Security: upgraded vulnerable hl7 transitive dependencies to 6.4.0

[LiamStanziani]

In this PR, I have:

• Upgraded vulnerable hl7 transitive dependencies to 6.4.0

I have tested this by:

• Interacting and using related hl7 functionalities (Preventions, Immunizations, Labs)

Summary by Sourcery

Pin vulnerable org.hl7.fhir.core transitive dependencies to secure versions to address an XXE vulnerability in XSLT parsing.

Bug Fixes:

• Address XXE vulnerability in XSLT parsing by forcing secure versions of org.hl7.fhir.core transitive libraries.

Build:

• Update Maven pom to explicitly depend on org.hl7.fhir.utilities and org.hl7.fhir.dstu3 version 6.4.0 and refresh dependency lock files to match.

---

Summary by cubic

Upgraded HL7 FHIR transitive dependencies to 6.4.0 to fix an XXE vulnerability in XSLT parsing. Forces secure versions to ensure safe builds.

• Dependencies
  • Added direct deps for ca.uhn.hapi.fhir:org.hl7.fhir.utilities and ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 at 6.4.0 to override vulnerable transitive versions.
  • Updated dependency lock files to match.

^{Written for commit 87110ba. Summary will update on new commits.}

Summary by Sourcery

Update HL7 FHIR dependencies to secure versions to address a known XXE vulnerability.

Bug Fixes:

• Mitigate XXE vulnerability in XSLT parsing by pinning vulnerable org.hl7.fhir.core transitive dependencies to a fixed version.

Build:

• Add explicit Maven dependencies on ca.uhn.hapi.fhir org.hl7.fhir.utilities and org.hl7.fhir.dstu3 at version 6.4.0 and refresh dependency lock files to align with the new versions.

Summary by CodeRabbit

• Chores
  • Updated HL7 FHIR library dependencies to version 6.4.0.
  • Updated dependency verification hashes to reflect the new library versions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Pins vulnerable org.hl7.fhir.core transitive dependencies to explicit, secure 6.4.0 versions in the Maven build and refreshes dependency lock files accordingly to address an XXE vulnerability in XSLT parsing.

File-Level Changes

Change	Details	Files
Add explicit secure HL7 FHIR dependencies to override vulnerable transitive versions.	Declare direct Maven dependency on ca.uhn.hapi.fhir:org.hl7.fhir.utilities at version 6.4.0. Declare direct Maven dependency on ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 at version 6.4.0. Document in comments that these dependencies mitigate an XXE vulnerability in XSLT parsing from transitive org.hl7.fhir.core libraries.	pom.xml
Align dependency lock files with the new HL7 FHIR dependency versions.	Update modern dependency lock file entries to reflect the added HL7 FHIR 6.4.0 dependencies. Update the legacy dependency lock file entries to reflect the added HL7 FHIR 6.4.0 dependencies.	dependencies-lock-modern.json dependencies-lock.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

📝 Walkthrough

Walkthrough

Three files updated to bump HL7 FHIR library versions from 5.6.881 to 6.4.0, addressing security vulnerabilities. Changes include updated integrity hashes in two lockfiles and new dependency management declarations in Maven configuration.

Changes

Cohort / File(s)	Summary
Dependency Lockfile Updates dependencies-lock-modern.json, dependencies-lock.json	Version bumps for org.hl7.fhir.dstu3 and org.hl7.fhir.utilities from 5.6.881 → 6.4.0 with corresponding SHA-512 integrity hash replacements
Maven POM Configuration pom.xml	Added two new <dependency> entries under <dependencyManagement> for org.hl7.fhir.utilities:6.4.0 and org.hl7.fhir.dstu3:6.4.0 to enforce secure versions and address XXE/CVE concerns

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• yingbull

Poem

🐰 With whiskers twitching, we hop with cheer,
HL7 libraries updated, security drawing near!
From 5.6 to 6.4 we bound with grace,
CVE vulnerabilities erased from this place! 🔐✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main change: upgrading vulnerable HL7 FHIR transitive dependencies to version 6.4.0 for security purposes, which is the core purpose of this PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 87110ba.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
maven/ca.uhn.hapi.fhir:org.hl7.fhir.dstu3	6.4.0	🟢 4.8	Details Check Score Reason Code-Review 🟢 9 Found 27/30 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo SAST 🟢 9 SAST tool detected but not run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 18 existing vulnerabilities detected
maven/ca.uhn.hapi.fhir:org.hl7.fhir.utilities	6.4.0	🟢 4.8	Details Check Score Reason Code-Review 🟢 9 Found 27/30 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo SAST 🟢 9 SAST tool detected but not run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 18 existing vulnerabilities detected

Scanned Files

• pom.xml

[cubic-dev-ai]

No issues found across 3 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[sourcery-ai]

Hey - I've left some high level feedback:

• Consider extracting the 6.4.0 HL7/FHIR version into a Maven property (e.g. hl7.fhir.version) so that future upgrades only require changing it in one place.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider extracting the `6.4.0` HL7/FHIR version into a Maven property (e.g. `hl7.fhir.version`) so that future upgrades only require changing it in one place.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sebastian-j-ibanez]

@LiamStanziani when you get a chance, would you be able to either:

• fix these merge conflicts
• make a new branch based off maintenance, and update hl7 there

Thanks! 🧉