Conversation

NicoPiel (Contributor) commented Dec 5, 2025

Updates several Apache Commons dependencies across modules to newer patch releases to fix security vulnerabilities.

Fixes #218

Notably upgrades commons-lang3 (3.13.0 → 3.18.0), commons-beanutils (1.9.4 → 1.11.0) and commons-configuration2 (2.8.0 → 2.10.1), replacing old JARs with the updated artifacts.

tonygermano (Member) left a comment


There are references that need to be updated in /server/build.xml and /manager/ant-build.xml. Some of these libraries get added to the manifests of the launcher jars. I'm less concerned about /manager since we don't ship that, and it's probably going to be rewritten at some point, but since you are already updating the jars, you should probably update the build file to match.

Also, the /generator project should probably be kept up to date. That doesn't run on every build, but it is what creates https://github.com/OpenIntegrationEngine/engine/blob/main/server/lib/mirth-vocab.jar

I'd want to see the results of some people testing these changes and check if there are any documented compatibility issues with newer versions before we merge.

Updates several bundled library versions referenced in application manifests to newer releases

Signed-off-by: Nico Piel <nico.piel@hotmail.de>
Bumps the Commons Lang library

Signed-off-by: Nico Piel <nico.piel@hotmail.de>
NicoPiel (Contributor, Author) commented Dec 5, 2025

There are references that need to be updated in /server/build.xml and /manager/ant-build.xml.

Done!

Also, the /generator project should probably be kept up to date.

Also Done!

mgaffigan (Contributor) left a comment


Old versions referenced in:

  • donkey/.classpath
  • donkey/lib/commons/commons-beanutils-1.9.4.jar
  • donkey/lib/commons/commons-lang3-3.13.0.jar
  • command/.classpath

Contributor

Why is this removed without replacement?

Contributor Author

Because it was neither in the classpath, nor the build.xml.

Contributor

It's included in the build classpath on command/build.xml:5..7

Contributor Author

Ah. I used the search tool to look for explicit mentions as is done in the other build files.
Added the new version.
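
As an added example (not part of this PR or of the engine project's own build), the following POSIX shell script does mechanically what the reviewers did by hand in the two threads above: it scans Ant build files, Eclipse .classpath files and jar manifests for references to the three pre-upgrade jar names from the PR description, so that a stale entry like the ones found in donkey/.classpath or command/build.xml cannot leave a vulnerable jar on a module's classpath after the jar files themselves were swapped. The old version strings come from the PR description; the directory layout and file contents built by make_sample_tree are constructed for the demonstration, and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the PR): find build-file references to the Commons
# jar versions this PR retires. Old version strings are from the PR description;
# the sample tree below is constructed and does not mirror the real repository.

set -eu

# Alternation of the jar file names the PR replaces (regex-escaped dots).
OLD_JARS='commons-lang3-3\.13\.0\.jar|commons-beanutils-1\.9\.4\.jar|commons-configuration2-2\.8\.0\.jar'

# find_stale_refs DIR
#   Print "file:line:text" for every line in an Ant build file, Eclipse
#   .classpath or jar manifest under DIR that still names a retired jar.
#   grep exits 1 when nothing matches, which is the desired outcome here,
#   so that status is swallowed instead of tripping set -e.
find_stale_refs() {
    dir="$1"
    find "$dir" -type f \
        \( -name 'build.xml' -o -name 'ant-build.xml' -o -name '.classpath' -o -name 'MANIFEST.MF' \) \
        -exec grep -HnE "$OLD_JARS" {} + 2>/dev/null || true
}

# count_stale_refs DIR
#   Number of stale references under DIR; 0 means the bump is complete.
count_stale_refs() {
    find_stale_refs "$1" | wc -l | tr -d ' '
}

# make_sample_tree DIR
#   Constructed miniature of the layout discussed in the PR: one module whose
#   build file already points at the new jars, and one whose .classpath still
#   points at the old ones (the situation mgaffigan reported for donkey/).
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/server" "$dir/donkey"
    cat > "$dir/server/build.xml" <<'EOF'
<project>
  <pathelement location="lib/commons/commons-lang3-3.18.0.jar"/>
  <pathelement location="lib/commons/commons-beanutils-1.11.0.jar"/>
</project>
EOF
    cat > "$dir/donkey/.classpath" <<'EOF'
<classpath>
  <classpathentry kind="lib" path="lib/commons/commons-beanutils-1.9.4.jar"/>
  <classpathentry kind="lib" path="lib/commons/commons-lang3-3.13.0.jar"/>
</classpath>
EOF
}
```

Running `make_sample_tree /tmp/demo && find_stale_refs /tmp/demo` prints the two offending lines from donkey/.classpath and nothing for server/build.xml. Against a real checkout, run find_stale_refs on the repository root and treat any output (or a nonzero count_stale_refs) as a failed pre-merge check; extend OLD_JARS with each further jar the bump touches.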

Bumps several third-party Commons libraries to newer releases

Signed-off-by: Nico Piel <nico.piel@hotmail.de>
Signed-off-by: Nico Piel <nico.piel@hotmail.de>
Development

Successfully merging this pull request may close these issues.

[SECURITY] Vulnerability in Apache Commons Libraries