reficio / soap-ws

Java library, based on Spring-WS, that enables handling SOAP on a purely XML level

Your project reficio soap-ws is using buggy third-party libraries [WARNING] #63

Open FDUSELAB2 opened 5 years ago

FDUSELAB2 commented 5 years ago

Hi, there!

We are a research team working on third-party library analysis. We have found that some widely-used third-party libraries in your project have major/critical bugs, which will degrade the quality of your project. We highly recommend that you update those libraries to newer versions.

We have attached the buggy third-party libraries and the corresponding Jira issue links below so that you can have more detailed information. We have analyzed the API calls related to the following libraries and found one library for which your project is using an API call that might invoke buggy methods in the library's history.

  1. org.apache.httpcomponents httpclient version: 4.2.3 API call in your project: org.apache.http.conn.ssl.SSLSocketFactory.createDefaultSSLContext()

     Jira issues:
     - GzipDecompressingEntity does not release InputStream when an IOException occurs while reading the Gzip header (version: 4.2.2; 4.2.3)
     - Unable to shutdown executor service used by AsynchronousValidator (version: 4.2.3)
     - FileNotFoundException on Cached Variant (version: 4.2.3; 4.2.4; 4.3 Beta1)
     - HttpClient -> local address binding does not work correctly (version: 4.2.3)
     - Certificate verification rejects IPv6 addresses which are not String-equal (version: 4.2.3)
     - SSLSocketFactory.createSystemSSLContext causes java.security.UnrecoverableKeyException: Password verification failed (version: 4.2.2; 4.2.3; 4.2.4; 4.3 Alpha1; 4.3 Beta1; 4.3 Final)
     - SSL handshake exceptions are hidden from application (version: 4.2.3)

  1. commons-logging commons-logging version: 1.1.1

     Jira issues:
     - Unit tests fail on linux with java16 (version: 1.1.1)
     - deadlock on re-registration of logger (version: 1.1.1)
     - Potential missing privileged block for class loader (version: 1.1.1)
     - Log4JLogger uses deprecated static members of Priority such as INFO (version: 1.1.1)
     - LogFactory/LogFactoryImpl ingore Throwable (version: 1.1.1)
     - LogFactory.nullClassLoaderFactory is not properly synchronized (version: 1.1.1)
     - SimpleLog.log - unsafe update of shortLogName (version: 1.1.1)
     - BufferedReader is not closed properly (version: 1.1.1; 1.2)

  2. commons-io commons-io version: 2.3

     Jira issues:
     - What should happen in FileUtils.sizeOf[Directory] when an overflow takes place? (version: 2.3)
     - FileUtils.writeLines uses unbuffered IO (version: 2.3)
     - BOMInputStream wrongly detects UTF-32LE_BOM files as UTF-16LE_BOM files in method getBOM() (version: 2.3)
     - Commons IO Tailer does not respect UTF-8 Charset (version: 2.3)
     - IOUtils copyLarge() and skip() methods are performance hogs (version: 2.3; 2.4)
     - Regression in FileUtils.readFileToString from 2.0.1 (version: 2.1; 2.2; 2.3; 2.4)

  3. commons-codec commons-codec version: 1.6

     Jira issues:
     - QuotedPrintableCodec does not support soft line break per the 'quoted-printable' example on Wikipedia (version: 1.5; 1.6)
     - BeiderMorseEncoder OOM issues (version: 1.6)
     - BeiderMorse phonetic filter give uncertain results (version: 1.6)
     - DigestUtils.getDigest(String) looses the orginal exception (version: 1.6)
     - DigestUtils.getDigest(String) should throw IllegalArgumentException instead of RuntimeException (version: 1.6)
     - DigestUtils: add APIs named after standard alg name SHA-1 (version: 1.6)
     - BaseNCodecOutputStream only supports writing EOF on close() (version: 1.6)

  4. org.apache.commons commons-lang3 version: 3.1

     Jira issues:
     - NumberUtils#isNumber() returns false for "+2" and true for "-2" (version: 3.1; 3.3.2)
     - NumberUtils.createNumber() behaves inconsistently with NumberUtils.isNumber() (version: 3.1)
     - TypeUtils.getTypeArguments() misses type arguments for partially-assigned classes (version: 3.1)
     - TypeUtilsTest contains incorrect type assignability assertion due to lost/skipped type variable information during the decision process (version: 3.1)
     - SerializationUtils throws ClassNotFoundException when cloning primitive classes (version: 3.1)
     - SystemUtils.IS_OS_WINDOWS_2008; VISTA are incorrect (version: 3.1)
     - LocaleUtils - unnecessary recursive call in SyncAvoid class (version: 3.1)
     - RandomStringUtils.random(count; 0; 0; false; false; universe; random) always throws java.lang.ArrayIndexOutOfBoundsException (version: 2.5; 2.6; 3.1)
     - StringUtils.join() endIndex; bugged for loop (version: 3.1)
     - StringUtils.equalsIgnoreCase doesn't check string reference equality (version: 3.1)
     - [Method|Constructor]Utils.invoke(; Object... args) variants cannot handle null values (version: 3.1)
     - Add org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS_8 (version: 3.1)
     - NumberUtils#createNumber - bad behaviour for leading "--" (version: 3.1)
     - FastDateParser does not handle non-ASCII digits correctly (version: 3.1)
     - FastDateParser does not handle non-Gregorian calendars properly (version: 3.1)
     - FastDateFormat and FastDatePrinter generates Date objects wastefully (version: 3.1)
     - LocaleUtils.toLocale does not parse strings starting with an underscore (version: 3.1)
     - LocaleUtils test fails with new Locale "ja_JPJP#u-ca-japanese" of JDK7 (version: 3.1)
     - LookupTranslator accepts CharSequence as input; but fails to work with implementations other than String (version: 3.1)
     - CLONE - DateFormatUtils.format does not correctly change Calendar TimeZone in certain situations (version: 3.1)
     - Add ArrayUtils#nullToEmpty(Class<?>[]) (version: 3.1)
     - BooleanUtils.xor(boolean...) produces wrong results (version: 3.1)
     - Test DurationFormatUtilsTest.testEdgeDuration fails in JDK 1.6; 1.7 and 1.8; BRST time zone (version: 3.1; 3.2; 3.2.1)
     - Fragments are wrong by 1 day when using fragment YEAR or MONTH (version: 3.1)
     - NumberUtils#createNumber() returns positive BigDecimal when negative Float is expected (version: 3.x)

Sincerely~
FDU Software Engineering Lab
March 14th, 2019