#251 OpenCSV 5.9

Milestone: v1.0 (example)
Status: open
Owner: None
Priority: 9
Updated: 2024-06-22
Created: 2024-06-06
Private: No

When setting the type of a Strategy via the setType method in AbstractMappingStrategy.class a CsvBadConverterException is thrown. It turns out that as of version 5.9, OpenCSV is still using the deprecated FastHashMap implementation from Apache Commons Collections 3. However, this structure has been removed in version 4.0 and should be replaced by java.util.concurrent.ConcurrentHashMap.
This leads to the following error: java.lang.NoClassDefFoundError: org/apache/commons/collections/FastHashMap
Moreover, it would imply that Commons Collections 3.2.2 is still a dependency. Unfortunately, all versions below 4.3 suffer from the following CVE.
I would be grateful if you could take this into consideration and fix it.

Best regards,
Hristo

Discussion

  • Scott Conway - 2024-06-07

    If you have a simple code sample that you can make into a unit test I will try it out. Otherwise I will test it out in the next week or so depending on when I can get free.

    Thanks for finding this. I am surprised our existing unit tests did not catch it.

  • Hristo Ivanov - 2024-06-07

    Hi Scott,
    upon further analysis, it appears that commons-beanutils uses FastHashMap, which transitively imports commons-collections 3.2.2 into OpenCSV. This means any developer using OpenCSV who has excluded older versions of commons-collections in the pom file due to the CVE will likely encounter this error. Unfortunately, there has not been an update to commons-beanutils since 2019, suggesting that the project might have been abandoned. It would be great if you could take a look into this in your free time and see if replacing FastHashMap is a viable solution.

    [INFO] +- com.opencsv:opencsv:jar:5.9:compile
    [INFO] |  +- org.apache.commons:commons-text:jar:1.11.0:compile
    [INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
    [INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
    [INFO] |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
    [INFO] |  \- org.apache.commons:commons-collections4:jar:4.4:compile
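As an added example (not code from this thread or from the OpenCSV project), a small Python parser for `mvn dependency:tree` output of the shape quoted above: it recovers the parent chain of a given artifact, so a reviewer can see which direct dependents would be left without their classes if that artifact were simply excluded rather than replaced. The tree text is constructed here, with a made-up root artifact; the rest mirrors the listing in the thread.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of `mvn dependency:tree` output. The root
# line (com.example:myapp) is made up; the remaining lines mirror the thread.
SAMPLE_TREE = """\
[INFO] com.example:myapp:jar:1.0-SNAPSHOT
[INFO] +- com.opencsv:opencsv:jar:5.9:compile
[INFO] |  +- org.apache.commons:commons-text:jar:1.11.0:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  \\- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  \\- org.apache.commons:commons-collections4:jar:4.4:compile
"""

# Tree glyphs ("+- ", "\- ", "|  ", "   ") occupy three characters per depth
# level. Coordinates are groupId:artifactId:packaging:version[:scope];
# classifier coordinates (an extra field) are not handled by this regex.
LINE_RE = re.compile(
    r"^\[INFO\] ((?:[|+\\\- ]{3})*)([^\s:]+:[^\s:]+):[^\s:]+:([^\s:]+)"
)


def parse_tree(text: str) -> List[Tuple[int, str, str]]:
    """Return (depth, 'group:artifact', version) for every dependency line."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            nodes.append((len(m.group(1)) // 3, m.group(2), m.group(3)))
    return nodes


def paths_to(text: str, ga: str) -> List[List[str]]:
    """Every root-to-leaf chain (as 'group:artifact:version') ending in `ga`."""
    chains, stack = [], []
    for depth, node_ga, version in parse_tree(text):
        del stack[depth:]  # drop back to this node's parent level
        stack.append(f"{node_ga}:{version}")
        if node_ga == ga:
            chains.append(list(stack))
    return chains


def direct_dependents(text: str, ga: str) -> List[str]:
    """Artifacts that declare `ga` themselves: a blanket <exclusion> of `ga`
    leaves these without classes they may load at runtime (NoClassDefFoundError)."""
    return sorted({chain[-2] for chain in paths_to(text, ga) if len(chain) > 1})


if __name__ == "__main__":
    target = "commons-collections:commons-collections"
    for chain in paths_to(SAMPLE_TREE, target):
        print(" -> ".join(chain))
    print("direct dependents:", direct_dependents(SAMPLE_TREE, target))
```

Running it on the sample shows commons-collections 3.2.2 reached only through commons-beanutils 1.9.4, which is exactly the artifact that breaks when the collections jar is excluded.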
  • Scott Conway - 2024-06-08

    Yeah I am going to close this one. I agree with you with the sentiment about commons-beanutils being a dead project but there is a story here and I wish I knew what it was. If you check you will find that back in 2017 there was an Apache commons-beanutils2 created in 2014 but looking at the git branches the first checkin referencing beanutils2 was 2017 (https://commons.apache.org/sandbox/commons-beanutils2/index.html). And looking at the git repo (https://github.com/apache/commons-beanutils) it is still being actively developed but most of the merges this year have been dependency updates. So honestly this whole project has been in development hell and I do not know why. The only thing I can think of is either politics or the main developers have left - though if it were the latter I would not expect to see so many merges on the branch.

  • Jeff Thomas - 2024-06-21

    Hi Scott, came here looking for this exact ticket because of the CVE vulnerability lighting up in my IDE.

    Just a hint, the last code changes in beanutils were just 3 days ago.

    Maybe it is possible to message the maintainer Gary Gregory about a release? :) The master was already switched to commons-collections4 back in September 2023.

  • Scott Conway - 2024-06-22

    Go ahead and message Gary Gregory to see when they are planning on a release of commons-beanutils. Yeah they are still making code changes but the last release they made was almost five years ago (https://central.sonatype.com/artifact/commons-beanutils/commons-beanutils/versions) so there are a whole bunch of apache commons libraries that are in what I call "development hell" because changes are constantly being made but no releases are being made.
