jinwoo pushed a commit to branch support/1.15
in repository https://gitbox.apache.org/repos/asf/geode.git
The following commit(s) were added to refs/heads/support/1.15 by this push:
new efd7796f6b GEODE-10546: Address CVE-2025-48924 in Apache Commons Lang3
(#7976)
efd7796f6b is described below
commit efd7796f6bbf54d4e639f779587e47a4116a6298
Author: Jinwoo Hwang <[email protected]>
AuthorDate: Mon Mar 16 05:51:46 2026 -0400
GEODE-10546: Address CVE-2025-48924 in Apache Commons Lang3 (#7976)
* GEODE-10546: Address CVE-2025-48924 in Apache Commons Lang3
- Upgrade commons-lang3 from 3.12.0 to 3.18.0
- Replace StringUtils.startsWith with String.startsWith (with null check)
- Replace StringUtils.containsIgnoreCase with toLowerCase().contains()
- Replace StringUtils.removeStart with ternary operator pattern
- Replace StringUtils.equals with Objects.equals
- Replace LineIterator.nextLine() with LineIterator.next()
- Fix Mockito compatibility with MutableInt in commons-lang3 3.18.0
- All quality checks pass (japicmp, javadoc, spotlessCheck, rat, checkPom,
pmdMain)
- ConnectCommandTest: 24 tests now pass (fixed NullPointerException)
* GEODE-10546: Upgrade commons-io to 2.18.0 (merge with support/1.15)
---
.../org/apache/geode/gradle/plugins/DependencyConstraints.groovy | 2 +-
.../internal/cli/commands/StartServerCommandAcceptanceTest.java | 4 ++--
.../geode/internal/cache/tier/sockets/ServerConnectionTest.java | 2 +-
.../geode/management/internal/cli/commands/ConnectCommand.java | 2 +-
.../geode/management/internal/cli/commands/CreateIndexCommand.java | 4 ++--
.../geode/management/internal/cli/commands/QueryCommand.java | 4 ++--
.../internal/cli/domain/FixedPartitionAttributesInfo.java | 5 ++---
.../management/internal/cli/domain/PartitionAttributesInfo.java | 7 +++----
.../geode/management/internal/cli/domain/RegionAttributesInfo.java | 3 ++-
.../main/java/org/apache/geode/management/configuration/Index.java | 3 ++-
10 files changed, 18 insertions(+), 18 deletions(-)
diff --git
a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
index 831d0ec12e..7c824f5190 100644
---
a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
+++
b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -34,7 +34,7 @@ class DependencyConstraints {
// Some of these are referenced below as well
deps.put("antlr.version", "2.7.7")
deps.put("commons-io.version", "2.18.0")
- deps.put("commons-lang3.version", "3.12.0")
+ deps.put("commons-lang3.version", "3.18.0")
deps.put("commons-validator.version", "1.7")
deps.put("fastutil.version", "8.5.8")
deps.put("javax.transaction-api.version", "1.3")
diff --git
a/geode-assembly/src/acceptanceTest/java/org/apache/geode/management/internal/cli/commands/StartServerCommandAcceptanceTest.java
b/geode-assembly/src/acceptanceTest/java/org/apache/geode/management/internal/cli/commands/StartServerCommandAcceptanceTest.java
index fb9a665bcf..828655420a 100644
---
a/geode-assembly/src/acceptanceTest/java/org/apache/geode/management/internal/cli/commands/StartServerCommandAcceptanceTest.java
+++
b/geode-assembly/src/acceptanceTest/java/org/apache/geode/management/internal/cli/commands/StartServerCommandAcceptanceTest.java
@@ -103,7 +103,7 @@ public class StartServerCommandAcceptanceTest {
Boolean configurationLineFound = Boolean.FALSE;
LineIterator lineIterator = FileUtils.lineIterator(logFile.toFile());
while (lineIterator.hasNext()) {
- String line = lineIterator.nextLine();
+ String line = lineIterator.next();
if (line.contains("CacheServer Configuration:")) {
configurationLineFound = Boolean.TRUE;
assertThat(line).contains("max-threads=100");
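Review bot: The `LineIterator` returned by `FileUtils.lineIterator(logFile.toFile())` is not closed in the visible lines, so the log file handle may stay open when an assertion inside the loop fails. The same pattern appears in the second hunk of this file (`@@ -152,7 +152,7`). `LineIterator` is `Closeable`, so wrapping the loop in `try (LineIterator lineIterator = FileUtils.lineIterator(logFile.toFile())) {` would release it on every path. The test method continues past the end of the hunk, so a later `close()` may already exist and should be checked first.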
@@ -152,7 +152,7 @@ public class StartServerCommandAcceptanceTest {
boolean configurationLineFound = false;
LineIterator lineIterator = FileUtils.lineIterator(logFile.toFile());
while (lineIterator.hasNext()) {
- String line = lineIterator.nextLine();
+ String line = lineIterator.next();
if (line.contains("CacheServer Configuration:")) {
configurationLineFound = true;
assertThat(line).contains("max-threads=50");
diff --git
a/geode-core/src/test/java/org/apache/geode/internal/cache/tier/sockets/ServerConnectionTest.java
b/geode-core/src/test/java/org/apache/geode/internal/cache/tier/sockets/ServerConnectionTest.java
index e32a031a3c..8dadc5d481 100644
---
a/geode-core/src/test/java/org/apache/geode/internal/cache/tier/sockets/ServerConnectionTest.java
+++
b/geode-core/src/test/java/org/apache/geode/internal/cache/tier/sockets/ServerConnectionTest.java
@@ -307,7 +307,7 @@ public class ServerConnectionTest {
ClientUserAuths clientUserAuths = mock(ClientUserAuths.class);
ServerConnection spy = spy(serverConnection);
Map<ServerSideHandshake, MutableInt> cleanupTable = mock(Map.class);
- when(cleanupTable.get(any())).thenReturn(mock(MutableInt.class));
+ when(cleanupTable.get(any())).thenReturn(new MutableInt(0));
doReturn(cleanupTable).when(clientHealthMonitor).getCleanupTable();
doReturn(new
HashMap<>()).when(clientHealthMonitor).getCleanupProxyIdTable();
spy.setClientUserAuths(clientUserAuths);
diff --git
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/ConnectCommand.java
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/ConnectCommand.java
index 27ed6e465a..8a13f9f665 100644
---
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/ConnectCommand.java
+++
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/ConnectCommand.java
@@ -123,7 +123,7 @@ public class ConnectCommand extends OfflineGfshCommand {
.createInfo("Already connected to: " +
getGfsh().getOperationInvoker().toString());
}
- if (StringUtils.startsWith(url, "https")) {
+ if (url != null && url.startsWith("https")) {
useSsl = true;
}
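Review bot: The scheme test `url.startsWith("https")` is case-sensitive and has no delimiter, so a URL written as `HTTPS://host` leaves `useSsl` false while any string that merely begins with `https` sets it. URI schemes are case-insensitive, so if no caller relies on the bare prefix, `if (url != null && url.regionMatches(true, 0, "https://", 0, 8)) {` would be the stricter check. The old `StringUtils.startsWith` call behaved the same way, so this is not a regression, but the line is being rewritten anyway. What `useSsl` controls afterwards lies outside the hunk, so the effect on the connection's TLS settings should be confirmed there.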
diff --git
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/CreateIndexCommand.java
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/CreateIndexCommand.java
index d1f4f1892a..4a0b1c499e 100644
---
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/CreateIndexCommand.java
+++
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/CreateIndexCommand.java
@@ -24,7 +24,6 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
-import org.apache.commons.lang3.StringUtils;
import org.springframework.shell.core.annotation.CliCommand;
import org.springframework.shell.core.annotation.CliOption;
@@ -169,7 +168,8 @@ public class CreateIndexCommand extends GfshCommand {
// returned here should not have "."
String getValidRegionName(String regionPath) {
String regionName = regionPath.trim().split(" ")[0];
- regionName = StringUtils.removeStart(regionName, SEPARATOR);
+ regionName =
+ regionName.startsWith(SEPARATOR) ?
regionName.substring(SEPARATOR.length()) : regionName;
if (regionName.contains(".")) {
regionName = regionName.substring(0, regionName.indexOf('.'));
}
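Review bot: The hand-written prefix strip `regionName.startsWith(SEPARATOR) ? regionName.substring(SEPARATOR.length()) : regionName` is repeated verbatim in Index.java (hunk `@@ -88,7 +88,8`), so the two copies of the region-name normalisation can drift apart. If the module dependencies allow it, one shared private helper would keep them in step. Otherwise a comment on both, such as `// strip a single leading SEPARATOR (was StringUtils.removeStart)`, would record the intent. `getValidRegionName` continues past the end of the hunk.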
diff --git
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/QueryCommand.java
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/QueryCommand.java
index ccd7d3c833..da610a5d87 100644
---
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/QueryCommand.java
+++
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/QueryCommand.java
@@ -84,8 +84,8 @@ public class QueryCommand extends GfshCommand {
boolean limitAdded = false;
- if (!StringUtils.containsIgnoreCase(query, " limit")
- && !StringUtils.containsIgnoreCase(query, " count(")) {
+ if (!query.toLowerCase().contains(" limit")
+ && !query.toLowerCase().contains(" count(")) {
query = query + " limit " + CommandExecutionContext.getShellFetchSize();
limitAdded = true;
}
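Review bot: `query.toLowerCase()` uses the JVM default locale, unlike the `StringUtils.containsIgnoreCase` call it replaces. Under a Turkish or Azeri default locale `" LIMIT"` lower-cases with a dotless ı and no longer matches `" limit"`, so a query that already has a LIMIT clause would get a second ` limit N` appended. Lower-casing once with a fixed locale avoids this and the duplicate call: `String lowered = query.toLowerCase(Locale.ROOT);` followed by `if (!lowered.contains(" limit") && !lowered.contains(" count(")) {`; this needs `java.util.Locale` imported, and the import block is outside the hunk. The old helper also returned false for a null `query` where the new code throws a NullPointerException; whether `query` can be null here depends on code outside the hunk.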
diff --git
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/FixedPartitionAttributesInfo.java
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/FixedPartitionAttributesInfo.java
index 06061bacfc..6bf349349e 100644
---
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/FixedPartitionAttributesInfo.java
+++
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/FixedPartitionAttributesInfo.java
@@ -15,8 +15,7 @@
package org.apache.geode.management.internal.cli.domain;
import java.io.Serializable;
-
-import org.apache.commons.lang3.StringUtils;
+import java.util.Objects;
import org.apache.geode.cache.FixedPartitionAttributes;
@@ -37,7 +36,7 @@ public class FixedPartitionAttributesInfo implements
Serializable {
if (obj instanceof FixedPartitionAttributesInfo) {
FixedPartitionAttributesInfo fpaInfo = (FixedPartitionAttributesInfo)
obj;
return numBuckets == fpaInfo.getNumBuckets()
- && StringUtils.equals(partitionName, fpaInfo.getPartitionName())
+ && Objects.equals(partitionName, fpaInfo.getPartitionName())
&& isPrimary == fpaInfo.isPrimary();
} else {
diff --git
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/PartitionAttributesInfo.java
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/PartitionAttributesInfo.java
index c2bcfe7f69..c17f50f519 100644
---
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/PartitionAttributesInfo.java
+++
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/PartitionAttributesInfo.java
@@ -20,8 +20,7 @@ import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
-
-import org.apache.commons.lang3.StringUtils;
+import java.util.Objects;
import org.apache.geode.cache.FixedPartitionAttributes;
import org.apache.geode.cache.PartitionAttributes;
@@ -152,9 +151,9 @@ public class PartitionAttributesInfo implements
Serializable {
public boolean equals(Object obj) {
if (obj instanceof PartitionAttributesInfo) {
PartitionAttributesInfo paInfo = (PartitionAttributesInfo) obj;
- return StringUtils.equals(getColocatedWith(), paInfo.getColocatedWith())
+ return Objects.equals(getColocatedWith(), paInfo.getColocatedWith())
&& getLocalMaxMemory() == paInfo.getLocalMaxMemory()
- && StringUtils.equals(getPartitionResolverName(),
paInfo.getPartitionResolverName())
+ && Objects.equals(getPartitionResolverName(),
paInfo.getPartitionResolverName())
&& getRecoveryDelay() == paInfo.getRecoveryDelay()
&& getRedundantCopies() == paInfo.getRedundantCopies()
&& getStartupRecoveryDelay() == paInfo.getStartupRecoveryDelay()
diff --git
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/RegionAttributesInfo.java
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/RegionAttributesInfo.java
index 6adf2ecaea..05d77c238c 100644
---
a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/RegionAttributesInfo.java
+++
b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/RegionAttributesInfo.java
@@ -21,6 +21,7 @@ import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
+import java.util.Objects;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
@@ -364,7 +365,7 @@ public class RegionAttributesInfo implements Serializable {
Boolean.toString(cloningEnabled));
}
- if (!StringUtils.equals(RegionAttributesDefault.COMPRESSOR_CLASS_NAME,
compressorClassName)) {
+ if (!Objects.equals(RegionAttributesDefault.COMPRESSOR_CLASS_NAME,
compressorClassName)) {
nonDefaultAttributes.put(RegionAttributesNames.COMPRESSOR,
compressorClassName);
}
diff --git
a/geode-management/src/main/java/org/apache/geode/management/configuration/Index.java
b/geode-management/src/main/java/org/apache/geode/management/configuration/Index.java
index 2e1c684916..03372f9168 100644
---
a/geode-management/src/main/java/org/apache/geode/management/configuration/Index.java
+++
b/geode-management/src/main/java/org/apache/geode/management/configuration/Index.java
@@ -88,7 +88,8 @@ public class Index extends AbstractConfiguration<IndexInfo>
implements RegionSco
}
String regionName = regionPath.trim().split(" ")[0];
- regionName = StringUtils.removeStart(regionName, SEPARATOR);
+ regionName =
+ regionName.startsWith(SEPARATOR) ?
regionName.substring(SEPARATOR.length()) : regionName;
if (regionName.contains(".")) {
regionName = regionName.substring(0, regionName.indexOf('.'));
}