OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation + Additional recent commits with dependency upgrades and compilation error fixes #201
Merged
warrendennis merged 553 commits intoMar 25, 2026
Close paragraph tag before unordered list and remove trailing paragraph close tag to fix invalid HTML structure. This ensures proper JavaDoc rendering. Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
- Remove incorrect 'encryption' term (SHA-1 is hashing, not encryption)
- Remove misleading 'for security' phrase (SHA-1 is cryptographically weak)
- Add 'legacy' qualifier to indicate this is not current best practice
- Maintain accurate technical description without overstating security
Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
…llPointerException The previous JavaDoc incorrectly stated the method returns null when password is not set. In reality, DatatypeConverter.printBase64Binary() throws NullPointerException on null input. Updated documentation to reflect actual behavior. Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
Change BeanUtilHlp.getPropertyValue() to return "null" string for null properties instead of empty string, matching Apache Commons BeanUtils behavior. This maintains compatibility with existing code like MSPReconcile.java that expects the string "null" for null values. Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
Complete migration from Apache Commons BeanComparator to modern Java 8+ Comparator API. This completes Phase 1 of commons-beanutils removal by eliminating all remaining Apache Commons BeanUtils dependencies.
Changes:
- Replaced BeanComparator with Comparator.comparing() in 9 files
- Replaced ReverseComparator with .reversed() method
- Removed all org.apache.commons.beanutils imports
- Zero new dependencies (uses built-in Java Comparator)
- Type-safe property references instead of string-based reflection
Benefits:
- Eliminates CVE exposure (CVE-2014-0114, CVE-2019-10086, CVE-2025-48734)
- Better performance (no reflection overhead)
- Compile-time safety (method references vs string property names)
- More maintainable modern Java code
Files migrated:
1. ProviderData.java (2 usages - formattedName sorting)
2. ProviderProperty2Action.java (2 usages - lastName sorting)
3. RptMeasurementTypesBeanHandler.java (2 usages - typeDisplayName, typeDescription)
4. RptLabReportData.java (1 usage - lastName sorting)
5. ThirdApptTimeReporter.java (1 usage - startTime reversed)
6. EctStyleSheetBeanHandler.java (1 usage - id sorting)
7. AppointmentStatusMgrImpl.java (1 usage - id sorting)
8. ProviderNameBeanHandler.java (1 usage - firstName sorting)
9. MsgMessengerGroupData.java (1 usage - lastName sorting)
Related-to: #2202
Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
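The migration pattern the commit above describes, as an added illustration that is not taken from the OpenO EMR code base; the `Appt` class and its fields are hypothetical stand-ins. It goes slightly beyond the commit text by handling null keys explicitly, because `Comparator.comparing` with natural ordering throws `NullPointerException` on a null key.

```java
import java.time.LocalTime;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

public class ComparatorMigrationExample {

    // Hypothetical bean standing in for the project's provider/appointment classes.
    static final class Appt {
        private final String lastName;
        private final LocalTime startTime;

        Appt(String lastName, LocalTime startTime) {
            this.lastName = lastName;
            this.startTime = startTime;
        }

        String getLastName() { return lastName; }
        LocalTime getStartTime() { return startTime; }

        @Override
        public String toString() { return lastName + "@" + startTime; }
    }

    // Before: new BeanComparator("lastName") looked the getter up by name at runtime.
    // After: the getter is bound at compile time, so a misspelled property fails the
    // build and no reflective property resolution is involved in sorting.
    // nullsLast(...) is an addition here: records with a null last name sort to the end.
    static final Comparator<Appt> BY_LAST_NAME =
            Comparator.comparing(Appt::getLastName,
                    Comparator.nullsLast(Comparator.naturalOrder()));

    // Before: new ReverseComparator(new BeanComparator("startTime")).
    // After: the built-in reversed() view of the same key comparator.
    static final Comparator<Appt> BY_START_TIME_DESC =
            Comparator.comparing(Appt::getStartTime).reversed();

    public static void main(String[] args) {
        // Constructed sample data, including one record with a null last name.
        List<Appt> appts = new ArrayList<>(List.of(
                new Appt("Nguyen", LocalTime.of(9, 30)),
                new Appt(null, LocalTime.of(8, 0)),
                new Appt("Adams", LocalTime.of(14, 15))));

        appts.sort(BY_LAST_NAME);
        System.out.println("by last name:       " + appts);

        appts.sort(BY_START_TIME_DESC);
        System.out.println("by start time desc: " + appts);
    }
}
```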
chore: update lock file for recent dependency updates.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
The ca.uhn.hapi:hapi:pom:1.0.1 parent POM was accidentally removed in a previous cleanup commit. This POM is required by hapi-base:1.0.1 which is still used in the project. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Split build step into push/PR variants. For PRs, pass sonar.pullrequest.* parameters to enable inline comments and quality gate status on PRs. Uses environment variables for safe handling of branch names. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
chore: sonarcube for CI
Note: This is a WIP PR and will most likely not be set ready for review until later on when needed. I will be updating the PR description if I find any issues at this point.
… taglib URI + logoutSSO fixes)
…dundant call with dependency changes
…g/02172026 Resolved Conflicts: src/main/java/ca/openosp/openo/commn/dao/EmailConfigDao.java src/main/java/ca/openosp/openo/commn/dao/EmailConfigDaoImpl.java src/main/webapp/oscarRx/SearchDrug3.jsp
… develop-staging/02172026
Note: This PR is now ready for review.
Additional changes added to this staging PR recently:
Security Fixes
Bug Fixes
Merge
Summary
This staging branch (develop-staging/02172026) is cut from develop and contains all changes merged since the base staging branch PR #188 (staging/01232026) was created. It includes 221 PRs with 320 non-merge commits across 523 files changed (+63,285 / -22,713 lines).
Security Fixes & Vulnerability Patches (8 PRs)
1. PR #1836 — Imported provider display fix with OWASP hardening (3 commits)
Related Issue: #1663
2. PR #1843 — Upgrade netty vulnerable transitive dependencies (3 commits)
- netty-bom
Related Issue: #1846
3. PR #1844 — Exclude Apache CXF vulnerable transitive dependencies (2 commits)
- rhino transitive dependency from Apache CXF (security vulnerability)
- mime4j-core for security vulnerability
- transports-jms transitive dependency with security vulnerability
Related Issue: #1847
4. PR #2240 — XML file upload security + dom4j → JDOM2 migration (3 commits)
Related Issue: #2138
5. PR #2241 — Migrate Apache Commons BeanUtils to Spring BeanUtils — Phase 1 (3 commits)
- BeanComparator to Java Comparator.comparing()
- BeanUtilHlp null handling
Related Issue: #2202
6. PR #2199 — Replace jasypt 1.9.3 with Spring Security Crypto (5 commits)
- jasypt encryption library with Spring Security Crypto
- (docs/migration/jasypt-to-spring-crypto.md)
Related Issue: #2158
7. PR #1842 — Upgrade vulnerable HL7 FHIR core transitive dependencies to 6.4.0 (XXE vulnerability fix) (1 commit, manually updated in branch to avoid conflicts)
Related Issue: #1845
8. PR #2323 — Upgrade vulnerable jackson dependencies to 2.21.1 (1 commit + merge commit)
Related Issue: #2322
Pre-Jakarta Migration: Dependency Modernization (34 PRs)
Pre-Jakarta Version Upgrades (last javax-compatible versions)
9. PR #2172 — commons-dbcp 1.4 → commons-dbcp2 2.14.0 (3 commits)
- commons-dbcp to commons-dbcp2
- maxWait to maxWaitMillis, replaced deprecated removeAbandoned properties
Related Issue: #1157
10. PR #2097 — HAPI FHIR 6.4.0 → 6.10.5 (3 commits)
Related Issue: #1150
11. PR #2134 — Apache CXF 3.5.11 → 3.6.9 (2 commits)
Related Issue: #1149
12. PR #2115 — JasperReports 6.20.1 → 6.21.7 (3 commits)
Related Issue: #1151
13. PR #2116 — Apache POI 5.0.0 → 5.5.1 (1 commit)
Related Issue: #1159
14. PR #2124 — Apache OpenJPA 3.0.0 → 3.2.2 (1 commit)
Related Issue: #1165
15. PR #2117 — Jersey Client 2.46 → 2.47 (1 commit)
Related Issue: #1154
16. PR #2120 — Jackson modules → 2.19.2 (2 commits)
- jackson-module-jaxb-annotations
Related Issue: #589
17. PR #2113 — Flying Saucer PDF 9.4.1 → 9.13.3 (1 commit)
Related Issue: #588
18. PR #2096 — taglibs:standard 1.1.2 → javax.servlet.jsp.jstl 1.2.5 (3 commits)
Related Issue: #1160
19. PR #2239 — cglib 2.2.2 → 3.3.0 (1 commit)
Related Issue: #2221
20. PR #2242 — displaytag 1.2 → hazendaz 2.9.0 (2 commits)
Related Issue: #2152
21. PR #2178 — 5 patch-level dependency updates (1 commit)
Related Issue: #2135
Library Migrations (unmaintained → maintained)
22. PR #2197 — ManageDocument2Action: jpedal → Apache PDFBox (3 commits)
Related Issue: #2184
23. PR #2200 — NioFileManagerImpl: jpedal → Apache PDFBox (2 commits)
Related Issue: #2183
24. PR #2238 — Doc2PDF: jtidy → Jsoup (3 commits)
Related Issue: #2154
25. PR #2185 — JSch → maintained fork (mwiede) (1 commit)
Related Issue: #2159
26. PR #2190 — commonmark Atlassian → org.commonmark 0.23.0 (1 commit)
Related Issue: #2157
27. PR #2191 — zxing 1.5 → com.google.zxing 3.5.3 (1 commit)
Related Issue: #2149
28. PR #2192 — commons-digester 1.8 → commons-digester3 3.2 (5 commits)
Related Issue: #2145
29. PR #2189 — commons-exec 1.3 → 1.4.0 (1 commit)
Related Issue: #2156
30. PR #2207 — janino 2.3.2 → org.codehaus.janino 3.1.12 (1 commit)
Related Issue: #2151
31. PR #2208 — Replace Xerces DOMParser with standard Java DocumentBuilderFactory (2 commits)
Related Issue: #2150
Dead Code & Unused Dependency Removal
32. PR #2204 — Remove dead ClinicalConnect/MedSeek integration (4 commits)
- CC_EHR_LOADED conditional and unreachable code
Related Issue: #2167
33. PR #2114 — Remove dead Quartz dependency (1 commit)
Related Issue: #1156
34. PR #2123 — Remove unused javax.xml:jaxm-api (1 commit)
Related Issue: #1161
35. PR #2186 — Remove unused patientSiteVisit SNAPSHOT dependency (1 commit)
Related Issue: #2168
36. PR #2193 — Remove unused tagsoup and jersey-client dependencies (1 commit)
37. PR #2206 — Remove duplicate velocity:1.7 dependency (1 commit)
Related Issue: #2162
38. PR #2205 — Remove jpedal from pom.xml and local_repo (1 commit)
Related Issue: #2203
40. PR #1990 — Remove old libraries from localrepo, migrate jCharts (2 commits)
41. PR #2141 — Library cleanup: remove Jetty deps, final post-upgrade cleanup (3 commits)
42. PR #2201 — Fix JAXB runtime dependency for Java 21 (4 commits)
Related Issue: #2164
43. PR #2246 — Update lock file for dependency changes (1 commit)
Bug Fixes (2 PRs + Additional Fixes)
44. PR #1903 — Fix show() call to null value causing console error (1 commit)
- show() call to a value that is never set
45. PR #2214 — VT cleanup: dependency fixes, PHI removal from logs (7 commits)
Related Issue: #2213
Additional Fixes added to this staging branch to resolve errors
CI/CD & Automation (7 PRs)
46. PR #2251 — SonarCloud integration (8 commits)
47. PR #1988 — Workflow updates for staging, hotfix, and community branches (4 commits)
48. PR #2143 + PR #2179 — Issue triage workflow improvements (5 commits)
49–51. PRs #1916, #1918, #1920 — Claude workflow permissions (3 commits)
- gh CLI in Claude workflow
Test Improvements (4 PRs)
52. PR #1849 — Selenium upgrade + test refactoring (8 commits)
- Thread.sleep() calls in favor of explicit waits
Related Issue: #1848
53. PR #2058 — Demographic Manager unit tests (2 commits)
Related Issue: #1991
54. PR #1840 + PR #1841 — Claude hooks enhancements (13 commits)
JavaDoc Documentation (166 PRs)
Comprehensive JavaDoc was added across 166 classes spanning the following areas. Each PR corresponds to a single class documentation issue.
All 166 JavaDoc PR numbers
#1609, #1906, #1907, #1908, #1909, #1910, #1913, #1915, #1917, #1919,
#1921, #1922, #1923, #1925, #1926, #1927, #1928, #1929, #1930, #1931,
#1932, #1933, #1934, #1935, #1936, #1937, #1938, #1939, #1940, #1941,
#1942, #1943, #1944, #1945, #1946, #1947, #1948, #1949, #1950, #1951,
#1952, #1953, #1954, #1955, #1956, #1957, #1958, #1959, #1960, #1961,
#1962, #1963, #1964, #1965, #1966, #1967, #1968, #1969, #1970, #1971,
#1972, #1973, #1974, #1975, #1976, #1978, #1979, #1980, #1981, #1982,
#1983, #1984, #1985, #1986, #1992, #1993, #1994, #1995, #1996, #1997,
#1998, #1999, #2000, #2001, #2002, #2003, #2004, #2005, #2006, #2007,
#2008, #2009, #2010, #2011, #2012, #2013, #2014, #2015, #2016, #2017,
#2018, #2019, #2020, #2021, #2022, #2023, #2024, #2025, #2026, #2027,
#2028, #2029, #2030, #2031, #2032, #2033, #2034, #2035, #2036, #2037,
#2038, #2039, #2040, #2041, #2042, #2043, #2044, #2045, #2046, #2047,
#2048, #2049, #2050, #2051, #2052, #2053, #2054, #2055, #2056, #2057,
#2068, #2069, #2070, #2071, #2072, #2073, #2074, #2075, #2076, #2077,
#2078, #2079, #2080, #2081, #2082, #2083, #2084, #2085, #2086, #2087,
#2088, #2089, #2090, #2091, #2092, #2111
Managers & Services (~15 PRs)
DemographicManager, DemographicManagerImpl, EmailManager, EmailComposeManager, NoteManager, ProfessionalSpecialistsManager, ProgramProviderService, DemographicWs, DocumentAttachmentManager, DocumentAttachmentManagerImpl
Web Actions (~15 PRs)
ERefer2Action, ManageInboxhub2Action, ManageEmails2Action, EmailCompose2Action, EmailSend2Action, EformLogError2Action, ProfessionalSpecialist2Action, DocumentPreview2Action, PrintDemoLabel2Action, PrintDemoChartLabel2Action, PrintDemoAddressLabel2Action, MoveMOHFiles2Action
BCAR / Antenatal Record Types (~55 PRs)
AR1, AR1Impl, AR2, AR2Impl, ARRecordImpl, ARRecordDocumentImpl, ARRecordSetImpl, ARRecordSetDocumentImpl, PatientInformation, PatientInformationImpl, PartnerInformation, PartnerInformationImpl, PregnancyHistory, PregnancyHistoryImpl, ObstetricalHistoryImpl, ObstetricalHistoryItemList, ObstetricalHistoryItemListImpl, CurrentPregnancyType, CurrentPregnancyTypeImpl, MedicalHistoryType, MedicalHistoryTypeImpl, MedicalHistoryAndPhysicalExam, MedicalHistoryAndPhysicalExamImpl, PhysicalExaminationType, PhysicalExaminationTypeImpl, InitialLaboratoryInvestigations, InitialLaboratoryInvestigationsImpl, AdditionalLabInvestigationsType, AdditionalLabInvestigationsTypeImpl, UltrasoundType, UltrasoundTypeImpl, DiscussionTopicsType, DiscussionTopicsTypeImpl, SubsequentVisitItemType, SubsequentVisitItemTypeImpl, PsychosocialType, PsychosocialTypeImpl, PrenatalGeneticScreeningType, PrenatalGeneticScreeningTypeImpl, RecommendedImmunoprophylaxisType, RecommendedImmunoprophylaxisTypeImpl, SignatureType, SignatureTypeImpl, NewbornCareImpl, RiskFactorItemTypeImpl, PractitionerInformationImpl, InfectiousDiseaseTypeImpl, CustomLabImpl, FamilyHistoryTypeImpl, EthnicValueType, EthnicValueTypeImpl, NormalAbnormalNullTypeImpl, DatingMethodsImpl, BirthAttendantsImpl, GenericHistoryTypeImpl, YesNoNullTypeImpl, ObjectFactory
Cached/Integrator Models (~35 PRs)
CachedDemographic, CachedDemographicAllergy, CachedDemographicConsent, CachedDemographicDocument, CachedDemographicDocumentContents, CachedDemographicDrug, CachedDemographicForm, CachedDemographicHL7LabResult, CachedDemographicImage, CachedDemographicIssue, CachedDemographicLabResult, CachedDemographicNote, CachedDemographicNoteCompositePk, CachedDemographicPrevention, CachedAppointment, CachedBillingOnItem, CachedDxresearch, CachedEformData, CachedEformValue, CachedFacility, CachedMeasurement, CachedMeasurementExt, CachedMeasurementMap, CachedMeasurementType, CachedProgram, CachedProvider, CachedAdmission
Core Entities & DAOs (~15 PRs)
Facility, EventLog, ImportLog, NoteIssue, IssueGroup, Referral, ProviderCommunication, SiteUser, DemographicPushDate, DemographicLink, DemographicTransfer, SystemProperties, AbstractModel, FacilityIdStringCompositePk, FacilityIdIntegerCompositePk, FacilityIdLabResultCompositePk, FacilityIdDemographicIssueCompositePk
Email & Communication (~10 PRs)
EmailLog, EmailLogDao, EmailLogDaoImpl, EmailConfigDao, EmailConfigDaoImpl, EmailStatusResult, EmailNoteUtil, EmailSender, APISendGridEmailSender, SMTPEmailSender
Web Services (~8 PRs)
DemographicWsService, ProviderWsService, ProgramWsService, FacilityWsService, HnrWsService, ReferralWsService, LabDataController, PrivateBillingController
Healthcare Integration (~10 PRs)
EDTService, EDTDelegateImpl, HCValidationService, HCValidationImpl, EReferAttachmentDao, EReferAttachmentDaoImpl, FlowsheetDocument, FlowsheetDocumentImpl, GenericOAuth10aApi, HL7CreateFile, CaseManagementPrint, HomelessPopulationReport
Security & Utility (~5 PRs)
PasswordHash, S21, S22, S23, PrivateBillingDAO, PrivateBillingModel
Note: This PR has been merged with OpenOSP main and conflicts have been resolved (3 files: EmailConfigDao, EmailConfigDaoImpl, SearchDrug3.jsp)
Summary Statistics:
Test Plan
Build Verification
- make install --jspc (compile all JSPs, no tests)
- mvn clean -DskipModernTests=true -DskipLegacyTests=true -T 1C package war:exploded -Pjspc
- make install --run-tests (all modern + legacy tests)
- mvn clean -DskipModernTests=true -DskipLegacyTests=true -T 1C package war:exploded -Pmodern-tests -Ddependency.lock.filename=dependencies-lock-modern.json && mvn test -Pmodern-tests -DskipLegacyTests=true -Ddependency.lock.filename=dependencies-lock-modern.json
- mvn clean -DskipModernTests=true -DskipLegacyTests=true -T 1C package war:exploded && mvn test -DskipModernTests=true
Heavy Testing (highest risk of behavioral changes)
- <display:table> tags render correctly
Smoke Testing (drop-in upgrades, verify basic functionality)
- httpmime: BC Teleplan billing upload (BC-specific, may not be configured)
- itextpdf/xmlworker: Caseload > E-Chart > Consultations > open a consultation request > Print > verify PDF generates
- jsch: No UI trigger — background SFTP daemon
- jfreechart: Caseload > E-Chart > Measurements > click graph icon on a vital sign > verify chart renders
Breaking Changes
To be confirmed after testing. The following areas have the highest risk of behavioral changes and require heavier testing: