RANGER-5391: Migrate from Apache Commons Lang 2.6 to Commons Lang 3.19.0 (#724)

This commit migrates Apache Ranger from the vulnerable Commons Lang 2.6 library to Commons Lang 3.19.0, addressing CVE-2025-48924. The migration involves updating all import statements from org.apache.commons.lang.* to org.apache.commons.lang3.* across the codebase and updating dependency declarations in POM files.

Key changes:

- Updated Commons Lang 3 version from 3.3.2 to 3.19.0 in the root POM
- Replaced all imports across 100+ Java files from org.apache.commons.lang to org.apache.commons.lang3
- Removed commons-lang:2.6 dependency declarations and added commons-lang3:3.19.0 where needed
---------

Co-authored-by: Madhan Neethiraj <[email protected]>

Author: vishnukribm

agents-audit/core/pom.xml

@@ -37,11 +37,7 @@
             <artifactId>hppc</artifactId>
             <version>${hppc.version}</version>
         </dependency>
-        <dependency>
-            <groupId>commons-lang</groupId>
-            <artifactId>commons-lang</artifactId>
-            <version>${commons.lang.version}</version>
-        </dependency>
+
         <dependency>
             <groupId>io.airlift</groupId>
             <artifactId>aircompressor</artifactId>
@@ -63,6 +59,11 @@
             <artifactId>commons-configuration2</artifactId>
             <version>${commons.configuration.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>${commons.lang3.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-text</artifactId>

agents-audit/core/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java

@@ -22,7 +22,7 @@
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 import java.util.Date;
 import java.util.HashSet;

agents-audit/core/src/main/java/org/apache/ranger/audit/provider/AuditWriterFactory.java

@@ -19,7 +19,7 @@
  * under the License.
  */
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.ranger.audit.utils.RangerAuditWriter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

agents-audit/core/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java

@@ -18,8 +18,8 @@
 
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.apache.commons.lang.ArrayUtils;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.util.KerberosName;
 import org.apache.hadoop.security.authentication.util.KerberosUtil;

agents-audit/core/src/main/java/org/apache/ranger/audit/utils/AbstractRangerAuditWriter.java

@@ -19,7 +19,7 @@
  * under the License.
  */
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonPathCapabilities;
 import org.apache.hadoop.fs.FSDataOutputStream;

agents-audit/core/src/main/java/org/apache/ranger/audit/utils/RollingTimeUtil.java

@@ -18,7 +18,7 @@
 
 package org.apache.ranger.audit.utils;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 import java.util.Calendar;
 import java.util.Date;

agents-audit/dest-cloudwatch/src/main/java/org/apache/ranger/audit/destination/AmazonCloudWatchAuditDestination.java

@@ -27,7 +27,7 @@
 import com.amazonaws.services.logs.model.PutLogEventsRequest;
 import com.amazonaws.services.logs.model.PutLogEventsResult;
 import com.amazonaws.services.logs.model.ResourceNotFoundException;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.ranger.audit.model.AuditEventBase;
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.slf4j.Logger;

agents-audit/dest-es/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java

@@ -19,7 +19,7 @@
 
 package org.apache.ranger.audit.destination;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.thirdparty.com.google.common.util.concurrent.ThreadFactoryBuilder;
 import org.apache.http.HttpHost;
 import org.apache.http.auth.AuthSchemeProvider;

agents-audit/dest-hdfs/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsLogDestination.java

@@ -18,7 +18,7 @@
  */
 package org.apache.ranger.audit.provider.hdfs;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FSDataOutputStream;
 import org.apache.hadoop.fs.FileSystem;

agents-audit/dest-solr/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java

@@ -19,7 +19,7 @@
 
 package org.apache.ranger.audit.destination;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.ranger.audit.model.AuditEventBase;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 import org.apache.ranger.audit.provider.MiscUtil;