[ODLPARENT-111] Medium security issue in commons-beanutils on Nexus IQ server CLM Job Created: 15/Aug/17  Updated: 07/Mar/19  Resolved: 07/Mar/19

Status: Resolved
Project: odlparent
Component/s: General
Affects Version/s: 2.0.5
Fix Version/s: 3.1.6, 4.0.9

Type: Bug
Reporter: Michael Vorburger Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 8993

 Description   

An Ho, on https://lists.opendaylight.org/pipermail/release/2017-August/011985.html, raises a number of issues with the Nexus IQ server CLM Job (seen e.g. here: https://clm.opendaylight.org/assets/index.html#/reports/daexim/d3d1cd100d6a4443a997ad713f474c35), among them something regarding a Security-Medium issue in commons-beanutils 1.8.3.

Let's see if we can bump all usages of commons-beanutils 1.8.3 to the latest 1.9.3 ...



 Comments   
Comment by Michael Vorburger [ 15/Aug/17 ]

According to a quick scan of autorelease, beanutils is used by aaa, vtn, tsdr, and odlparent itself.

We do have a system/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar in odlparent's karaf empty, and some distributions.

As far as I can see from a first quick grep in odlparent, this (commons-beanutils) does not appear in our <dependencyManagement>, where it should be if any project uses this as a regular <dependency>. Raised https://git.opendaylight.org/gerrit/#/c/61752/ to add it, and https://git.opendaylight.org/gerrit/#/c/61753/ for aaa.

It does however also appear in the karaf-paxweb.patch pax-web-features-4.3.0-features.xml ... I have attempted to change that, but failed - maybe just a mistake in the patch, or something bigger... I'll let someone else pick that up? Or that will just get sorted out with the next Karaf upgrade, if they keep bumping their dep to pax-web, if they keep bumping 3rd party deps to commons.

vtn and tsdr I don't care about, and won't have the spare cycles to deal with. They should do something similar to c/61753.

Comment by Michael Vorburger [ 15/Aug/17 ]

> also appear in the karaf-paxweb.patch pax-web-features-4.3.0-features.xml

which https://git.opendaylight.org/gerrit/#/c/61760/ fixes - except that it is completely irrelevant for us here - it only fixes up paxweb's pax-jsf-support feature, which we do not use.

Comment by Stephen Kitt [ 16/Aug/17 ]

(In reply to Michael Vorburger from comment #1)
> According to a quick scan of autorelease, beanutils is used by aaa, vtn,
> tsdr, and odlparent itself.

Very quick scan. beanutils ends up being referred to in order to fix various issues with transitive dependencies; there are no code dependencies on it. Ideally I wouldn't want projects relying on beanutils, so I don't want to have it in dependency management.

Comment by Stephen Kitt [ 16/Aug/17 ]

I humbly suggest https://git.opendaylight.org/gerrit/61844 instead (on AAA only).

Comment by Michael Vorburger [ 16/Aug/17 ]

> I humbly suggest https://git.opendaylight.org/gerrit/61844 instead (on AAA only).

I don't want to stand in the way of doing it like this, so don't mind abandoning my proposed changes to odlparent and aaa re. this - BUT these only accept aaa, and not the other projects using commons-beanutils... which is fine for me and those who pay the roof over my head but I wanted to spell it out here, so someone interested in other projects could follow-up with those, if needed.

Comment by Stephen Kitt [ 16/Aug/17 ]

(In reply to Michael Vorburger from comment #5)
> > I humbly suggest https://git.opendaylight.org/gerrit/61844 instead (on AAA only).
>
> I don't want to stand in the way of doing it like this, so don't mind
> abandoning my proposed changes to odlparent and aaa re. this - BUT these
> only accept aaa, and not the other projects using commons-beanutils... which
> is fine for me and those who pay the roof over my head but I wanted to
> spell it out here, so someone interested in other projects could follow-up
> with those, if needed.

No other project directly uses beanutils.

Comment by Michael Vorburger [ 16/Aug/17 ]

> No other project directly uses beanutils.

OK, perfect!

>> According to a quick scan of autorelease, beanutils is used by aaa, vtn,
>> tsdr, and odlparent itself.

> Very quick scan . beanutils ends up being referred to in order to fix various issues with transitive dependencies, there are no code dependencies on it.

Yup; indeed the hit I saw in vtn on grep is not a dependency; tsdr's features/odl-tsdr-hbase/src/main/feature/feature.xml used a mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-beanutils/1.8.3_1 (but tsdr is no longer in the release, so forget about it).
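
The "quick scan" discussed in this thread, written out as an added, runnable example (this is not code from odlparent, aaa, tsdr or anyone in the thread). It checks the three places commons-beanutils 1.8.3 turned up above: <dependency> entries in pom.xml, distinguishing a direct dependency from a pin under <dependencyManagement>; mvn: URLs in Karaf feature files, including servicemix-wrapped bundles whose artifactId ends in the upstream name; and jars laid out in a Karaf "system" repository directory. It assumes the standard Maven POM namespace and repository layout, resolves ${property} versions only against the same pom (a parent's properties or an imported BOM are not followed), and runs against a constructed sample tree whose paths mirror the ones quoted in the issue rather than real OpenDaylight sources.

```python
"""Locate every reference to a flagged artifact in a Maven/Karaf source tree.

Added example, not odlparent's or OpenDaylight's own code.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
MVN_URL = re.compile(r"mvn:([^/\s<\"']+)/([^/\s<\"']+)/([^/\s<\"']+)")


def version_key(version):
    """Numeric tuple for ordering: '1.8.3_1' < '1.9.3' < '1.10' (plain string
    comparison would get the last pair wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def scan_pom(path, artifact_id):
    """Yield (kind, version) for each matching <dependency> in a pom.xml."""
    root = ET.parse(path).getroot()
    parent = {child: p for p in root.iter() for child in p}
    props = {e.tag[len(POM_NS):]: (e.text or "").strip()
             for e in root.findall(POM_NS + "properties/*")}
    for dep in root.iter(POM_NS + "dependency"):
        if dep.findtext(POM_NS + "artifactId") != artifact_id:
            continue
        # An entry under <dependencyManagement> only pins a version; it puts
        # nothing on a classpath by itself, so report it as 'managed'.
        node, managed = dep, False
        while node in parent:
            node = parent[node]
            managed = managed or node.tag == POM_NS + "dependencyManagement"
        version = (dep.findtext(POM_NS + "version") or "").strip() or None
        if version and version.startswith("${"):  # ${property} from this pom only
            version = props.get(version[2:-1], version)
        yield ("managed" if managed else "direct", version)


def scan_feature(path, artifact_id):
    """Yield ('feature', version) for mvn: URLs naming the artifact; wrapped
    bundles such as org.apache.servicemix.bundles.commons-beanutils match too."""
    with open(path, encoding="utf-8") as fh:
        for _group, aid, version in MVN_URL.findall(fh.read()):
            if aid == artifact_id or aid.endswith("." + artifact_id):
                yield ("feature", version)


def scan_tree(root_dir, artifact_id, min_version):
    """Return sorted (relative path, kind, version, outdated) tuples. A version
    below min_version is flagged; an unpinned or unresolved one is not."""
    jar_re = re.compile(rf"^{re.escape(artifact_id)}-([\w.\-]+)\.jar$")
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            found = []
            if name == "pom.xml":
                found = scan_pom(full, artifact_id)
            elif name.endswith(("feature.xml", "features.xml")):
                found = scan_feature(full, artifact_id)
            elif name.endswith(".jar"):
                # Repository layout: .../<artifactId>/<version>/<artifactId>-<version>.jar
                m = jar_re.match(name)
                if m and os.path.basename(dirpath) == m.group(1):
                    found = [("system-repo", m.group(1))]
            for kind, version in found:
                vk = version_key(version) if version else ()
                outdated = bool(vk) and vk < version_key(min_version)
                rel = os.path.relpath(full, root_dir).replace(os.sep, "/")
                hits.append((rel, kind, version, outdated))
    return sorted(hits)


# Constructed sample tree (paths modelled on the issue; not real ODL sources).
SAMPLE_FILES = {
    "odlparent/pom.xml": '<project xmlns="http://maven.apache.org/POM/4.0.0">'
        "<properties><beanutils.version>1.8.3</beanutils.version></properties>"
        "<dependencyManagement><dependencies><dependency>"
        "<groupId>commons-beanutils</groupId><artifactId>commons-beanutils</artifactId>"
        "<version>${beanutils.version}</version></dependency></dependencies>"
        "</dependencyManagement></project>",
    "aaa/pom.xml": '<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>'
        "<dependency><groupId>commons-beanutils</groupId>"
        "<artifactId>commons-beanutils</artifactId></dependency>"
        "<dependency><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId>"
        "<version>2.6</version></dependency></dependencies></project>",
    "tsdr/features/odl-tsdr-hbase/src/main/feature/feature.xml":
        '<features><feature name="odl-tsdr-hbase"><bundle>mvn:org.apache.servicemix.bundles/'
        "org.apache.servicemix.bundles.commons-beanutils/1.8.3_1</bundle></feature></features>",
    "vtn/README.md": "mentions commons-beanutils in prose only; must not be reported\n",
    "karaf/target/assembly/system/commons-beanutils/commons-beanutils/1.8.3/"
    "commons-beanutils-1.8.3.jar": "",
}


def demo(min_version="1.9.3"):
    """Write the sample tree to a temp dir and scan it for commons-beanutils."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            os.makedirs(os.path.dirname(os.path.join(tmp, rel)), exist_ok=True)
            with open(os.path.join(tmp, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(tmp, "commons-beanutils", min_version)


if __name__ == "__main__":
    for rel, kind, version, outdated in demo():
        print(f"{'OUTDATED' if outdated else 'ok':<9}{kind:<12}{str(version):<9}{rel}")
```

A "direct" hit with no version is exactly the aaa case: the module relies on a parent's <dependencyManagement> pin, so the jar that actually ships is decided elsewhere, which is why the thread wanted the pin in odlparent. The scan only sees what the source tree declares; a jar pulled in transitively by some other dependency (the case Stephen describes) never appears in any of these files and still has to come from `mvn dependency:tree` or the CLM report itself.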

Generated at Wed Feb 07 20:27:39 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.