
#251 OpenCSV 5.9

Milestone: v1.0 (example)
Status: open
Labels: None
Priority: 9
Updated: 2025-01-10
Created: 2024-06-06
Private: No

When setting the type of a Strategy via the setType method in AbstractMappingStrategy.class a CsvBadConverterException is thrown. It turns out that as of version 5.9, OpenCSV is still using the deprecated FastHashMap implementation from Apache Commons Collections 3. However, this structure has been removed in version 4.0 and should be replaced by java.util.concurrent.ConcurrentHashMap.
This leads to the following error: java.lang.NoClassDefFoundError: org/apache/commons/collections/FastHashMap
Moreover, it would imply that Commons Collections 3.2.2 is still a dependency. Unfortunately, all versions below 4.3 suffer from the following CVE
I would be grateful if you could take this into consideration and fix it.

Best regards,
Hristo

Discussion

  • Scott Conway

    Scott Conway - 2024-06-07

    If you have a simple code sample that you can make into a unit test I will try it out. Otherwise I will test it out in the next week or so depending on when I can get free.

    Thanks for finding this. I am surprised our existing unit tests did not catch it.

     
  • Hristo Ivanov

    Hristo Ivanov - 2024-06-07

    Hi Scott,
    upon further analysis, it appears that commons-beanutils uses FastHashMap, which transitively imports commons-collections 3.2.2 into OpenCSV. This means any developer using OpenCSV who has excluded older versions of commons-collections in the pom file due to the CVE will likely encounter this error. Unfortunately, there has not been an update to commons-beanutils since 2019, suggesting that the project might have been abandoned. It would be great if you could take a look into this in your free time and see if replacing FastHashMap is a viable solution.

    [INFO] +- com.opencsv:opencsv:jar:5.9:compile
    [INFO] |  +- org.apache.commons:commons-text:jar:1.11.0:compile
    [INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
    [INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
    [INFO] |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
    [INFO] |  \- org.apache.commons:commons-collections4:jar:4.4:compile
    
     
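The reproducer Scott asks for above, written as an added example for this page; it is not code from the ticket or from the OpenCSV project. It assumes JUnit 5 on the test classpath together with the artifacts in the dependency tree above (opencsv 5.9, commons-beanutils 1.9.4, commons-collections 3.2.2), and the Person bean, the CSV text and the test class name are made up for the example. The first test exercises the setType call the ticket describes; the second makes the classpath coupling explicit, so that a build which excludes commons-collections 3.2.2 (the usual reaction to the CVE finding) fails on a clear assertion instead of on a NoClassDefFoundError buried in a CsvBadConverterException.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;

import com.opencsv.bean.CsvBindByName;
import com.opencsv.bean.CsvToBean;
import com.opencsv.bean.CsvToBeanBuilder;
import com.opencsv.bean.HeaderColumnNameMappingStrategy;
import java.io.StringReader;
import java.util.List;
import org.junit.jupiter.api.Test;

// Hypothetical test class, not part of OpenCSV.
public class FastHashMapRegressionTest {

    // Example bean; columns are bound by header name.
    public static class Person {
        @CsvBindByName(column = "name")
        private String name;

        @CsvBindByName(column = "age")
        private int age;

        public String getName() { return name; }
        public int getAge() { return age; }
    }

    // Constructed sample input so the test runs without any external file.
    private static final String CSV = "name,age\nAlice,30\nBob,41\n";

    @Test
    void setTypeWorksWhenBeanutilsDependenciesArePresent() {
        HeaderColumnNameMappingStrategy<Person> strategy = new HeaderColumnNameMappingStrategy<>();

        // This is the call the ticket reports as throwing CsvBadConverterException
        // (caused by NoClassDefFoundError: org/apache/commons/collections/FastHashMap)
        // when commons-collections 3.2.2 has been excluded from the build.
        strategy.setType(Person.class);

        CsvToBean<Person> csvToBean = new CsvToBeanBuilder<Person>(new StringReader(CSV))
                .withMappingStrategy(strategy)
                .build();
        List<Person> people = csvToBean.parse();

        assertEquals(2, people.size());
        assertEquals("Alice", people.get(0).getName());
        assertEquals(30, people.get(0).getAge());
        assertEquals("Bob", people.get(1).getName());
        assertEquals(41, people.get(1).getAge());
    }

    @Test
    void documentsTheClasspathCoupling() {
        // commons-beanutils 1.9.4 links against this class from commons-collections 3.
        // Excluding commons-collections:3.2.2 to silence the CVE finding, without
        // replacing what beanutils needs, makes this fail before setType does.
        assertTrue(isLoadable("org.apache.commons.collections.FastHashMap"),
                "commons-collections 3 is required by commons-beanutils 1.9.4; "
                        + "excluding it breaks OpenCSV's bean mapping");
    }

    // Checks presence without initializing the class, so a missing transitive
    // dependency is reported as a plain boolean rather than a linkage error.
    static boolean isLoadable(String className) {
        try {
            Class.forName(className, false, FastHashMapRegressionTest.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }
}
```

Run it once with the dependency tree exactly as shown above (both tests pass), then again with a Maven exclusion of commons-collections:commons-collections under the opencsv dependency: the second test then fails with the explanatory message, which is the situation the ticket describes. Note that the exclusion only hides the vulnerable jar from the scanner while leaving beanutils 1.9.4 still compiled against it; it does not by itself remove the exposure, and the fix the thread converges on is a commons-beanutils release that depends on commons-collections4 instead.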
  • Scott Conway

    Scott Conway - 2024-06-08

    Yeah I am going to close this one. I agree with you with the sentiment about commons-beanutils being a dead project but there is a story here and I wished I knew what it was. If you check you will find that back in 2017 there was an Apache commons-beanutils2 created in 2014 but looking at the git branches the first checkin referencing beanutils2 was 2017 (https://commons.apache.org/sandbox/commons-beanutils2/index.html). And looking at the git repo (https://github.com/apache/commons-beanutils) it is still being actively developed but most of the merges this year have been dependency updates. So honestly this whole project has been in development hell and I do not know why. The only thing I can think of is either politics or the main developers have left - though if it was the latter I would not expect to see so many merges on the branch.

     
  • Jeff Thomas

    Jeff Thomas - 2024-06-21

    Hi Scott, came here looking for this exact ticket because of the CVE vulnerability lighting up in my IDE.

    Just a hint, the last code changes in beanutils were just 3 days ago.

    Maybe it is possible to message the maintainer Gary Gregory about a release? :) The master was already switched to commons-collections4 back in September 2023.

     
  • Scott Conway

    Scott Conway - 2024-06-22

    Go ahead and message Gary Gregory to see when they are planning on a release of commons-beanutils. Yeah they are still making code changes but the last release they made was almost five years ago (https://central.sonatype.com/artifact/commons-beanutils/commons-beanutils/versions) so there are a whole bunch of apache commons libraries that are in what I call "development hell" because changes are constantly being made but no releases are being made.

     
  • Jeff Thomas

    Jeff Thomas - 2024-09-13

    Hi Scott, I actually did message Gary a few months ago and ended up on the Apache mailing list.

    Gary Gregory announced yesterday via the mailing list that they expect to have a beanutils2 release-candidate in around one month.

     
  • Scott Conway

    Scott Conway - 2024-11-03

    I will keep checking on occasion but thus far I do not see anything published. Please let me know if you see it published.

     
  • Jeff Thomas

    Jeff Thomas - 2025-01-08

    FYI there is also now a 2.0.0-M1:

    https://commons.apache.org/proper/commons-beanutils/changes-report.html#a2.0.0-M1

    But incompatible changes:

    "Change packaging from org.apache.commons.beanutils to org.apache.commons.beanutils2."

     

    Last edit: Jeff Thomas 2025-01-08
  • Scott Conway

    Scott Conway - 2025-01-10

    That is awesome. I will look at trying to update to 1.10 shortly. I do see it on maven!! https://central.sonatype.com/artifact/commons-beanutils/commons-beanutils/versions

    I won't update to 2.0 until they have had a couple of actual releases, not milestone releases, to work out any issues found in the new major release. And that will give us time to see if there are any backwards compatibility issues.

     
