Apache Commons BeanUtils 2.0.0-M1 Release Notes The Apache Commons BeanUtils team is pleased to announce the release of Apache Commons BeanUtils 2.0.0-M1 Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection. This is a major release, requires Java 8. Changes in this version include: New features: o BEANUTILS-530: New converters for Java 8 Time classes #13. Thanks to Melloware, Matt Sicker, Gary Gregory. o BEANUTILS-346: New converter for Enum. Thanks to Melloware. o Add github/codeql-action #118. Thanks to Dependabot, Gary Gregory. o Add and use ConversionException.format(String, Object...). Thanks to Dependabot, Gary Gregory. o Add Converters for additional types: Color, Dimension, InetAddress, Locale, Pattern, Point #47. Thanks to Seth Falco, Gary Gregory. o Make PropertyUtilsBean.getReadMethod(Class, PropertyDescriptor) public #232. Thanks to Sergey Chernov, Gary Gregory. Fixed Bugs: o BEANUTILS-402: Double-Checked Locking anti pattern in WeakFastHashMap. Thanks to Melloware. o Refactor logger usage #72. Thanks to Andrei Korzhevskii, Gary Gregory. o Migrate to JUnit 5 #93, #283, #284, #285, #287. Thanks to SethFalco, Steve Bosman, Gary Gregory. o Fix SpotBugs [ERROR] Medium: org.apache.commons.beanutils2.BasicDynaClass.constructorTypes should be both final and package protected [org.apache.commons.beanutils2.BasicDynaClass] At BasicDynaClass.java:[line 95] MS_FINAL_PKGPROTECT. Thanks to Gary Gregory. o Fix SpotBugs [ERROR] Medium: Load of known null value in org.apache.commons.beanutils2.converters.AbstractConverter.convert(Class, Object) [org.apache.commons.beanutils2.converters.AbstractConverter] At AbstractConverter.java:[line 163] NP_LOAD_OF_KNOWN_NULL_VALUE. Thanks to Gary Gregory. o Fix SpotBugs [ERROR] Medium: Unused public or protected field: org.apache.commons.beanutils2.WrapDynaClass.descriptors [org.apache.commons.beanutils2.WrapDynaClass] In WrapDynaClass.java UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD. Thanks to Gary Gregory. o Fix SpotBugs [ERROR] Medium: org.apache.commons.beanutils2.converters.ArrayConverter.setAllowedChars(char[]) may expose internal representation by storing an externally mutable object into ArrayConverter.allowedChars [org.apache.commons.beanutils2.converters.ArrayConverter] At ArrayConverter.java:[line 202] EI_EXPOSE_REP2. Thanks to Gary Gregory. o Fix SpotBugs [ERROR] Medium: org.apache.commons.beanutils2.converters.DateTimeConverter.setPatterns(String[]) may expose internal representation by storing an externally mutable object into DateTimeConverter.patterns [org.apache.commons.beanutils2.converters.DateTimeConverter] At DateTimeConverter.java:[line 204] EI_EXPOSE_REP2. Thanks to Gary Gregory. o Fix SpotBugs [ERROR] Medium: org.apache.commons.beanutils2.ConversionException.getCause() may expose internal representation by returning ConversionException.cause [org.apache.commons.beanutils2.ConversionException] At ConversionException.java:[line 83] EI_EXPOSE_REP. Thanks to Gary Gregory. o Fix SpotBugs [ERROR] Medium: new org.apache.commons.beanutils2.ConversionException(String, Throwable) may expose internal representation by storing an externally mutable object into ConversionException.cause [org.apache.commons.beanutils2.ConversionException] At ConversionException.java:[line 53] EI_EXPOSE_REP2. Thanks to Gary Gregory. o Fix SpotBugs [ERROR] Medium: new org.apache.commons.beanutils2.ConversionException(Throwable) may expose internal representation by storing an externally mutable object into ConversionException.cause [org.apache.commons.beanutils2.ConversionException] At ConversionException.java:[line 65] EI_EXPOSE_REP2. Thanks to Gary Gregory. o Fix SpotBugs [ERROR] Medium: org.apache.commons.beanutils2.converters.DateTimeConverter.getPatterns() may expose internal representation by returning DateTimeConverter.patterns [org.apache.commons.beanutils2.converters.DateTimeConverter] At DateTimeConverter.java:[line 189] EI_EXPOSE_REP. Thanks to Gary Gregory. o Fix SpotBugs [ERROR] Medium: org.apache.commons.beanutils2.WrapDynaClass.getDynaProperties() may expose internal representation by returning WrapDynaClass.properties [org.apache.commons.beanutils2.WrapDynaClass] At WrapDynaClass.java:[line 172] EI_EXPOSE_REP. Thanks to Gary Gregory. o Replace Commons Collections Test Framework 3.2.2 with 4.5.0-M3 #40. Thanks to Melloware, sebbASF, Gary Gregory, Michal Landsman. o Provide error index in ConversionException message in DateTimeConverter.parse(Class, Class, String, DateFormat). Thanks to Gary Gregory. o Avoid possible NPE in DateTimeConverter.parse(Class, Class, String). Thanks to Gary Gregory. o Annotate Converter with @FunctionalInterface. Thanks to Claude Warren, Gary Gregory. o BEANUTILS-564: Fix JDK 21 CI failure due to locale changes #201. Thanks to SingingBush. o Fix warnings and To-Dos #92. Thanks to Seth Falco. o Replace internal use of Locale.ENGLISH with Locale.ROOT. Thanks to Gary Gregory. o BEANUTILS-541: FluentPropertyBeanIntrospector caches corrupted writeMethod (2.x) #68. Thanks to Sergey Chernov. Changes: o BEANUTILS-503: Change packaging from org.apache.commons.beanutils to org.apache.commons.beanutils2. Thanks to Gary Gregory. o BEANUTILS-505: Add missing serialVersionUID to Serializable classes. Thanks to Gary Gregory. o BEANUTILS-512: Add Automatic-Module-Name entry to MANIFEST.MF. Thanks to Gary Gregory. o BEANUTILS-514: Remove deprecated code for 2.0.0. Thanks to Gary Gregory. o BEANUTILS-509: WeakHashmap enters into infinite loop in WrapDynaClass.java. Thanks to sunil, Akshay Gehi. o BEANUTILS-520: BeanUtils2 mitigate CVE-2014-0114. Thanks to Melloware. o BEANUTILS-527: Convert Collections4 to java.util.function. #8. Thanks to Melloware, Matt Sicker, Gary Gregory. o BEANUTILS-528: New converters for UUID, URI, and Path #10. Thanks to Melloware, Matt Sicker, Gary Gregory. o BEANUTILS-529: Log at the debug level instead of info. Thanks to Gary Gregory. o BEANUTILS-537: Fix typos; fix error in Javadoc; performance fix; fix code smells #25. Thanks to XenoAmess, Gary Gregory. o Bump actions/cache from 2 to 3.0.11 #77, #89, #103, #111. #137, #141. Thanks to Dependabot, Gary Gregory. o Update actions/checkout from 2.3.1 to 3.0.2 #33, #108. Thanks to Dependabot, Gary Gregory. o Update actions/setup-java from 1.4.0 to 3.6.0 #35, #114, #144. Thanks to Dependabot, Gary Gregory. o Bump actions/upload-artifact from 3.1.0 to 3.1.1 #143. Thanks to Dependabot. o BEANUTILS-522: Bump Apache Commons Collections from 4.3 to 4.4. Thanks to Gary Gregory. o BEANUTILS-504: Bump Java from 6 to 7. Thanks to Gary Gregory. o BEANUTILS-515: Bump Java from 7 to 8. Thanks to Gary Gregory. o Bump junit-jupiter from 5.7.2 to 5.9.1 #113, #126, #134. Thanks to Dependabot. o Bump JUnit from 4 to 5.9.1 vintage, #78, #112, #127, #136. Thanks to Gary Gregory, Dependabot. o Bump Jacoco from 0.8.4 to 0.8.8. Thanks to Gary Gregory. o Bump JApiCmp from 0.12.0 to 0.17.1, #46, #110, #130, #146. Thanks to Gary Gregory, Dependabot. o Bump maven-surefire-plugin from 2.22.1 to 3.0.0-M7, #116, #122. Thanks to Gary Gregory, Dependabot. o Bump maven-checkstyle-plugin from 3.0.0 to 3.2.0, #76, #129. Thanks to Gary Gregory, Dependabot. o Bump maven-pmd-plugin from 3.12.0 to 3.19.0, #120, #128, #131. Thanks to Gary Gregory, Dependabot. o Bump BC version from 1.9.3 to 1.9.4. Thanks to Gary Gregory. o Bump org.apache.commons:commons-parent from 50 to 74 #229, #245, #254, #264, #274, #279. Thanks to Gary Gregory, Dependabot. o Bump biz.aQute.bndlib from 5.1.0 to 6.4.1 #29, #45, #79, #109, #119, #121, #147, #175. Thanks to Dependabot. o Jacoco 0.8.6 for JDK15 support #55. Thanks to melloware. o Updated URLConverterTestCase to run without Internet access #50. Thanks to SethFalco. o Don't initialize variables to defaults #71. Thanks to Arturo Bernal. o Bump spotbugs-maven-plugin from 4.5.3.0 to 4.6.0.0. Thanks to Dependabot. o Bump spotbugs from 4.5.3 to 4.6.0. Thanks to Dependabot. o Bump org.apache.commons:commons-lang3 from 3.12.0 to 3.17.0 #263, #269, #280. Thanks to Gary Gregory, Dependabot. o Bump commons-logging:commons-logging from 1.2 to 1.3.4 #226, #246, #259, #275. Thanks to Gary Gregory, Dependabot. o Bump org.apache.commons:commons-parent from 74 to 78 #291, #295, #299, #306. Thanks to Gary Gregory, Dependabot. Removed: o BEANUTILS-527: Removed Commons Collections dependency. #8. Thanks to Melloware, Matt Sicker, Gary Gregory. o Removed BeanUtilsBean2, use BeanUtilsBean. BeanUtilsBean2 functionality is now in BeanUtilsBean. Previous BeanUtilsBean functionality for those methods is no longer supported. Thanks to Gary Gregory, Niall Pemberton. o Removed ConvertUtilsBean2, use ConvertUtilsBean. ConvertUtilsBean2 functionality is now in ConvertUtilsBean. Previous ConvertUtilsBean functionality for those methods is no longer supported. Thanks to Gary Gregory, Niall Pemberton. o Do not implement Serializable. Thanks to Gary Gregory. Historical list of changes: https://commons.apache.org/proper/commons-beanutils/changes-report.html For complete information on Apache Commons BeanUtils, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons BeanUtils website: https://commons.apache.org/proper/commons-beanutils/ ----------------------------------------------------------------------------- Apache Commons BeanUtils 1.10.0 Release Notes The Apache Commons BeanUtils team is pleased to announce the release of Apache Commons BeanUtils 1.10.0 Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection. This is a maintenance release and requires Java 8. Changes in this version include: Fixed Bugs: o BEANUTILS-541: FluentPropertyBeanIntrospector caches corrupted writeMethod (1.x backport) #69. Thanks to Sergey Chernov. o Replace internal use of Locale.ENGLISH with Locale.ROOT. Thanks to Gary Gregory. o Replace Maven CLIRR plugin with JApiCmp. Thanks to Gary Gregory. o Port to Java 1.4 Throwable APIs (!). Thanks to Gary Gregory. o Fix Javadoc generation on Java 8, 17, and 21. Thanks to Gary Gregory. o AbstractArrayConverter.parseElements(String) now returns a List instead of a raw List. Thanks to Gary Gregory. Changes: o Bump org.apache.commons:commons-parent from 47 to 78. Thanks to Gary Gregory. o Bump Java requirement from Java 6 to 8. Thanks to Gary Gregory. o Bump junit:junit from 4.12 to 4.13.2. Thanks to Gary Gregory. o Bump JUnit from 4.x to 5.x "vintage". Thanks to Gary Gregory. o Bump commons-logging:commons-logging from 1.2 to 1.3.4. Thanks to Gary Gregory. o Deprecate BeanUtilsBean.initCause(Throwable, Throwable) for removal, use Throwable.initCause(Throwable). Thanks to Gary Gregory. o Deprecate BeanUtils.initCause(Throwable, Throwable) for removal, use Throwable.initCause(Throwable). Thanks to Gary Gregory. Historical list of changes: https://commons.apache.org/proper/commons-beanutils//changes-report.html For complete information on Apache Commons BeanUtils, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons BeanUtils website: https://commons.apache.org/proper/commons-beanutils/ Download it from https://commons.apache.org/proper/commons-beanutils/download_bcel.cgi Have fun! -Apache Commons BCEL team Feedback -------- Open source works best when you give feedback: https://commons.apache.org/beanutils Please direct all bug reports to JIRA: https://issues.apache.org/jira/browse/BEANUTILS Or subscribe to the commons-user mailing list The Apache Commons Team ----------------------------------------------------------------------------- Apache Commons BeanUtils 1.9.4 Release Notes The Apache Commons BeanUtils team is pleased to announce the release of Apache Commons BeanUtils 1.9.4 Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection. The primary reason for this release is a bugfix for CVE-2014-0114. More specifically, our goal with BEANUTILS-520 is to set the default behaviour of the BeanUtilsBean to not allow class level access. The goal in doing this now is to bring 1.9.X into alignment with the same behaviour of the 2.X version line in regards to security. If one would like to opt out of the default behaviour, one could follow the example set out in the test class available in src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java. Changes in this version include: Fixed Bugs: o BEANUTILS-520: BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for commons-beanutils). Thanks to Melloware. Historical list of changes: https://commons.apache.org/proper/commons-beanutils/changes-report.html For complete information on Apache Commons BeanUtils, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Apache Commons BeanUtils website: https://commons.apache.org/proper/commons-beanutils/ ----------------------------------------------------------------------------- Apache Commons BeanUtils 1.9.3 Release Notes The Apache Commons team is pleased to announce the release of Apache Commons BeanUtils 1.9.3 Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection. This is a bug fix release, which also improves the tests for building on Java 8. Note that Java 8 and later no longer support indexed bean properties on java.util.List, only on arrays like String[]. (BEANUTILS-492). This affects PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor(); their javadoc have therefore been updated to reflect this change in the JDK. Changes in this version include: Fixed Bugs: * BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector * BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans. Thanks to Bernhard Seebass. * BEANUTILS-470: Precision lost when converting BigDecimal Thanks to Tommy Tynjä. * BEANUTILS-465: Indexed List Setters fixed. Thanks to Daniel Atallah. Changes: * BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12. Thanks to Benedikt Ritter, Gary Gregory. * BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2. Thanks to Gary Gregory. * BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming algorithm as DefaultBeanIntrospector. Thanks to Michael Grove. * BEANUTILS-490: Update Java requirement from Java 5 to 6. Thanks to Gary Gregory. * BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2 (CVE-2015-4852). Thanks to Gary Gregory. * BEANUTILS-490: Update java requirement to Java 6. Thanks to Gary Gregory. * BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8. Thanks to Stian Soiland-Reyes. * BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9. Thanks to Stian Soiland-Reyes. * BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9. Thanks to Stian Soiland-Reyes. Historical list of changes: http://commons.apache.org/proper/commons-beanutils/changes-report.html For complete information on Apache Commons BeanUtils, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Apache Commons BeanUtils website: https://commons.apache.org/proper/commons-beanutils/ ----------------------------------------------------------------------------- Apache Commons BeanUtils 1.9.2 Release Notes INTRODUCTION: ============ This document contains the release notes for this version of the Commons BeanUtils package, and highlights changes since the previous version. For more information on Commons BeanUtils, see o http://commons.apache.org/beanutils/ Release 1.9.2 mainly addresses a potential security issue when accessing properties in an uncontrolled way. In a nutshell, if an application that uses Commons BeanUtils passes property paths from an external source directly to the getProperty() method of BeanUtilsBean, an attacker can access the class loader via the class property available on all Java objects. In version 1.9.2 now a special BeanIntrospector class was added which allows suppressing this property. Note that this BeanIntrospector is NOT enabled by default! Commons BeanUtils is a low-level library, and on this layer it cannot be decided whether access to a certain property is legal or not. Therefore, an application has to activate this suppressing BeanIntrospector explicitly. This can be done with the following lines of code: BeanUtilsBean bub = new BeanUtilsBean(); bub.getPropertyUtils().addBeanIntrospector( SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS); Now all access to properties has to be done via the specially configured BeanUtilsBean instance. More information about this issue can be found at https://issues.apache.org/jira/browse/BEANUTILS-463 or in section 2.5 of the user's guide. BUGFIXES in version 1.9.2 ========================= * [BEANUTILS-458] BaseLocaleConverter.checkConversionResult() no longer throws a ConversionException if the result of a conversion is null. New features in version 1.9.2 ============================= * [BEANUTILS-463] Added new SuppressPropertiesBeanIntrospector class to deal with a potential class loader vulnerability. ----------------------------------------------------------------------------- Apache Commons BeanUtils 1.9.1 Release Notes Release 1.9.1 is a bug fix release which addresses a problem with the new feature of custom introspection introduced with release 1.9.0. It is fully binary compatible with the previous release. The minimum required Java version is 1.5. BUGFIXES in version 1.9.1 ========================= * [BEANUTILS-456] For PropertyDescriptors obtained via custom introspection now additional information is stored to prevent that write methods are lost during garbage collection. ----------------------------------------------------------------------------- Apache Commons BeanUtils 1.9.0 Release Notes Release 1.9.0 contains some bug fixes and improvements that have accumulated after the 1.8.3 release. The most obvious change is that the new version now requires JDK 1.5 or higher, and that language features introduced with Java 5 (mainly generics) are used. A new feature has been introduced, too: the support for customizing bean introspection. Compatibility with 1.8.3 ======================== Adding generics to the BeanUtils API has been done in a backwards compatible way. This means that after type erasure the resulting classes look the same as in the previous version. A drawback of this approach is that sometimes it is not possible to use the logically correct type parameters because then backwards compatibility would be broken. One example is the BeanMap class: The class is now a Map while its keys actually are strings. However, implementing Map would change the signatures of some methods in an incompatible way. More details about limitations of the generification can be found at https://issues.apache.org/jira/browse/BEANUTILS-452 One exception from the compatibility rule is the ResultSetIterator class which now implements the Iterator interface. This causes a change in the return value of its next() method. ResultSetIterator is used internally as the iterator implementation within ResultSetDynaClass (it is probably a mistake that it is public). So chances are minimal that this change affects existing code. Another change which may affect compatibility is [BEANUTILS-379] (details can be found at https://issues.apache.org/jira/browse/BEANUTILS-379). Older versions of BeanUtils contained some classes that were copied from Commons Collections. These classes have now been removed, and a dependency to Commons Collections has been added; the collections jar now has to be contained in the classpath, too. Except for the change on ResultSetIterator and the additional dependency to Commons Collections, Commons BeanUtils 1.9.0 is fully binary compatible with the previous version 1.8.3. Changes on Converters ===================== The convert() method in the Converter interface now uses a type parameter in the following way: T convert(Class type, Object value); This makes it possible to access the converter's result in a type-safe way. Applying generics in this way revealed some inconsistencies in the Converter implementations. There were situations in which converters could return a result object of a different type as was requested. This was not a problem before because the result type was just Object. Now the compiler complains if a converter's result is not compatible with the desired target type. Because of that Converter implementations have been made more strict. A converter now checks the passed in target type, and if it cannot handle it, throws a ConversionException. This prevents unexpected results and makes converters more reliable (it could be considered a bug that a converter returns a result object of a different data type as the passed in target type). In a typical scenario, when converters are accessed via ConvertUtils, this change should not cause any problems because the converters are only called for the data types they have been registered for. But if converters are used directly, they might now throw ConversionExceptions when they did not in a previous version. BUGFIXES in version 1.9.0 ========================= * [BEANUTILS-454] BeanUtilsBean.copyProperties() no longer throws a ConversionException for null properties of certain data types. This fixes a regression introduced in version 1.8.0. The issue is related to [BEANUTILS-387]. * [BEANUTILS-411] BeanUtilsBean.setProperty throws IllegalArgumentException if getter of nested property returns null. * [BEANUTILS-408] MethodUtils.invokeMethod() throws NullPointerException when args==null. * [BEANUTILS-426] ConstructorUtils.invokeConstructor(Class klass, Object arg) throws NullPointerException when arg==null. * [BEANUTILS-380] BeanMap methods should initialize the root cause of exceptions that are thrown when running on JDK 1.4+. * [BEANUTILS-379] Remove copied Collection classes. * [BEANUTILS-378] BeanMap does not work in osgi (fixed by BEANUTILS-378). * [BEANUTILS-381] MethodUtils getMatchingAccessibleMethod() does not correctly handle inheritance and method overloading. New features in version 1.9.0 ============================= * [BEANUTILS-425] Support customization of introspection mechanism. * [BEANUTILS-428] Provide a BeanIntrospector implementation which supports properties in a fluent API. * [BEANUTILS-455] WrapDynaBeans can now be configured to use a specific instance of PropertyUtilsBean for introspection or property access. Other changes in version 1.9.0 ============================== * [BEANUTILS-452] Add generics. * [BEANUTILS-449] LocaleConverters do not take the target type into account. * [BEANUTILS-448] LocaleConverters do not check their default value. * [BEANUTILS-447] LazyDynaList.toArray() is not conform to the contract defined by the Collection interface. * [BEANUTILS-446] Some of the converters ignore the passed in target type. * [BEANUTILS-445] Converters can return an invalid result object if a default value is set. * [BEANUTILS-441] Replace UnmodifiableSet.decorate with Collections.unModifiableSet. * [BEANUTILS-436] Replace package.html with package-info.java. * [BEANUTILS-438] Add @Deprecated and @Override Annotations. * [BEANUTILS-437] Replace Date and Revision SVN keywords with Id. * [BEANUTILS-431] Remove @author tags and move missing authors to pom.xml. * [BEANUTILS-432] Switch to Java 1.5. * [BEANUTILS-429] Delete trailing white spaces and white spaces on empty lines from all files. * [BEANUTILS-427] Configure Checkstyle to check for trailing white spaces and white spaces on empty lines. ----------------------------------------------------------------------------- Apache Commons BeanUtils 1.8.3 Release Notes Compatibility with 1.8.2 ======================== BeanUtils 1.8.3 is binary compatible release with Beanutils 1.8.2, containing only bug fixes. BeanUtils 1.8.3 requires a minimum of JDK 1.3. Memory Leak =========== A memory leak was found in BeanUtils 1.7.0 (see BEANUTILS-291) which was fixed in BeanUtils 1.8.0 for JDK 1.5+. Testing of BeanUtils 1.8.1 revealed that the leak still appears to exist in IBM's JDK 1.6 implementation. see http://issues.apache.org/jira/browse/BEANUTILS-291 http://issues.apache.org/jira/browse/BEANUTILS-366 BUGS FIXED: =========== The following is a list of the bugs fixed in this release, with their Jira issue number: * [BEANUTILS-373] - MethodUtils is not thread safe because WeakFastHashMap which uses WeakHashMap is not thread-safe * [BEANUTILS-371] - Add constructors which have useColumnLabel parameter to ResultSetDynaClass and RowSetDynaClass