
OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation + Additional recent commits with dependency upgrades and compilation error fixes (#201)

Merged: warrendennis merged 553 commits into open-osp:main from openo-beta:develop-staging/02172026 on Mar 25, 2026

Conversation


@LiamStanziani LiamStanziani commented Feb 18, 2026

Contributor

Summary

This staging branch (develop-staging/02172026) is cut from develop and contains all changes merged since the base staging branch PR #188 (staging/01232026) was created. It includes 221 PRs with 320 non-merge commits across 523 files changed (+63,285 / -22,713 lines).

Note: This branch builds on top of PR #188 (OpenO EMR 2026.1.0-RC1). The hotfix packages PR #199 and PR #200 were created separately against open-osp/Open-O:main — specific changes were cherry-picked into those hotfix branches independently and are not included in this staging branch. Those fixes will need to be reconciled separately.

GitHub Commit Count: GitHub displays 596 commits on this PR because PR #188 has not yet been merged to open-osp:main. Once PR #188 is merged, the commit count will drop to reflect only the 553 new commits (231 merge + 320 non-merge) documented below.


Security Fixes & Vulnerability Patches (8 PRs)

1. PR #1836 — Imported provider display fix with OWASP hardening (3 commits)

  • Fixed provider records not displaying correctly after import
  • Added OWASP encoding on all HTML attribute user inputs
  • Fixed NullPointerExceptions on provider search and update JSP pages
  • Created separate HTML render path when provider is null to avoid broken layouts

Related Issue: #1663

2. PR #1843 — Upgrade netty vulnerable transitive dependencies (3 commits)

  • Upgraded all Netty transitive dependencies to consistent version using netty-bom
  • Moved Netty version to properties variable for centralized management
  • Updated lock file

Related Issue: #1846

3. PR #1844 — Exclude Apache CXF vulnerable transitive dependencies (2 commits)

  • Excluded unused rhino transitive dependency from Apache CXF (security vulnerability)
  • Updated mime4j-core for security vulnerability
  • Excluded unused transports-jms transitive dependency with security vulnerability

Related Issue: #1847

4. PR #2240 — XML file upload security + dom4j → JDOM2 migration (3 commits)

  • Added critical security validations for XML file upload in ManageDashboard2Action
  • Migrated XML processing from dom4j to JDOM2

Related Issue: #2138

5. PR #2241 — Migrate Apache Commons BeanUtils to Spring BeanUtils — Phase 1 (3 commits)

  • Security migration from Apache Commons BeanUtils (CVE exposure) to Spring BeanUtils
  • Migrated BeanComparator to Java Comparator.comparing()
  • Restored backward compatibility in BeanUtilHlp null handling

Related Issue: #2202

6. PR #2199 — Replace jasypt 1.9.3 with Spring Security Crypto (5 commits)

  • Replaced jasypt encryption library with Spring Security Crypto
  • Added migration documentation (docs/migration/jasypt-to-spring-crypto.md)
  • Addressed code review feedback

Related Issue: #2158

7. PR #1842 — Upgrade vulnerable HL7 FHIR core transitive dependencies to 6.4.0 (XXE vulnerability fix) (1 commit, manually updated in branch to avoid conflicts)

  • Updated vulnerable transitive HL7 FHIR core dependencies

Related Issue: #1845

8. PR #2323 — Upgrade vulnerable jackson dependencies to 2.21.1 (1 commit + merge commit)

  • Updated vulnerable jackson dependencies

Related Issue: #2322


Pre-Jakarta Migration: Dependency Modernization (34 PRs)

This work is part of Epic #1110: Jakarta EE Migration Preparation. The strategy upgrades all dependencies to their last javax-compatible versions before the eventual javax.* → jakarta.* namespace switch. Tracking issues: Phase 1 (#2249), Phase 1A (#2253), Phase 1B (#2254).

Note: Phase 1A (PR #2255) — 19 additional drop-in dependency updates + 6 Maven plugin upgrades — has been submitted but is not yet merged to develop and is therefore not included in this staging branch.

Pre-Jakarta Version Upgrades (last javax-compatible versions)

9. PR #2172 — commons-dbcp 1.4 → commons-dbcp2 2.14.0 (3 commits)

  • Major migration from legacy commons-dbcp to commons-dbcp2
  • Renamed maxWait to maxWaitMillis, replaced deprecated removeAbandoned properties

Related Issue: #1157

10. PR #2097 — HAPI FHIR 6.4.0 → 6.10.5 (3 commits)

  • Upgraded HAPI FHIR healthcare interoperability library
  • Updated dependency lock files

Related Issue: #1150

11. PR #2134 — Apache CXF 3.5.11 → 3.6.9 (2 commits)

  • Last javax-compatible version before CXF 4.x (Jakarta)
  • Upgraded web services framework for healthcare integrations

Related Issue: #1149

12. PR #2115 — JasperReports 6.20.1 → 6.21.7 (3 commits)

  • Last javax-compatible version before JasperReports 7.x (Jakarta)

Related Issue: #1151

13. PR #2116 — Apache POI 5.0.0 → 5.5.1 (1 commit)

  • Upgraded Apache POI spreadsheet/document library to latest 5.x release

Related Issue: #1159

14. PR #2124 — Apache OpenJPA 3.0.0 → 3.2.2 (1 commit)

  • Upgraded OpenJPA persistence library to latest 3.x release

Related Issue: #1165

15. PR #2117 — Jersey Client 2.46 → 2.47 (1 commit)

  • Last javax-compatible version before Jersey 3.x (Jakarta)

Related Issue: #1154

16. PR #2120 — Jackson modules → 2.19.2 (2 commits)

  • Upgraded Jackson JAX-RS JSON Provider and aligned all Jackson modules to 2.19.2
  • Added jackson-module-jaxb-annotations

Related Issue: #589

17. PR #2113 — Flying Saucer PDF 9.4.1 → 9.13.3 (1 commit)

  • Upgraded Flying Saucer XHTML/CSS renderer used for PDF generation

Related Issue: #588

18. PR #2096 — taglibs:standard 1.1.2 → javax.servlet.jsp.jstl 1.2.5 (3 commits)

  • Replaced legacy taglibs:standard with official javax.servlet.jsp.jstl implementation

Related Issue: #1160

19. PR #2239 — cglib 2.2.2 → 3.3.0 (1 commit)

  • Resolved ASM version conflicts

Related Issue: #2221

20. PR #2242 — displaytag 1.2 → hazendaz 2.9.0 (2 commits)

  • Replaced 17-year-old dead project with maintained fork

Related Issue: #2152

21. PR #2178 — 5 patch-level dependency updates (1 commit)

  • Updated httpmime 4.5.14, itextpdf 5.5.13.5, xmlworker 5.5.13.5, jsch 0.1.55, jfreechart 1.5.6

Related Issue: #2135

Library Migrations (unmaintained → maintained)

22. PR #2197 — ManageDocument2Action: jpedal → Apache PDFBox (3 commits)

  • Migrated PDF handling in document management from jpedal to PDFBox
  • Added page number validation and correct default page numbers

Related Issue: #2184

23. PR #2200 — NioFileManagerImpl: jpedal → Apache PDFBox (2 commits)

  • Migrated file manager PDF handling, added comprehensive error handling to PDF page rendering

Related Issue: #2183

24. PR #2238 — Doc2PDF: jtidy → Jsoup (3 commits)

  • Migrated HTML-to-PDF conversion from jtidy to Jsoup

Related Issue: #2154

25. PR #2185 — JSch → maintained fork (mwiede) (1 commit)

  • Migrated from abandoned JSch to actively maintained mwiede/jsch fork

Related Issue: #2159

26. PR #2190 — commonmark Atlassian → org.commonmark 0.23.0 (1 commit)

  • Migrated Markdown parser from Atlassian fork to upstream org.commonmark

Related Issue: #2157

27. PR #2191 — zxing 1.5 → com.google.zxing 3.5.3 (1 commit)

  • Migrated barcode library from legacy zxing to official Google ZXing

Related Issue: #2149

28. PR #2192 — commons-digester 1.8 → commons-digester3 3.2 (5 commits)

  • Excluded beanutils transitive dependency

Related Issue: #2145

29. PR #2189 — commons-exec 1.3 → 1.4.0 (1 commit)

  • Updated Apache Commons Exec process execution library

Related Issue: #2156

30. PR #2207 — janino 2.3.2 → org.codehaus.janino 3.1.12 (1 commit)

  • Migrated embedded Java compiler to actively maintained org.codehaus.janino

Related Issue: #2151

31. PR #2208 — Replace Xerces DOMParser with standard Java DocumentBuilderFactory (2 commits)

  • Removed external Xerces dependency by using JDK-built-in XML parsing in JDBCUtil

Related Issue: #2150

Dead Code & Unused Dependency Removal

32. PR #2204 — Remove dead ClinicalConnect/MedSeek integration (4 commits)

  • Removed CC_EHR_LOADED conditional and unreachable code
  • Fixed empty EHR widget after removal

Related Issue: #2167

33. PR #2114 — Remove dead Quartz dependency (1 commit)

  • Removed unused Quartz scheduler dependency from pom.xml

Related Issue: #1156

34. PR #2123 — Remove unused javax.xml:jaxm-api (1 commit)

  • Jakarta-prep: removes unused javax dependency to reduce migration surface

Related Issue: #1161

35. PR #2186 — Remove unused patientSiteVisit SNAPSHOT dependency (1 commit)

  • Removed unreferenced SNAPSHOT dependency that could cause build instability

Related Issue: #2168

36. PR #2193 — Remove unused tagsoup and jersey-client dependencies (1 commit)

  • Removed tagsoup HTML parser and jersey-client REST dependencies no longer referenced in codebase

37. PR #2206 — Remove duplicate velocity:1.7 dependency (1 commit)

  • Removed duplicate Velocity template engine entry from pom.xml

Related Issue: #2162

38. PR #2205 — Remove jpedal from pom.xml and local_repo (1 commit)

  • Cleaned up jpedal dependency and local repository files after migration to PDFBox

Related Issue: #2203

40. PR #1990 — Remove old libraries from localrepo, migrate jCharts (2 commits)

  • Removed unused libraries from local Maven repository
  • Migrated jCharts to matching version available on Maven Central

41. PR #2141 — Library cleanup: remove Jetty deps, final post-upgrade cleanup (3 commits)

  • Removed Jetty dependencies (OpenO uses Tomcat, not Jetty)
  • Final cleanup of dependencies and resolved javadoc errors after library updates

42. PR #2201 — Fix JAXB runtime dependency for Java 21 (4 commits)

  • Coordinated JAXB dependencies to 2.3.9 for Java 21 compatibility

Related Issue: #2164

43. PR #2246 — Update lock file for dependency changes (1 commit)

  • Regenerated Maven dependency lock file to reflect all dependency updates in this staging cycle

Bug Fixes (2 PRs + Additional Fixes)

44. PR #1903 — Fix show() call to null value causing console error (1 commit)

  • Removed show() call to a value that is never set

45. PR #2214 — VT cleanup: dependency fixes, PHI removal from logs (7 commits)

  • Resolved JSch dependency conflict, upgraded xercesImpl
  • Removed PHI from log statements
  • Sanitized formName in logs, removed unused code
  • Fixed DashboardManagerEncryptionUnitTest to extend OpenOUnitTestBase
  • Re-added missing required deps (older janino for Drools support)

Related Issue: #2213

Additional Fixes added to this staging branch to resolve errors

  • Fixed 98 JSP compilation errors from displaytag hazendaz 2.9.0 migration (removed deprecated -el TLD URI)
  • Fixed unreachable code in logoutSSO.jsp causing a JSP compilation error
  • Fixed PreviewContent.jsp commons-lang 2 → OWASP Encode migration (upstream merge compatibility)

CI/CD & Automation (7 PRs)

46. PR #2251 — SonarCloud integration (8 commits)

  • Set up SonarCloud code quality scanning
  • Added PR decorators for inline code review feedback
  • Configured for existing build containers

47. PR #1988 — Workflow updates for staging, hotfix, and community branches (4 commits)

  • Updated dependency-review, dependency-submission, and maven-project workflows
  • Cleaned up non-working workflows

48. PR #2143 + PR #2179 — Issue triage workflow improvements (5 commits)

  • Auto-set type/project/status for new issue tickets
  • Added duplicate detection and conditional field updates

49–51. PRs #1916, #1918, #1920 — Claude workflow permissions (3 commits)

  • Added GITHUB_TOKEN sandboxed permissions for gh CLI in Claude workflow

Test Improvements (4 PRs)

52. PR #1849 — Selenium upgrade + test refactoring (8 commits)

  • Upgraded Selenium to latest version, removed unused WebDriverManager
  • Migrated tests to headless Chrome (no hardcoded browser path)
  • Refactored all Selenium tests to use a base class / helper methods
  • Added env var overrides for test credentials
  • Removed Thread.sleep() calls in favor of explicit waits
  • Removed logging of successful login URL

Related Issue: #1848

53. PR #2058 — Demographic Manager unit tests (2 commits)

  • Added comprehensive DemographicManager unit tests to modern test framework

Related Issue: #1991

54. PR #1840 + PR #1841 — Claude hooks enhancements (13 commits)

  • Improved OWASP encoding validator: reduced false positives, simplified PrintWriter pattern detection
  • Fixed BDD test naming examples to conform to Java best practices

JavaDoc Documentation (166 PRs)

Comprehensive JavaDoc was added across 166 classes spanning the following areas. Each PR corresponds to a single class documentation issue.

All 166 JavaDoc PR numbers

#1609, #1906, #1907, #1908, #1909, #1910, #1913, #1915, #1917, #1919,
#1921, #1922, #1923, #1925, #1926, #1927, #1928, #1929, #1930, #1931,
#1932, #1933, #1934, #1935, #1936, #1937, #1938, #1939, #1940, #1941,
#1942, #1943, #1944, #1945, #1946, #1947, #1948, #1949, #1950, #1951,
#1952, #1953, #1954, #1955, #1956, #1957, #1958, #1959, #1960, #1961,
#1962, #1963, #1964, #1965, #1966, #1967, #1968, #1969, #1970, #1971,
#1972, #1973, #1974, #1975, #1976, #1978, #1979, #1980, #1981, #1982,
#1983, #1984, #1985, #1986, #1992, #1993, #1994, #1995, #1996, #1997,
#1998, #1999, #2000, #2001, #2002, #2003, #2004, #2005, #2006, #2007,
#2008, #2009, #2010, #2011, #2012, #2013, #2014, #2015, #2016, #2017,
#2018, #2019, #2020, #2021, #2022, #2023, #2024, #2025, #2026, #2027,
#2028, #2029, #2030, #2031, #2032, #2033, #2034, #2035, #2036, #2037,
#2038, #2039, #2040, #2041, #2042, #2043, #2044, #2045, #2046, #2047,
#2048, #2049, #2050, #2051, #2052, #2053, #2054, #2055, #2056, #2057,
#2068, #2069, #2070, #2071, #2072, #2073, #2074, #2075, #2076, #2077,
#2078, #2079, #2080, #2081, #2082, #2083, #2084, #2085, #2086, #2087,
#2088, #2089, #2090, #2091, #2092, #2111

Managers & Services (~15 PRs)

DemographicManager, DemographicManagerImpl, EmailManager, EmailComposeManager, NoteManager, ProfessionalSpecialistsManager, ProgramProviderService, DemographicWs, DocumentAttachmentManager, DocumentAttachmentManagerImpl

Web Actions (~15 PRs)

ERefer2Action, ManageInboxhub2Action, ManageEmails2Action, EmailCompose2Action, EmailSend2Action, EformLogError2Action, ProfessionalSpecialist2Action, DocumentPreview2Action, PrintDemoLabel2Action, PrintDemoChartLabel2Action, PrintDemoAddressLabel2Action, MoveMOHFiles2Action

BCAR / Antenatal Record Types (~55 PRs)

AR1, AR1Impl, AR2, AR2Impl, ARRecordImpl, ARRecordDocumentImpl, ARRecordSetImpl, ARRecordSetDocumentImpl, PatientInformation, PatientInformationImpl, PartnerInformation, PartnerInformationImpl, PregnancyHistory, PregnancyHistoryImpl, ObstetricalHistoryImpl, ObstetricalHistoryItemList, ObstetricalHistoryItemListImpl, CurrentPregnancyType, CurrentPregnancyTypeImpl, MedicalHistoryType, MedicalHistoryTypeImpl, MedicalHistoryAndPhysicalExam, MedicalHistoryAndPhysicalExamImpl, PhysicalExaminationType, PhysicalExaminationTypeImpl, InitialLaboratoryInvestigations, InitialLaboratoryInvestigationsImpl, AdditionalLabInvestigationsType, AdditionalLabInvestigationsTypeImpl, UltrasoundType, UltrasoundTypeImpl, DiscussionTopicsType, DiscussionTopicsTypeImpl, SubsequentVisitItemType, SubsequentVisitItemTypeImpl, PsychosocialType, PsychosocialTypeImpl, PrenatalGeneticScreeningType, PrenatalGeneticScreeningTypeImpl, RecommendedImmunoprophylaxisType, RecommendedImmunoprophylaxisTypeImpl, SignatureType, SignatureTypeImpl, NewbornCareImpl, RiskFactorItemTypeImpl, PractitionerInformationImpl, InfectiousDiseaseTypeImpl, CustomLabImpl, FamilyHistoryTypeImpl, EthnicValueType, EthnicValueTypeImpl, NormalAbnormalNullTypeImpl, DatingMethodsImpl, BirthAttendantsImpl, GenericHistoryTypeImpl, YesNoNullTypeImpl, ObjectFactory

Cached/Integrator Models (~35 PRs)

CachedDemographic, CachedDemographicAllergy, CachedDemographicConsent, CachedDemographicDocument, CachedDemographicDocumentContents, CachedDemographicDrug, CachedDemographicForm, CachedDemographicHL7LabResult, CachedDemographicImage, CachedDemographicIssue, CachedDemographicLabResult, CachedDemographicNote, CachedDemographicNoteCompositePk, CachedDemographicPrevention, CachedAppointment, CachedBillingOnItem, CachedDxresearch, CachedEformData, CachedEformValue, CachedFacility, CachedMeasurement, CachedMeasurementExt, CachedMeasurementMap, CachedMeasurementType, CachedProgram, CachedProvider, CachedAdmission

Core Entities & DAOs (~15 PRs)

Facility, EventLog, ImportLog, NoteIssue, IssueGroup, Referral, ProviderCommunication, SiteUser, DemographicPushDate, DemographicLink, DemographicTransfer, SystemProperties, AbstractModel, FacilityIdStringCompositePk, FacilityIdIntegerCompositePk, FacilityIdLabResultCompositePk, FacilityIdDemographicIssueCompositePk

Email & Communication (~10 PRs)

EmailLog, EmailLogDao, EmailLogDaoImpl, EmailConfigDao, EmailConfigDaoImpl, EmailStatusResult, EmailNoteUtil, EmailSender, APISendGridEmailSender, SMTPEmailSender

Web Services (~8 PRs)

DemographicWsService, ProviderWsService, ProgramWsService, FacilityWsService, HnrWsService, ReferralWsService, LabDataController, PrivateBillingController

Healthcare Integration (~10 PRs)

EDTService, EDTDelegateImpl, HCValidationService, HCValidationImpl, EReferAttachmentDao, EReferAttachmentDaoImpl, FlowsheetDocument, FlowsheetDocumentImpl, GenericOAuth10aApi, HL7CreateFile, CaseManagementPrint, HomelessPopulationReport

Security & Utility (~5 PRs)

PasswordHash, S21, S22, S23, PrivateBillingDAO, PrivateBillingModel


Note: This PR has been merged with OpenOSP main and conflicts have been resolved (3 files: EmailConfigDao, EmailConfigDaoImpl, SearchDrug3.jsp)

Summary Statistics:

  • Total PRs merged: 221
  • Total non-merge commits: 320
  • Files changed: 523
  • Lines added: 63,285
  • Lines removed: 22,713
  • Breakdown:
    • Security fixes & vulnerability patches: 8 PRs
    • Pre-Jakarta dependency modernization: 34 PRs (part of Epic #1110)
    • Bug fixes: 2 PRs + additional error fixes on this branch
    • CI/CD & automation: 7 PRs
    • Test improvements: 4 PRs
    • JavaDoc documentation: 166 PRs
  • Pending (not in this staging): Phase 1A (PR #2255) — 19 drop-in dependency updates + 6 plugin upgrades

Test Plan

Build Verification

  • JSP compilation: make install --jspc (compile all JSPs, no tests)
    • Maven: mvn clean -DskipModernTests=true -DskipLegacyTests=true -T 1C package war:exploded -Pjspc
  • Build passes: make install --run-tests (all modern + legacy tests)
    • Maven (modern): mvn clean -DskipModernTests=true -DskipLegacyTests=true -T 1C package war:exploded -Pmodern-tests -Ddependency.lock.filename=dependencies-lock-modern.json && mvn test -Pmodern-tests -DskipLegacyTests=true -Ddependency.lock.filename=dependencies-lock-modern.json
    • Maven (legacy): mvn clean -DskipModernTests=true -DskipLegacyTests=true -T 1C package war:exploded && mvn test -DskipModernTests=true
  • Dependency resolution: Maven build completes without missing/conflicting dependencies (34 dependency PRs)

Heavy Testing (highest risk of behavioral changes)

  • #1149 — Apache CXF 3.5.11 → 3.6.9: Web services, SOAP endpoints, CXF-based integrations
  • UI Path: No direct UI trigger in default configuration. CXF powers external REST APIs (/ws/services/), Integrator, fax, and provincial integrations (OLIS, HRM, MCEDT) — all disabled by default. Verify app starts without CXF initialization errors in server log.
  • #2138 — Library cleanup & dependency consolidation: Verify no runtime ClassNotFoundException after removing 8-10 unused JARs
  • UI Path: Caseload > open E-Chart > check server log for ClassNotFoundException
  • #2152 — displaytag 1.2 → hazendaz 2.9.0: All 28 JSPs using <display:table> tags render correctly
  • UI Path: Caseload > E-Chart > Consultations > verify list table renders with sorting and pagination
  • #2202 — Commons BeanUtils → Spring BeanUtils: Sort/compare operations, table sorting, bean property copying
  • UI Path: Demographic search > view results > click column headers (Last Name, First Name, DOB) > verify sort order changes correctly
  • #2213 — Vascular Tracker OSDSF removal: VT form loads and saves without compile errors or missing references
  • UI Path: Caseload > E-Chart > Forms > Vascular Tracker > form loads and saves

Smoke Testing (drop-in upgrades, verify basic functionality)

  • #589 — Jackson modules → 2.19.2: JSON serialization/deserialization across REST APIs
  • UI Path: Caseload view > verify data loads correctly
  • #588 — Flying Saucer PDF 9.4.1 → 9.13.3: PDF generation and rendering
  • UI Path: Caseload > E-Chart > eForms > open an eForm > fill in > click "Add to Documents" > verify PDF generates
  • #1150 — HAPI FHIR 6.4.0 → 6.10.5: Basic FHIR operations
  • UI Path: Caseload > E-Chart > Preventions > verify immunization records load
  • #1151 — JasperReports 6.20.1 → 6.21.7: Report generation
  • UI Path: Caseload > E-Chart > Forms > Rourke 2020 > Print > verify PDF downloads
  • #1154 — Jersey Client 2.46 → 2.47: REST client operations
  • UI Path: No direct UI trigger, zero production code imports found. Verify app starts without errors.
  • #1156 — Quartz dependency removal: Scheduled jobs still function
  • UI Path: No direct UI trigger — Quartz was removed and replaced by Spring scheduler. Verify scheduled background jobs still run (e.g., fax scheduler in applicationContextFax.xml). Verify app starts without scheduler errors in server log.
  • #1157 — commons-dbcp → commons-dbcp2: Database connections, pool behavior
  • UI Path: No direct UI trigger — connection pooling runs automatically. Verify app starts and pages load normally under sustained use.
  • #1159 — Apache POI 5.0.0 → 5.5.1: Spreadsheet/document operations
  • UI Path: Report > Report by Template > generate and export a report as XLS
  • #1160 — taglibs:standard → javax.servlet.jsp.jstl 1.2.5: JSP pages render correctly
  • UI Path: Any JSP page renders without errors
  • #1161 — Remove unused javax.xml:jaxm-api: No runtime SOAP/XML breakage
  • UI Path: No direct UI trigger — zero production code imports found. Verify app starts without errors.
  • #1165 — Apache OpenJPA 3.0.0 → 3.2.2: Persistence operations
  • UI Path: No direct UI trigger in default config — used only by CAISI Integrator module (disabled by default). Verify app starts without errors.
  • #1991 — DemographicManager unit tests: Verify test suite passes
  • UI Path: No UI path — run make install --run-unit-tests and verify test suite passes.
  • #2135 — 5 patch-level dependency updates: General stability
  • UI Paths:
    - httpmime: BC Teleplan billing upload (BC-specific, may not be configured)
    - itextpdf/xmlworker: Caseload > E-Chart > Consultations > open a consultation request > Print > verify PDF generates
    - jsch: No UI trigger — background SFTP daemon
    - jfreechart: Caseload > E-Chart > Measurements > click graph icon on a vital sign > verify chart renders
  • #2154 — jtidy → Jsoup: HTML-to-PDF conversion
  • UI Path: Schedule > Msg > "Compose Message" > select a patient > "Attach Demographic" button > check a document type > "Preview" or "Attach Document" > verify PDF renders
  • #2221 — cglib 2.2.2 → 3.3.0: No ASM conflicts, Spring proxying works
  • UI Path: App starts successfully (Spring bean proxying works, if broken, app won't load)

Breaking Changes

To be confirmed after testing. The following areas have the highest risk of behavioral changes and require heavier testing:

  • #1149 — Apache CXF 3.5.11 → 3.6.9 (web services framework upgrade)
  • #2138 — Library cleanup & dependency consolidation (8-10 JARs removed)
  • #2152 — displaytag 1.2 → hazendaz 2.9.0 (28 JSPs affected)
  • #2202 — Commons BeanUtils → Spring BeanUtils (bean comparison/sorting)
  • #2213 — Vascular Tracker OSDSF integration removal
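Item 6 replaces jasypt with Spring Security Crypto but does not show the call pattern. The block below is an added example, not the project's code or its migration document; it assumes the `Encryptors` / `KeyGenerators` API from spring-security-crypto and a class and configuration names invented here. It demonstrates the two properties a reviewer would verify in such a migration: each encryption uses a fresh IV, and the authenticated (GCM) mode rejects modified ciphertext instead of returning garbage.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

/** Password-based text encryption with Spring Security Crypto (illustrative only). */
public final class SpringCryptoExample {

    private final TextEncryptor encryptor;

    /**
     * @param password secret taken from configuration (assumption: injected by the caller)
     * @param hexSalt  per-installation salt, hex-encoded; stored next to the data, not secret
     */
    SpringCryptoExample(CharSequence password, CharSequence hexSalt) {
        // delux() = AES-256-GCM with a PBKDF2-derived key and a random IV per message,
        // hex-encoded on output. Prefer it over text(), which is CBC without authentication.
        this.encryptor = Encryptors.delux(password, hexSalt);
    }

    String seal(String plaintext) {
        return encryptor.encrypt(plaintext);
    }

    String open(String ciphertextHex) {
        return encryptor.decrypt(ciphertextHex);
    }

    public static void main(String[] args) {
        // Constructed values: in a deployment the password comes from configuration and the
        // salt is generated once and persisted, since changing it makes old data unreadable.
        String salt = KeyGenerators.string().generateKey(); // 8 random bytes, hex-encoded
        SpringCryptoExample codec = new SpringCryptoExample("example-password-from-config", salt);

        String ct = codec.seal("constructed sample text");
        // A fresh IV each call: the same plaintext never yields the same ciphertext.
        System.out.println("distinct ciphertexts: " + !ct.equals(codec.seal("constructed sample text")));
        System.out.println("round trip: " + codec.open(ct));

        // GCM authenticates the ciphertext; altering one hex digit of the tag is detected.
        char flipped = ct.charAt(ct.length() - 1) == '0' ? '1' : '0';
        String tampered = ct.substring(0, ct.length() - 1) + flipped;
        try {
            codec.open(tampered);
            System.out.println("unexpected: tampered ciphertext decrypted");
        } catch (IllegalStateException e) {
            // Spring wraps the cipher's bad-tag failure in an IllegalStateException.
            System.out.println("tamper detected: " + e.getMessage());
        }
    }
}
```

Data encrypted by the old library is not readable through this encryptor; a migration of the kind described in item 6 needs a one-time re-encryption step for stored values, which the linked migration document would cover.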

yingbull and others added 30 commits January 24, 2026 22:12
Close paragraph tag before unordered list and remove trailing
paragraph close tag to fix invalid HTML structure. This ensures
proper JavaDoc rendering.

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
- Remove incorrect 'encryption' term (SHA-1 is hashing, not encryption)
- Remove misleading 'for security' phrase (SHA-1 is cryptographically weak)
- Add 'legacy' qualifier to indicate this is not current best practice
- Maintain accurate technical description without overstating security

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
…llPointerException

The previous JavaDoc incorrectly stated the method returns null when password
is not set. In reality, DatatypeConverter.printBase64Binary() throws
NullPointerException on null input. Updated documentation to reflect actual
behavior.

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
github-actions Bot and others added 14 commits January 30, 2026 01:51
Change BeanUtilHlp.getPropertyValue() to return "null" string for null
properties instead of empty string, matching Apache Commons BeanUtils
behavior. This maintains compatibility with existing code like
MSPReconcile.java that expects the string "null" for null values.

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
Complete migration from Apache Commons BeanComparator to modern Java 8+
Comparator API. This completes Phase 1 of commons-beanutils removal by
eliminating all remaining Apache Commons BeanUtils dependencies.

Changes:
- Replaced BeanComparator with Comparator.comparing() in 9 files
- Replaced ReverseComparator with .reversed() method
- Removed all org.apache.commons.beanutils imports
- Zero new dependencies (uses built-in Java Comparator)
- Type-safe property references instead of string-based reflection

Benefits:
- Eliminates CVE exposure (CVE-2014-0114, CVE-2019-10086, CVE-2025-48734)
- Better performance (no reflection overhead)
- Compile-time safety (method references vs string property names)
- More maintainable modern Java code

Files migrated:
1. ProviderData.java (2 usages - formattedName sorting)
2. ProviderProperty2Action.java (2 usages - lastName sorting)
3. RptMeasurementTypesBeanHandler.java (2 usages - typeDisplayName, typeDescription)
4. RptLabReportData.java (1 usage - lastName sorting)
5. ThirdApptTimeReporter.java (1 usage - startTime reversed)
6. EctStyleSheetBeanHandler.java (1 usage - id sorting)
7. AppointmentStatusMgrImpl.java (1 usage - id sorting)
8. ProviderNameBeanHandler.java (1 usage - firstName sorting)
9. MsgMessengerGroupData.java (1 usage - lastName sorting)

Related-to: #2202

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
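The commit message above describes replacing string-based BeanComparator sorts with Comparator.comparing(). As an added example that is not code from this commit, the class below shows the two patterns it names (a property sort and a reversed sort) on a constructed bean; the `Provider` bean, its fields and the null handling via `Comparator.nullsLast` are choices made here, not taken from the migrated files.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

/** Illustrative Comparator.comparing() replacements for string-based BeanComparator sorts. */
public final class ComparatorMigration {

    /** Constructed bean standing in for a ProviderData-style object. */
    public static final class Provider {
        private final String lastName;
        private final String firstName;
        private final int startTime;

        Provider(String lastName, String firstName, int startTime) {
            this.lastName = lastName;
            this.firstName = firstName;
            this.startTime = startTime;
        }

        public String getLastName() { return lastName; }
        public String getFirstName() { return firstName; }
        public int getStartTime() { return startTime; }

        @Override
        public String toString() { return lastName + ", " + firstName + " @" + startTime; }
    }

    // Before (dependency removed by the migration, shown as a comment only):
    //   Collections.sort(list, new BeanComparator("lastName"));
    //   Collections.sort(list, new ReverseComparator(new BeanComparator("startTime")));
    // A typo in the property string fails only at runtime, via reflection; the method
    // references below are checked by the compiler and need no reflection at all.

    /** Last name, then first name, case-insensitive; nulls sort last instead of throwing. */
    static final Comparator<Provider> BY_LAST_NAME =
            Comparator.comparing(Provider::getLastName, Comparator.nullsLast(String.CASE_INSENSITIVE_ORDER))
                      .thenComparing(Provider::getFirstName, Comparator.nullsLast(String.CASE_INSENSITIVE_ORDER));

    /** Replacement for ReverseComparator(BeanComparator("startTime")). */
    static final Comparator<Provider> BY_START_TIME_DESC =
            Comparator.comparingInt(Provider::getStartTime).reversed();

    /** Returns a sorted copy so callers keep their original list untouched. */
    static List<Provider> sortedBy(List<Provider> in, Comparator<Provider> order) {
        List<Provider> out = new ArrayList<>(in);
        out.sort(order);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data, including a null last name to show the nullsLast choice.
        List<Provider> providers = List.of(
                new Provider("smith", "Ann", 930),
                new Provider("Jones", "Bob", 1100),
                new Provider(null, "Cara", 800),
                new Provider("Smith", "Al", 1015));

        System.out.println("by last name:       " + sortedBy(providers, BY_LAST_NAME));
        System.out.println("by start time desc: " + sortedBy(providers, BY_START_TIME_DESC));
    }
}
```

One behavioural difference worth checking in such a migration: BeanComparator's default comparator throws on a null property value, whereas `nullsLast` here tolerates it. Whichever behaviour the old call sites relied on should be reproduced deliberately rather than changed by accident.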
chore: update lock file for recent dependency updates.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
The ca.uhn.hapi:hapi:pom:1.0.1 parent POM was accidentally removed
in a previous cleanup commit. This POM is required by hapi-base:1.0.1
which is still used in the project.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Split build step into push/PR variants. For PRs, pass sonar.pullrequest.*
parameters to enable inline comments and quality gate status on PRs.

Uses environment variables for safe handling of branch names.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@LiamStanziani

Contributor Author

Note: This is a WIP PR and will most likely not be set ready for review until later on when needed, I will be updating the PR description if I find any issues at this point

@LiamStanziani LiamStanziani changed the title OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation [WIP] OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation Feb 18, 2026
sebastian-j-ibanez and others added 6 commits March 6, 2026 15:50
…g/02172026

Resolved Conflicts:
	src/main/java/ca/openosp/openo/commn/dao/EmailConfigDao.java
	src/main/java/ca/openosp/openo/commn/dao/EmailConfigDaoImpl.java
	src/main/webapp/oscarRx/SearchDrug3.jsp
@LiamStanziani LiamStanziani changed the title [WIP] OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation [WIP] OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation [Additional commits added with dependency upgrades and compilation error fixes] Mar 25, 2026
@LiamStanziani LiamStanziani changed the title [WIP] OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation [Additional commits added with dependency upgrades and compilation error fixes] [WIP] OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation + Additional recent commits with dependency upgrades and compilation error fixes Mar 25, 2026
@LiamStanziani

LiamStanziani commented Mar 25, 2026

Contributor Author

Note: This PR is now ready for review


Additional changes added to this staging PR recently:

Security Fixes

  • Upgraded HL7 FHIR core transitive dependencies to 6.4.0 (XXE vulnerability fix, from PR #1842)
  • Upgraded Jackson dependencies to 2.21.1 (high severity vulnerability fix, from PR #2323)

Bug Fixes

  • Fixed 98 JSP compilation errors from displaytag hazendaz 2.9.0 migration (removed deprecated -el TLD URI)
  • Consolidated display-el prefix to display in 2 JSPs (sitesAdmin.jsp, service_restrictions.jsp)
  • Fixed unreachable code JSP compilation error in logoutSSO.jsp
  • Fixed PreviewContent.jsp commons-lang → OWASP Encode.forHtml() migration (upstream merge compatibility)

Merge

  • Merged OpenOSP main changes to resolve 3 merge conflicts (EmailConfigDao, EmailConfigDaoImpl, SearchDrug3.jsp)

@LiamStanziani LiamStanziani changed the title [WIP] OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation + Additional recent commits with dependency upgrades and compilation error fixes OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation + Additional recent commits with dependency upgrades and compilation error fixes Mar 25, 2026
@LiamStanziani LiamStanziani marked this pull request as ready for review March 25, 2026 14:00
@warrendennis warrendennis merged commit 2080451 into open-osp:main Mar 25, 2026
10 of 11 checks passed
@warrendennis warrendennis deleted the develop-staging/02172026 branch March 25, 2026 17:38

5 participants