Blocker Description
I don't believe this affects us from a security perspective directly, however it's something we should clean up in our next release.
Afaict the only commons we use for shipping/production code is commons-cli. Our two release branches, 3.4 and 3.5, neither of them use commons-collections. I looked at the binary release artifact and it doesn't include the commons collections jar.
We do have a test that uses CollectionsUtils, but no shipping code. I downloaded our 3.4 and 3.5 artifacts, this is all I see:
phunt:~/Downloads/zd/5/zookeeper-3.5.1-alpha$ grep -R "org.apache.commons.collections" .
./src/java/test/org/apache/zookeeper/RemoveWatchesTest.java:import org.apache.commons.collections.CollectionUtils;
phunt:~/Downloads/zd/5/zookeeper-3.5.1-alpha$
Also in our ivy file we have
<dependency org="org.apache.rat" name="apache-rat-tasks"
rev="0.10" conf="releaseaudit->default"/>
<dependency org="commons-lang" name="commons-lang"
rev="2.6" conf="releaseaudit->default"/>
<dependency org="commons-collections" name="commons-collections"
rev="3.2.1" conf="releaseaudit->default"/>
So commons-collections is pulled in - but only for the release audit, which is something we do as a build verification activity but not part of the product itself.