
Exclude vulnerable commons-collections 3.2.2 SONATYPE-2024-3350

Open Akanksha-kedia opened this issue 2 months ago • 5 comments

https://nexus-iq.visa.com/assets/index.html#/vulnerabilities/SONATYPE-2024-3350

Akanksha-kedia avatar Dec 17 '25 13:12 Akanksha-kedia

@xiangfu0 @Jackie-Jiang please review and help to merge

Akanksha-kedia avatar Dec 17 '25 13:12 Akanksha-kedia

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 55.63%. Comparing base (3be9fbe) to head (758d471). :warning: Report is 7 commits behind head on master.

:exclamation: There is a different number of reports uploaded between BASE (3be9fbe) and HEAD (758d471).

HEAD has 32 uploads less than BASE

| Flag | BASE (3be9fbe) | HEAD (758d471) |
| --- | --- | --- |
| java-21 | 5 | 1 |
| unittests | 4 | 2 |
| temurin | 10 | 2 |
| java-11 | 5 | 1 |
| unittests2 | 2 | 0 |
| integration | 6 | 0 |
| integration2 | 2 | 0 |
| integration1 | 2 | 0 |
| custom-integration1 | 2 | 0 |

Additional details and impacted files

```diff
@@             Coverage Diff              @@
##             master   #17393      +/-   ##
============================================
- Coverage     63.28%   55.63%   -7.65%
+ Complexity     1474      703     -771
============================================
  Files          3147     2460     -687
  Lines        187576   138874   -48702
  Branches      28712    22138    -6574
============================================
- Hits         118712    77268   -41444
+ Misses        59663    55104    -4559
+ Partials       9201     6502    -2699
```

| Flag | Coverage Δ |
| --- | --- |
| custom-integration1 | ? |
| integration | ? |
| integration1 | ? |
| integration2 | ? |
| java-11 | 55.59% <ø> (-7.62%) :arrow_down: |
| java-21 | 55.59% <ø> (-7.64%) :arrow_down: |
| temurin | 55.63% <ø> (-7.65%) :arrow_down: |
| unittests | 55.63% <ø> (-7.65%) :arrow_down: |
| unittests1 | 55.63% <ø> (-0.02%) :arrow_down: |
| unittests2 | ? |

Flags with carried forward coverage won't be shown.


codecov-commenter avatar Dec 17 '25 14:12 codecov-commenter

commons-beanutils depends on commons-collections, and we cannot remove it. We'll need to wait until either of them releases a new version

Jackie-Jiang avatar Dec 17 '25 23:12 Jackie-Jiang

> commons-beanutils depends on commons-collections, and we cannot remove it. We'll need to wait until either of them releases a new version

Where is it being used? I guess we use commons-collections4, right?

Akanksha-kedia avatar Dec 18 '25 07:12 Akanksha-kedia

> > commons-beanutils depends on commons-collections, and we cannot remove it. We'll need to wait until either of them releases a new version
>
> Where is it being used? I guess we use commons-collections4, right?

It is not being used directly, but commons-beanutils could use it indirectly and cause a class-not-found issue.

Jackie-Jiang avatar Dec 18 '25 20:12 Jackie-Jiang
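The two points raised in the thread, that commons-collections 3.2.2 only reaches the build through commons-beanutils (so an `<exclusion>` would have to sit on that dependency and could leave it without classes it loads at runtime), and that the presence of commons-collections4 says nothing about the 3.x line (different groupId, artifactId and Java package), can both be checked against `mvn dependency:tree` output before a POM is changed. The script below is an added example written for this discussion, not Pinot's code: it parses the default plain-text tree Maven prints, lists every path to a given groupId:artifactId, names the direct dependency that carries it in (where an exclusion would go) and reports whether the module declares it directly. `SAMPLE_TREE` is constructed output; apart from commons-collections 3.2.2 the module names and versions in it are made up, and `mvn -Dverbose` "omitted" lines are not handled.

```python
"""Trace how an artifact enters a Maven build from `mvn dependency:tree` output.

Added example for the thread above; not part of Apache Pinot. Parses the
default (non-verbose) text tree and reports which direct dependency carries a
given artifact in and whether it is also declared directly.
"""
import re
from dataclasses import dataclass

# One node line of `mvn dependency:tree`. Maven prefixes lines with "[INFO] ";
# the glyphs "|  ", "+- " and "\- " encode nesting, three characters per level.
# A coordinate has at least four ':'-separated fields
# (groupId:artifactId:type[:classifier]:version[:scope]), which keeps plugin
# banners and "BUILD SUCCESS" lines from matching.
LINE_RE = re.compile(
    r"^(?:\[INFO\]\s)?"
    r"(?P<prefix>(?:[| ]  )*(?:[+\\]- )?)"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,})$"
)


@dataclass
class Coord:
    group: str
    artifact: str
    version: str
    scope: str
    raw: str

    def matches(self, group: str, artifact: str) -> bool:
        return self.group == group and self.artifact == artifact


def parse_coord(raw: str) -> Coord:
    parts = raw.split(":")
    # The root module has no scope (g:a:type:version); every other node ends
    # with version:scope, possibly with a classifier before the version.
    if len(parts) == 4:
        return Coord(parts[0], parts[1], parts[3], "", raw)
    return Coord(parts[0], parts[1], parts[-2], parts[-1], raw)


def parse_tree(text: str) -> list[list[Coord]]:
    """Return, for every node, its path from the root module (root first)."""
    paths: list[list[Coord]] = []
    stack: list[tuple[int, Coord]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # Maven chatter, or verbose-mode "(... omitted ...)" lines
        depth = len(m.group("prefix")) // 3
        coord = parse_coord(m.group("coord"))
        while stack and stack[-1][0] >= depth:  # climb back to the parent level
            stack.pop()
        stack.append((depth, coord))
        paths.append([c for _, c in stack])
    return paths


def paths_to(text: str, group: str, artifact: str) -> list[list[Coord]]:
    return [p for p in parse_tree(text) if p[-1].matches(group, artifact)]


def exclusion_plan(text: str, group: str, artifact: str) -> dict:
    """Summarise where group:artifact comes from.

    direct       - True if the root module declares it itself (an <exclusion>
                   on another dependency would not remove it)
    exclude_from - direct dependencies whose <dependency> block would need the
                   <exclusion>; the artifact may still be loaded by them at runtime
    declared_by  - artifacts whose own POM lists it as a dependency
    paths        - readable chains from the module down to the artifact
    """
    plan = {"direct": False, "exclude_from": [], "declared_by": [], "paths": []}
    for path in paths_to(text, group, artifact):
        plan["paths"].append(" -> ".join(f"{c.group}:{c.artifact}:{c.version}" for c in path[1:]))
        if len(path) == 2:
            plan["direct"] = True
        else:
            plan["exclude_from"].append(path[1].raw)
            plan["declared_by"].append(path[-2].raw)
    for key in ("exclude_from", "declared_by"):
        plan[key] = sorted(set(plan[key]))
    return plan


# Constructed sample output; only commons-collections 3.2.2 comes from the
# thread, every other module name and version is made up for the example.
SAMPLE_TREE = r"""
[INFO] --- dependency:3.6.1:tree (default-cli) @ example-module ---
[INFO] org.example:example-module:jar:1.0.0-SNAPSHOT
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] \- org.example:example-util:jar:2.0.0:compile
[INFO]    \- org.apache.commons:commons-lang3:jar:3.14.0:compile
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    import sys
    # Usage: mvn dependency:tree > tree.txt && python3 trace_dep.py tree.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for g, a in (("commons-collections", "commons-collections"),
                 ("org.apache.commons", "commons-collections4")):
        plan = exclusion_plan(text, g, a)
        print(f"{g}:{a}: direct={plan['direct']}")
        for p in plan["paths"]:
            print("  via", p)
        for d in plan["exclude_from"]:
            print("  <exclusion> would go under", d)
```

On the sample tree the 3.x artifact has exactly one path, through commons-beanutils, so that is the only `<dependency>` an exclusion could be attached to, and commons-beanutils is the artifact that would be left to resolve `org.apache.commons.collections` classes at runtime; commons-collections4 is a direct dependency with its own package and does not replace it.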