Upgrades commons libraries to fix security vulnerabilities #219
Conversation
Updates several Apache Commons dependencies across modules to newer patch releases to fix security vulnerabilities. Fixes OpenIntegrationEngine#218 Notably upgrades commons-lang3 (3.13.0 → 3.18.0), commons-beanutils (1.9.4 → 1.11.0) and commons-configuration2 (2.8.0 → 2.10.1), replacing old JARs with the updated artifacts. Signed-off-by: Nico Piel <nico.piel@hotmail.de>
tonygermano
left a comment
tonygermano
left a comment
There was a problem hiding this comment.
There are references that need to be updated in /server/build.xml and /manager/ant-build.xml. Some of these libraries get added to the manifests of the launcher jars. I'm less concerned about /manager since we don't ship that, and it's probably going to be rewritten at some point, but since you are already updating the jars, you should probably update the build file to match.
Also, the /generator project should probably be kept up to date. That doesn't run on every build, but it is what creates https://github.com/OpenIntegrationEngine/engine/blob/main/server/lib/mirth-vocab.jar
I'd want to see the results of some people testing these changes and check if there are any documented compatibility issues with newer versions before we merge.
Updates several bundled library versions referenced in application manifests to newer releases Signed-off-by: Nico Piel <nico.piel@hotmail.de>
Bumps the Commons Lang library Signed-off-by: Nico Piel <nico.piel@hotmail.de>
Done!
Also Done! |
mgaffigan
left a comment
mgaffigan
left a comment
There was a problem hiding this comment.
Old versions referenced in:
- donkey/.classpath
- donkey/lib/commons/commons-beanutils-1.9.4.jar
- donkey/lib/commons/commons-lang3-3.13.0.jar
- command/.classpath
Bumps several third-party Commons libraries to newer releases Signed-off-by: Nico Piel <nico.piel@hotmail.de>
Signed-off-by: Nico Piel <nico.piel@hotmail.de>
|
Are there libraries we ship that are depending on the three that are updated in this PR? Can we get those up to date at the same time? Approving regardless, since I don't see a downside to shipping as is. |
tonygermano
requested review from
a team,
jonbartels,
kayyagari,
ssrowe and
tonygermano
and removed request for
a team
There was a problem hiding this comment.
Pull request overview
This PR addresses security vulnerabilities by upgrading three Apache Commons libraries across all modules in the Mirth Connect project. The upgrades bring the project up to date with security patches while maintaining consistent versions across the entire multi-module codebase.
Key changes:
- Upgraded commons-lang3 from 3.13.0 to 3.18.0
- Upgraded commons-beanutils from 1.9.4 to 1.11.0
- Upgraded commons-configuration2 from 2.8.0 to 2.10.1
Reviewed changes
Copilot reviewed 8 out of 38 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| server/build.xml | Updated Class-Path manifest attribute with new library versions |
| server/.classpath | Updated Eclipse classpath entries for upgraded commons libraries |
| manager/ant-build.xml | Updated Class-Path manifest attribute with new library versions |
| manager/.classpath | Updated Eclipse classpath entries for upgraded commons libraries |
| generator/.classpath | Updated commons-lang3 classpath entry |
| donkey/.classpath | Updated commons-lang3 and commons-beanutils classpath entries |
| command/.classpath | Updated commons-lang3 and commons-configuration2 classpath entries |
| client/.classpath | Updated all three commons libraries classpath entries |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Here's the changelog for commons-lang3 https://commons.apache.org/proper/commons-lang/changes.html
Is there a reason you stopped at 3.18.0 rather than going all the way to 3.20.0?
There was a problem hiding this comment.
Sorry, I missed that it was linked to an issue that recommended specific versions.
There was a problem hiding this comment.
Here is the changelog for commons-beanutils https://commons.apache.org/proper/commons-beanutils/changes.html
I don't see anything concerning there.
In the pom it has dependencies on
- commons-logging 1.3.5 (we are currently on 1.2)
- commons-collections 3.2.2 (we are good on this one.)
This is the changelog for commons-logging https://commons.apache.org/proper/commons-logging/changes.html
commons-logging has a dependency on log4j 2.24.3 (we are on 2.17.2)
There was a problem hiding this comment.
Here is the changelog for commons-configuration https://commons.apache.org/proper/commons-configuration/changes.html
This PR only bumps to 2.10.1, but 2.13.0 is available.
In the pom it has dependencies on
- commons-logging 1.3.0
- we are currently on 1.2
- This is lower than the 1.3.5 required by beanutils
- commons-configuration2-2.13.0 requires 1.3.5
- commons-text 1.11.0
- we are currently on 1.10.0
- 1.15.0 is available
- commons-configuration2-2.13.0 requires 1.14.0
- commons-lang3 3.14.0
- this PR already upgrades to 3.18.0
- 3.20.0 is available
- commons-configuration2-2.13.0 requires 3.20.0
- log4j 2.23.1
- we are on 2.17.2
- the commons-logging version required by beanutils requires 2.24.3
- 2.25.2 is available
- commons-configuration2-2.13.0 requires 2.25.2
These are optional dependencies that we have in our classpath, but I don't know that we're actually using them with commons-configuration
- jackson-databind 2.17.0
- we are on jackson 2.14.3
- the 2.x releases go up to 2.20.1
- commons-configuration2-2.13.0 requires 2.20.1
- commons-codec 1.16.1
- we are on 1.16.0
- 1.20.0 is available
- commons-configuration2-2.13.0 requires1.20.0
4 participants
Updates several Apache Commons dependencies across modules to newer patch releases to fix security vulnerabilities.
Fixes #218
Notably upgrades
commons-lang3 (3.13.0 → 3.18.0),
commons-beanutils (1.9.4 → 1.11.0) and
commons-configuration2 (2.8.0 → 2.10.1), replacing old JARs with the updated artifacts.