
FI-2019: bump dependencies to address vulnerabilities #63

Merged
merged 1 commit into from
Aug 1, 2023

Conversation

dehall
Contributor

@dehall dehall commented Jul 19, 2023

Summary

This PR makes the following changes to the app dependencies:

  1. Replaces slf4j-log4j12 with slf4j-reload4j to address potential security vulnerabilities in the nested log4j dependency. slf4j-log4j12 brought in log4j v1.2, which is very old (the major vulnerability from 2021, "Log4shell", was introduced in v2, so this was even older than that), and slf4j-reload4j instead brings in "reload4j", which is a fork of log4j 1.x intended to focus on addressing security issues rather than adding features. SLF4J has other log provider options, but this one should be a drop-in replacement with no changes needed elsewhere.
  2. Removes a couple of the HL7 validator dependencies which don't need to be listed here; as the previous code comment suggested, gradle will fetch these automatically. (You can confirm via ./gradlew dependencies, which shows the full dependency tree of the app.) For some reason, though, okhttp is needed but does not get included automatically; I didn't look too deep into that.
  3. Bumps Google GSON to the latest version, just to be proactive.

I also noticed spark is out of date, but the most recent release is also out of date and the library seems to be no longer maintained, so I didn't bother: https://github.com/perwendel/spark
There are options to replace it if we decide we need to someday, for example https://github.com/javalin/javalin

Testing Guidance

The main impact, if any, should be to logging - make sure the app still logs to console as expected.
Still, I would recommend confirming that validation works both with and without a terminology server, because issues with the dependencies may not present until they are called (even if it compiles).
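A Gradle build.gradle sketch of the dependency swap this PR describes, plus a resolution guard that fails the build if any other dependency drags log4j 1.x back in transitively. This is an added illustration, not the project's build file: version strings are placeholders, and the okhttp coordinates are assumed.

```groovy
// build.gradle (Groovy DSL). Added illustration, not this project's build file.
// Version strings are placeholders: substitute the versions pinned in the project.
def slf4jVersion  = 'SLF4J_VERSION_PLACEHOLDER'
def gsonVersion   = 'GSON_VERSION_PLACEHOLDER'
def okhttpVersion = 'OKHTTP_VERSION_PLACEHOLDER'

dependencies {
    // Before: this binding pulls in the unmaintained log4j 1.2 line (log4j:log4j)
    // as a transitive dependency.
    // implementation "org.slf4j:slf4j-log4j12:${slf4jVersion}"

    // After: same SLF4J binding role, but the transitive backend is
    // ch.qos.reload4j:reload4j, the security-maintenance fork of log4j 1.x.
    implementation "org.slf4j:slf4j-reload4j:${slf4jVersion}"

    // okhttp is required at runtime but is not fetched transitively (per the PR).
    // Coordinates assumed; check ./gradlew dependencies for the actual artifact.
    implementation "com.squareup.okhttp3:okhttp:${okhttpVersion}"

    implementation "com.google.code.gson:gson:${gsonVersion}"
}

// Guard: fail resolution if log4j:log4j is requested anywhere in the graph,
// so the reload4j replacement cannot silently regress via another dependency.
configurations.all {
    resolutionStrategy.eachDependency { details ->
        def req = details.requested
        if (req.group == 'log4j' && req.name == 'log4j') {
            throw new GradleException(
                "log4j:log4j:${req.version} requested; " +
                "use org.slf4j:slf4j-reload4j (ch.qos.reload4j:reload4j) instead")
        }
    }
}
```

Running ./gradlew dependencies after the change should show ch.qos.reload4j:reload4j under the SLF4J binding and no log4j:log4j entry anywhere in the tree.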

@dehall dehall requested a review from Jammjammjamm July 19, 2023 21:41
@dehall dehall force-pushed the fi-2019-bump-deps branch 2 times, most recently from 13bd953 to 48a7f1b July 25, 2023 12:30
@dehall dehall force-pushed the fi-2019-bump-deps branch from 48a7f1b to 9f2fce4 August 1, 2023 15:10
@dehall dehall merged commit 9c57f2d into master Aug 1, 2023
@dehall dehall deleted the fi-2019-bump-deps branch August 1, 2023 15:20
@yunwwang
Contributor

This PR fixes GitHub Issue (onc-healthit/onc-certification-g10-test-kit#444)
