Remove use of commons collections 3 coming via beanutils

[sandeepnkulkarni]

commons collections 3 is EOL and there is no new version available since Nov, 2015 after 3.2.2. So it would make sense to remove its use within jasperreports going forward. Our customers have shown concern about its continued use and hence the request.

Currently there is dependency of commons-beanutils 1.9.4. There is major version of beanutils released commons-beanutils2 which no longer needs commons collections 3 and uses commons collections 4 in its place.

Will it be possible to upgrade to use commons-beanutils2?

Edit: Would like point out that it turns out that official beanutils is still not out yet. It is still in SNAPSHOT. But it is released by Melloware on Maven. More information: https://issues.apache.org/jira/browse/BEANUTILS-532

[teodord]

I think it is too early to consider this. We are not using snapshots.
Also, Commons Beanutils is also used by Commons Digester.
That is a bit harder to replace in JRL.

[sandeepnkulkarni]

Thanks for quick response. Commons Digester also seems to be EOL as well. Also does not looks like it is being actively maintained. Last release 3.2 was in 2011.

Found that Apache Commons Digester used is v.2.1, a version that has been released in 2010.

[teodord]

I think Digester is "Feature Complete", not "End of Life". It does what we need and we don't need anything more from it.

[nicolasmafraintelipost]

Hello, any updates to it? commons-collections 3 is mentioned in vulnerability alerts (Cx78f40514-81ff)

[melloware]

PR submitted