 dates produced by FastDateFormat (version: 2.4)
     - DateFormatUtils.format does not correctly change Calendar TimeZone in certain situations (version: 2.4)
     - StringUtils replaceEach - Bug or Missing Documentation (version: 2.4)
     - Javadoc wrong for StringUtils startsWith; startsWithIgnoreCase; endsWith and endsWithIgnoreCase (version: 2.4)
     - HashCodeBuilder reflectionAppend creates unnecessary copy of excludeFields (version: 2.4)
     - ExceptionUtils uses mutable lock target (version: 2.4)
     - ClassUtils.toClass(Object[]) throws NPE on null array element (version: 2.4)
     - StringUtils lastIndexOf(String str; char searchChar; int startPos) not working (version: 2.4)

  1. org.apache.httpcomponents httpclient version: 4.2.6
     Jira issues:
     - ClientConnectionManager should honor context classloader (version: 4.2.6)
  2. commons-logging commons-logging version: 1.1.1
     Jira issues:
     - Unit tests fail on linux with java16 (version: 1.1.1)
     - deadlock on re-registration of logger (version: 1.1.1)
     - Potential missing privileged block for class loader (version: 1.1.1)
     - Log4JLogger uses deprecated static members of Priority such as INFO (version: 1.1.1)
     - LogFactory/LogFactoryImpl ignore Throwable (version: 1.1.1)
     - LogFactory.nullClassLoaderFactory is not properly synchronized (version: 1.1.1)
     - SimpleLog.log - unsafe update of shortLogName (version: 1.1.1)
     - BufferedReader is not closed properly (versions: 1.1.1; 1.2)
  3. commons-io commons-io version: 2.4
     Jira issues:
     - IOUtils copyLarge() and skip() methods are performance hogs (versions: 2.3; 2.4)
     - CharSequenceInputStream#reset() behaves incorrectly in case when buffer size is not dividable by data size (version: 2.4)
     - [Tailer] InterruptedException while the thread is sleeping is silently ignored (version: 2.4)
     - IOUtils.contentEquals* methods return false if input1 == input2; should return true (version: 2.4)
     - Apache Commons - standard links for documents are failing (version: 2.4)
     - Links are broken on User Guide.... (version: 2.4)
     - FileUtils.sizeOfDirectoryAsBigInteger can overflow (version: 2.4)
     - Regression in FileUtils.readFileToString from 2.0.1 (versions: 2.1; 2.2; 2.3; 2.4)
     - Correct exception message in FileUtils.getFile(File; String...) (version: 2.4)
     - org.apache.commons.io.FileUtils#waitFor waits too long (version: 2.4)
     - getPrefixLength returns -1 if unix file contains colon (version: 2.4)
     - FilenameUtils should handle embedded null bytes (version: 2.4)
     - Exceptions are suppressed incorrectly when copying files (versions: 2.4; 2.5)
  4. commons-codec commons-codec version: 1.2
     Jira issues:
     - org.apache.commons.codec.net.URLCodec.ESCAPE_CHAR isn't final but should be (versions: 1.2; 1.3; 1.4)
     - Change name of urldecode and urlencode in URLCodec (version: 1.2)
     - Provide a package.html for org/apache/commons/codec/net (version: 1.2)
     - [codec] Alterations to Binary.java and its unit test for 1.3 release (version: 1.2)
     - [Codec] Default URL encoding logic broken (version: 1.2)
     - Base64 chunked encoding not compliant with RFC 2045 section 2.1 CRLF (version: 1.2)
     - [codec] Hex converts illegal characters to 255 (version: 1.2)
     - All links to fixed bugs in the "Changes Report" http://commons.apache.org/codec/changes-report.html point nowhere; e.g. http://issues.apache.org/jira/browse/34157. Looks as if all JIRA tickets were renumbered. (versions: 1.1; 1.2; 1.3; 1.4)
  5. commons-codec commons-codec version: 1.8
     Jira issues:
     - Beider Morse does not close Scanners used to read config files (version: 1.8)

Sincerely~
FDU Software Engineering Lab
March 14th, 2019