[Task]: Upgrade Apache Commons Lang from 2.x to 3.x Due to Reported CVE #6814

@asopapiyush

Description

Overview
Our project currently uses Apache Commons Lang 2.x, which has an active CVE reported against the ClassUtils.getClass() API. This vulnerability exposes the project to potential security risks related to uncontrolled or unsafe class loading. To ensure the security posture of the application, we aim to upgrade to Apache Commons Lang 3.x, where these issues have been addressed.
However, this migration is not straightforward, as Commons Lang 3 introduces major breaking changes, including package restructures (org.apache.commons.lang → org.apache.commons.lang3), method deprecations, behavioral changes, and API incompatibility.
This task involves refactoring the codebase to support Commons Lang 3.x while ensuring functional parity.

⚠️ Problem Summary

Current version: Apache Commons Lang 2.x
Vulnerable API: ClassUtils.getClass()
Reported issue: Vulnerability in class-loading mechanism within Lang 2.x
Required action: Upgrade dependency to Lang 3.x

🛑 Why Direct Upgrade Is Not Possible
Apache Commons Lang 3 is not a drop-in replacement. Key differences:

1. Package Structure Changes

   Old: org.apache.commons.lang.*
   New: org.apache.commons.lang3.*

   This requires updating import statements across the entire codebase.

2. API Changes and Removals

   Certain APIs have been:

   Renamed
   Moved
   Behaviorally changed
   Removed entirely

   Example:
   ClassUtils.getClass() in Lang 2.x has different overloads and exception handling behavior in Lang 3.x.

3. Utility Classes Restructured

   Some utilities have been:

   Split into specialized classes
   Modified to avoid ambiguous or unsafe functionality

🎯 Goal of This Task
Refactor the project to fully support Apache Commons Lang 3.x while preserving all current functionality and ensuring compatibility.

🧩 Scope of Work
A contributor picking up this task will need to:

1. Upgrade Dependency

   Modify build files (Maven/Gradle/etc.) to use:
   org.apache.commons:commons-lang3

2. Update All Import Statements

   Replace all:
   org.apache.commons.lang.*

   with:
   org.apache.commons.lang3.*
3. Refactor Code for API Differences

   Review and update incompatible APIs, including:

   ClassUtils
   StringUtils
   ObjectUtils
   ArrayUtils
   NumberUtils
   Any deprecated/unavailable methods

   Document changes in code comments where behavior is not identical.

4. Replace or Rewrite Unsafe Patterns

   Especially those involving:

   Reflection
   Class loading
   Serialization utilities
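As an added example (not code from this issue or from the project it describes), here is one shape the Lang 3.x replacement for a ClassUtils.getClass() call site can take when the class name comes from outside the application: the name is bounded in length, checked to be a plain binary class name, and matched against an allow-list of packages before any class loading happens. The SafeClassLoading class, the com.example.plugins package and the length bound are assumptions chosen for illustration.

```java
import java.util.Set;
import org.apache.commons.lang3.ClassUtils; // was: org.apache.commons.lang.ClassUtils

// Hypothetical wrapper that replaces direct ClassUtils.getClass(name) calls
// on caller-supplied input during the lang -> lang3 migration.
public final class SafeClassLoading {

    // Only classes under these package prefixes may be resolved from external
    // input (hypothetical value; adjust to the project's real plugin packages).
    private static final Set<String> ALLOWED_PACKAGES = Set.of("com.example.plugins.");

    // Upper bound on the class name length we are willing to hand to the resolver.
    private static final int MAX_CLASS_NAME_LENGTH = 256;

    // Plain binary name: identifiers separated by dots, no array/primitive shorthand.
    private static final String BINARY_NAME =
        "[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*";

    private SafeClassLoading() {}

    /**
     * Resolve a class by name only after the name has passed validation.
     * The checked ClassNotFoundException thrown by lang3 is translated into
     * IllegalArgumentException so existing callers keep their signatures.
     */
    public static Class<?> resolve(String className) {
        if (className == null || className.isEmpty()
                || className.length() > MAX_CLASS_NAME_LENGTH) {
            throw new IllegalArgumentException("class name missing or too long");
        }
        if (!className.matches(BINARY_NAME)) {
            throw new IllegalArgumentException("class name is not a plain binary name");
        }
        boolean allowed = ALLOWED_PACKAGES.stream().anyMatch(className::startsWith);
        if (!allowed) {
            throw new IllegalArgumentException("class " + className + " is outside the allow-list");
        }
        try {
            // lang3 overload (ClassLoader, String, boolean initialize): use an explicit
            // loader and do not run static initializers just to resolve the type.
            return ClassUtils.getClass(SafeClassLoading.class.getClassLoader(), className, false);
        } catch (ClassNotFoundException e) {
            throw new IllegalArgumentException("unknown class " + className, e);
        }
    }
}
```

Call sites that previously did ClassUtils.getClass(name) on untrusted input become SafeClassLoading.resolve(name); the behavior difference (rejection before loading) is exactly the kind of change the task asks to document in a code comment.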

5. Add Unit Tests for Affected Areas

   Ensure existing behavior is preserved by:

   Running all existing tests
   Adding new tests where API changes affect logic

6. Perform End-to-End Validation

   Verify application startup, runtime flows, and integration points.

📝 Acceptance Criteria
A successful contribution must meet all the following:

Project builds successfully with Apache Commons Lang 3.x
All imports updated to org.apache.commons.lang3
All incompatible APIs refactored with equivalent logic
No regressions in behavior (validated through tests)
Build passes all unit and integration tests
No usage of deprecated or unsafe reflection methods
Documentation updated for:

Migration notes
API differences encountered
Any non-trivial refactoring

Issue Priority

Priority: 2

Issue Component

Component: Other
