
[WIP] OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation#201

Draft
LiamStanziani wants to merge 596 commits into open-osp:main from openo-beta:develop-staging/02172026

Conversation

@LiamStanziani (Contributor) commented Feb 18, 2026

NOTE: THIS PR IS A WORK IN PROGRESS, PLEASE HOLD OFF ON REVIEWING FOR NOW


Summary

This staging branch (develop-staging/02172026) is cut from develop and contains all changes merged since the base staging branch PR #188 (staging/01232026) was created. It includes 219 PRs with 318 non-merge commits across 522 files changed (+63,210 / -22,650 lines).

Note: This branch builds on top of PR #188 (OpenO EMR 2026.1.0-RC1). The hotfix packages PR #199 and PR #200 were created separately against open-osp/Open-O:main — specific changes were cherry-picked into those hotfix branches independently and are not included in this staging branch. Those fixes will need to be reconciled separately.

GitHub Commit Count: GitHub displays 596 commits on this PR because PR #188 has not yet been merged to open-osp:main. Once PR #188 is merged, the commit count will drop to reflect only the 547 new commits (229 merge + 318 non-merge) documented below.


Security Fixes & Vulnerability Patches (6 PRs)

1. PR #1836 — Imported provider display fix with OWASP hardening (3 commits)

  • Fixed provider records not displaying correctly after import
  • Added OWASP encoding on all HTML attribute user inputs
  • Fixed NullPointerExceptions on provider search and update JSP pages
  • Created separate HTML render path when provider is null to avoid broken layouts

Related Issue: #1663

2. PR #1843 — Upgrade netty vulnerable transitive dependencies (3 commits)

  • Upgraded all Netty transitive dependencies to consistent version using netty-bom
  • Moved Netty version to properties variable for centralized management
  • Updated lock file

Related Issue: #1846

3. PR #1844 — Exclude Apache CXF vulnerable transitive dependencies (2 commits)

  • Excluded unused rhino transitive dependency from Apache CXF (security vulnerability)
  • Updated mime4j-core for security vulnerability
  • Excluded unused transports-jms transitive dependency with security vulnerability

Related Issue: #1847

4. PR #2240 — XML file upload security + dom4j → JDOM2 migration (3 commits)

  • Added critical security validations for XML file upload in ManageDashboard2Action
  • Migrated XML processing from dom4j to JDOM2

Related Issue: #2138

5. PR #2241 — Migrate Apache Commons BeanUtils to Spring BeanUtils — Phase 1 (3 commits)

  • Security migration from Apache Commons BeanUtils (CVE exposure) to Spring BeanUtils
  • Migrated BeanComparator to Java Comparator.comparing()
  • Restored backward compatibility in BeanUtilHlp null handling

Related Issue: #2202

6. PR #2199 — Replace jasypt 1.9.3 with Spring Security Crypto (5 commits)

  • Replaced jasypt encryption library with Spring Security Crypto
  • Added migration documentation (docs/migration/jasypt-to-spring-crypto.md)
  • Addressed code review feedback

Related Issue: #2158


Pre-Jakarta Migration: Dependency Modernization (34 PRs)

This work is part of Epic #1110: Jakarta EE Migration Preparation. The strategy upgrades all dependencies to their last javax-compatible versions before the eventual javax.* → jakarta.* namespace switch. Tracking issues: Phase 1 (#2249), Phase 1A (#2253), Phase 1B (#2254).

Note: Phase 1A (PR #2255) — 19 additional drop-in dependency updates + 6 Maven plugin upgrades — has been submitted but is not yet merged to develop and is therefore not included in this staging branch.

Pre-Jakarta Version Upgrades (last javax-compatible versions)

7. PR #2172 — commons-dbcp 1.4 → commons-dbcp2 2.14.0 (3 commits)

  • Major migration from legacy commons-dbcp to commons-dbcp2
  • Renamed maxWait to maxWaitMillis, replaced deprecated removeAbandoned properties

Related Issue: #1157

8. PR #2097 — HAPI FHIR 6.4.0 → 6.10.5 (3 commits)

  • Upgraded HAPI FHIR healthcare interoperability library
  • Updated dependency lock files

Related Issue: #1150

9. PR #2134 — Apache CXF 3.5.11 → 3.6.9 (2 commits)

  • Last javax-compatible version before CXF 4.x (Jakarta)
  • Upgraded web services framework for healthcare integrations

Related Issue: #1149

10. PR #2115 — JasperReports 6.20.1 → 6.21.7 (3 commits)

  • Last javax-compatible version before JasperReports 7.x (Jakarta)

Related Issue: #1151

11. PR #2116 — Apache POI 5.0.0 → 5.5.1 (1 commit)

  • Upgraded Apache POI spreadsheet/document library to latest 5.x release

Related Issue: #1159

12. PR #2124 — Apache OpenJPA 3.0.0 → 3.2.2 (1 commit)

  • Upgraded OpenJPA persistence library to latest 3.x release

Related Issue: #1165

13. PR #2117 — Jersey Client 2.46 → 2.47 (1 commit)

  • Last javax-compatible version before Jersey 3.x (Jakarta)

Related Issue: #1154

14. PR #2120 — Jackson modules → 2.19.2 (2 commits)

  • Upgraded Jackson JAX-RS JSON Provider and aligned all Jackson modules to 2.19.2
  • Added jackson-module-jaxb-annotations

Related Issue: #589

15. PR #2113 — Flying Saucer PDF 9.4.1 → 9.13.3 (1 commit)

  • Upgraded Flying Saucer XHTML/CSS renderer used for PDF generation

Related Issue: #588

16. PR #2096 — taglibs:standard 1.1.2 → javax.servlet.jsp.jstl 1.2.5 (3 commits)

  • Replaced legacy taglibs:standard with official javax.servlet.jsp.jstl implementation

Related Issue: #1160

17. PR #2239 — cglib 2.2.2 → 3.3.0 (1 commit)

  • Resolved ASM version conflicts

Related Issue: #2221

18. PR #2242 — displaytag 1.2 → hazendaz 2.9.0 (2 commits)

  • Replaced 17-year-old dead project with maintained fork

Related Issue: #2152

19. PR #2178 — 5 patch-level dependency updates (1 commit)

  • Updated httpmime 4.5.14, itextpdf 5.5.13.5, xmlworker 5.5.13.5, jsch 0.1.55, jfreechart 1.5.6

Related Issue: #2135

Library Migrations (unmaintained → maintained)

20. PR #2197 — ManageDocument2Action: jpedal → Apache PDFBox (3 commits)

  • Migrated PDF handling in document management from jpedal to PDFBox
  • Added page number validation and correct default page numbers

Related Issue: #2184

21. PR #2200 — NioFileManagerImpl: jpedal → Apache PDFBox (2 commits)

  • Migrated file manager PDF handling, added comprehensive error handling to PDF page rendering

Related Issue: #2183

22. PR #2238 — Doc2PDF: jtidy → Jsoup (3 commits)

  • Migrated HTML-to-PDF conversion from jtidy to Jsoup

Related Issue: #2154

23. PR #2185 — JSch → maintained fork (mwiede) (1 commit)

  • Migrated from abandoned JSch to actively maintained mwiede/jsch fork

Related Issue: #2159

24. PR #2190 — commonmark Atlassian → org.commonmark 0.23.0 (1 commit)

  • Migrated Markdown parser from Atlassian fork to upstream org.commonmark

Related Issue: #2157

25. PR #2191 — zxing 1.5 → com.google.zxing 3.5.3 (1 commit)

  • Migrated barcode library from legacy zxing to official Google ZXing

Related Issue: #2149

26. PR #2192 — commons-digester 1.8 → commons-digester3 3.2 (5 commits)

  • Excluded beanutils transitive dependency

Related Issue: #2145

27. PR #2189 — commons-exec 1.3 → 1.4.0 (1 commit)

  • Updated Apache Commons Exec process execution library

Related Issue: #2156

28. PR #2207 — janino 2.3.2 → org.codehaus.janino 3.1.12 (1 commit)

  • Migrated embedded Java compiler to actively maintained org.codehaus.janino

Related Issue: #2151

29. PR #2208 — Replace Xerces DOMParser with standard Java DocumentBuilderFactory (2 commits)

  • Removed external Xerces dependency by using JDK-built-in XML parsing in JDBCUtil

Related Issue: #2150

Dead Code & Unused Dependency Removal

30. PR #2204 — Remove dead ClinicalConnect/MedSeek integration (4 commits)

  • Removed CC_EHR_LOADED conditional and unreachable code
  • Fixed empty EHR widget after removal

Related Issue: #2167

31. PR #2114 — Remove dead Quartz dependency (1 commit)

  • Removed unused Quartz scheduler dependency from pom.xml

Related Issue: #1156

32. PR #2123 — Remove unused javax.xml:jaxm-api (1 commit)

  • Jakarta-prep: removes unused javax dependency to reduce migration surface

Related Issue: #1161

33. PR #2186 — Remove unused patientSiteVisit SNAPSHOT dependency (1 commit)

  • Removed unreferenced SNAPSHOT dependency that could cause build instability

Related Issue: #2168

34. PR #2193 — Remove unused tagsoup and jersey-client dependencies (1 commit)

  • Removed tagsoup HTML parser and jersey-client REST dependencies no longer referenced in codebase

35. PR #2206 — Remove duplicate velocity:1.7 dependency (1 commit)

  • Removed duplicate Velocity template engine entry from pom.xml

Related Issue: #2162

36. PR #2205 — Remove jpedal from pom.xml and local_repo (1 commit)

  • Cleaned up jpedal dependency and local repository files after migration to PDFBox

Related Issue: #2203

37. PR #1990 — Remove old libraries from localrepo, migrate jCharts (2 commits)

  • Removed unused libraries from local Maven repository
  • Migrated jCharts to matching version available on Maven Central

38. PR #2141 — Library cleanup: remove Jetty deps, final post-upgrade cleanup (3 commits)

  • Removed Jetty dependencies (OpenO uses Tomcat, not Jetty)
  • Final cleanup of dependencies and resolved javadoc errors after library updates

39. PR #2201 — Fix JAXB runtime dependency for Java 21 (4 commits)

  • Coordinated JAXB dependencies to 2.3.9 for Java 21 compatibility

Related Issue: #2164

40. PR #2246 — Update lock file for dependency changes (1 commit)

  • Regenerated Maven dependency lock file to reflect all dependency updates in this staging cycle

Bug Fixes (2 PRs)

41. PR #1903 — Fix show() call to null value causing console error (1 commit)

  • Removed show() call to a value that is never set

42. PR #2214 — VT cleanup: dependency fixes, PHI removal from logs (7 commits)

  • Resolved JSch dependency conflict, upgraded xercesImpl
  • Removed PHI from log statements
  • Sanitized formName in logs, removed unused code
  • Fixed DashboardManagerEncryptionUnitTest to extend OpenOUnitTestBase
  • Re-added missing required deps (older janino for Drools support)

Related Issue: #2213


CI/CD & Automation (7 PRs)

43. PR #2251 — SonarCloud integration (8 commits)

  • Set up SonarCloud code quality scanning
  • Added PR decorators for inline code review feedback
  • Configured for existing build containers

44. PR #1988 — Workflow updates for staging, hotfix, and community branches (4 commits)

  • Updated dependency-review, dependency-submission, and maven-project workflows
  • Cleaned up non-working workflows

45. PR #2143 + PR #2179 — Issue triage workflow improvements (5 commits)

  • Auto-set type/project/status for new issue tickets
  • Added duplicate detection and conditional field updates

46–48. PRs #1916, #1918, #1920 — Claude workflow permissions (3 commits)

  • Added GITHUB_TOKEN sandboxed permissions for gh CLI in Claude workflow

Test Improvements (4 PRs)

49. PR #1849 — Selenium upgrade + test refactoring (8 commits)

  • Upgraded Selenium to latest version, removed unused WebDriverManager
  • Migrated tests to headless Chrome (no hardcoded browser path)
  • Refactored all Selenium tests to use a base class / helper methods
  • Added env var overrides for test credentials
  • Removed Thread.sleep() calls in favor of explicit waits
  • Removed logging of successful login URL

Related Issue: #1848

50. PR #2058 — Demographic Manager unit tests (2 commits)

  • Added comprehensive DemographicManager unit tests to modern test framework

Related Issue: #1991

51. PR #1840 + PR #1841 — Claude hooks enhancements (13 commits)

  • Improved OWASP encoding validator: reduced false positives, simplified PrintWriter pattern detection
  • Fixed BDD test naming examples to conform to Java best practices

JavaDoc Documentation (166 PRs)

Comprehensive JavaDoc was added across 166 classes spanning the following areas. Each PR corresponds to a single class documentation issue.

All 166 JavaDoc PR numbers

#1609, #1906, #1907, #1908, #1909, #1910, #1913, #1915, #1917, #1919,
#1921, #1922, #1923, #1925, #1926, #1927, #1928, #1929, #1930, #1931,
#1932, #1933, #1934, #1935, #1936, #1937, #1938, #1939, #1940, #1941,
#1942, #1943, #1944, #1945, #1946, #1947, #1948, #1949, #1950, #1951,
#1952, #1953, #1954, #1955, #1956, #1957, #1958, #1959, #1960, #1961,
#1962, #1963, #1964, #1965, #1966, #1967, #1968, #1969, #1970, #1971,
#1972, #1973, #1974, #1975, #1976, #1978, #1979, #1980, #1981, #1982,
#1983, #1984, #1985, #1986, #1992, #1993, #1994, #1995, #1996, #1997,
#1998, #1999, #2000, #2001, #2002, #2003, #2004, #2005, #2006, #2007,
#2008, #2009, #2010, #2011, #2012, #2013, #2014, #2015, #2016, #2017,
#2018, #2019, #2020, #2021, #2022, #2023, #2024, #2025, #2026, #2027,
#2028, #2029, #2030, #2031, #2032, #2033, #2034, #2035, #2036, #2037,
#2038, #2039, #2040, #2041, #2042, #2043, #2044, #2045, #2046, #2047,
#2048, #2049, #2050, #2051, #2052, #2053, #2054, #2055, #2056, #2057,
#2068, #2069, #2070, #2071, #2072, #2073, #2074, #2075, #2076, #2077,
#2078, #2079, #2080, #2081, #2082, #2083, #2084, #2085, #2086, #2087,
#2088, #2089, #2090, #2091, #2092, #2111

Managers & Services (~15 PRs)

DemographicManager, DemographicManagerImpl, EmailManager, EmailComposeManager, NoteManager, ProfessionalSpecialistsManager, ProgramProviderService, DemographicWs, DocumentAttachmentManager, DocumentAttachmentManagerImpl

Web Actions (~15 PRs)

ERefer2Action, ManageInboxhub2Action, ManageEmails2Action, EmailCompose2Action, EmailSend2Action, EformLogError2Action, ProfessionalSpecialist2Action, DocumentPreview2Action, PrintDemoLabel2Action, PrintDemoChartLabel2Action, PrintDemoAddressLabel2Action, MoveMOHFiles2Action

BCAR / Antenatal Record Types (~55 PRs)

AR1, AR1Impl, AR2, AR2Impl, ARRecordImpl, ARRecordDocumentImpl, ARRecordSetImpl, ARRecordSetDocumentImpl, PatientInformation, PatientInformationImpl, PartnerInformation, PartnerInformationImpl, PregnancyHistory, PregnancyHistoryImpl, ObstetricalHistoryImpl, ObstetricalHistoryItemList, ObstetricalHistoryItemListImpl, CurrentPregnancyType, CurrentPregnancyTypeImpl, MedicalHistoryType, MedicalHistoryTypeImpl, MedicalHistoryAndPhysicalExam, MedicalHistoryAndPhysicalExamImpl, PhysicalExaminationType, PhysicalExaminationTypeImpl, InitialLaboratoryInvestigations, InitialLaboratoryInvestigationsImpl, AdditionalLabInvestigationsType, AdditionalLabInvestigationsTypeImpl, UltrasoundType, UltrasoundTypeImpl, DiscussionTopicsType, DiscussionTopicsTypeImpl, SubsequentVisitItemType, SubsequentVisitItemTypeImpl, PsychosocialType, PsychosocialTypeImpl, PrenatalGeneticScreeningType, PrenatalGeneticScreeningTypeImpl, RecommendedImmunoprophylaxisType, RecommendedImmunoprophylaxisTypeImpl, SignatureType, SignatureTypeImpl, NewbornCareImpl, RiskFactorItemTypeImpl, PractitionerInformationImpl, InfectiousDiseaseTypeImpl, CustomLabImpl, FamilyHistoryTypeImpl, EthnicValueType, EthnicValueTypeImpl, NormalAbnormalNullTypeImpl, DatingMethodsImpl, BirthAttendantsImpl, GenericHistoryTypeImpl, YesNoNullTypeImpl, ObjectFactory

Cached/Integrator Models (~35 PRs)

CachedDemographic, CachedDemographicAllergy, CachedDemographicConsent, CachedDemographicDocument, CachedDemographicDocumentContents, CachedDemographicDrug, CachedDemographicForm, CachedDemographicHL7LabResult, CachedDemographicImage, CachedDemographicIssue, CachedDemographicLabResult, CachedDemographicNote, CachedDemographicNoteCompositePk, CachedDemographicPrevention, CachedAppointment, CachedBillingOnItem, CachedDxresearch, CachedEformData, CachedEformValue, CachedFacility, CachedMeasurement, CachedMeasurementExt, CachedMeasurementMap, CachedMeasurementType, CachedProgram, CachedProvider, CachedAdmission

Core Entities & DAOs (~15 PRs)

Facility, EventLog, ImportLog, NoteIssue, IssueGroup, Referral, ProviderCommunication, SiteUser, DemographicPushDate, DemographicLink, DemographicTransfer, SystemProperties, AbstractModel, FacilityIdStringCompositePk, FacilityIdIntegerCompositePk, FacilityIdLabResultCompositePk, FacilityIdDemographicIssueCompositePk

Email & Communication (~10 PRs)

EmailLog, EmailLogDao, EmailLogDaoImpl, EmailConfigDao, EmailConfigDaoImpl, EmailStatusResult, EmailNoteUtil, EmailSender, APISendGridEmailSender, SMTPEmailSender

Web Services (~8 PRs)

DemographicWsService, ProviderWsService, ProgramWsService, FacilityWsService, HnrWsService, ReferralWsService, LabDataController, PrivateBillingController

Healthcare Integration (~10 PRs)

EDTService, EDTDelegateImpl, HCValidationService, HCValidationImpl, EReferAttachmentDao, EReferAttachmentDaoImpl, FlowsheetDocument, FlowsheetDocumentImpl, GenericOAuth10aApi, HL7CreateFile, CaseManagementPrint, HomelessPopulationReport

Security & Utility (~5 PRs)

PasswordHash, S21, S22, S23, PrivateBillingDAO, PrivateBillingModel


Summary Statistics:

  • Total PRs merged: 219
  • Total non-merge commits: 318
  • Files changed: 522
  • Lines added: 63,210
  • Lines removed: 22,650
  • Breakdown:
    • Security fixes & vulnerability patches: 6 PRs
    • Pre-Jakarta dependency modernization: 34 PRs (part of Epic #1110)
    • Bug fixes: 2 PRs
    • CI/CD & automation: 7 PRs
    • Test improvements: 4 PRs
    • JavaDoc documentation: 166 PRs
  • Pending (not in this staging): Phase 1A (PR #2255) — 19 drop-in dependency updates + 6 plugin upgrades

Test Plan

Build Verification

  • JSP compilation: make install --jspc (compile all JSPs, no tests)
    • Maven: mvn clean -DskipModernTests=true -DskipLegacyTests=true -T 1C package war:exploded -Pjspc
  • Build passes: make install --run-tests (all modern + legacy tests)
    • Maven (modern): mvn clean -DskipModernTests=true -DskipLegacyTests=true -T 1C package war:exploded -Pmodern-tests -Ddependency.lock.filename=dependencies-lock-modern.json && mvn test -Pmodern-tests -DskipLegacyTests=true -Ddependency.lock.filename=dependencies-lock-modern.json
    • Maven (legacy): mvn clean -DskipModernTests=true -DskipLegacyTests=true -T 1C package war:exploded && mvn test -DskipModernTests=true
  • Dependency resolution: Maven build completes without missing/conflicting dependencies (34 dependency PRs)

Heavy Testing (highest risk of behavioral changes)

  • #1149 — Apache CXF 3.5.11 → 3.6.9: Web services, SOAP endpoints, CXF-based integrations
  • #2138 — Library cleanup & dependency consolidation: Verify no runtime ClassNotFoundException after removing 8-10 unused JARs
  • #2152 — displaytag 1.2 → hazendaz 2.9.0: All 28 JSPs using <display:table> tags render correctly
  • #2202 — Commons BeanUtils → Spring BeanUtils: Sort/compare operations, table sorting, bean property copying
  • #2213 — Vascular Tracker OSDSF removal: VT form loads and saves without compile errors or missing references

Smoke Testing (drop-in upgrades, verify basic functionality)

  • #589 — Jackson modules → 2.19.2: JSON serialization/deserialization across REST APIs
  • #588 — Flying Saucer PDF 9.4.1 → 9.13.3: PDF generation and rendering
  • #1150 — HAPI FHIR 6.4.0 → 6.10.5: Basic FHIR operations
  • #1151 — JasperReports 6.20.1 → 6.21.7: Report generation
  • #1154 — Jersey Client 2.46 → 2.47: REST client operations
  • #1156 — Quartz dependency removal: Scheduled jobs still function
  • #1157 — commons-dbcp → commons-dbcp2: Database connections, pool behavior
  • #1159 — Apache POI 5.0.0 → 5.5.1: Spreadsheet/document operations
  • #1160 — taglibs:standard → javax.servlet.jsp.jstl 1.2.5: JSP pages render correctly
  • #1161 — Remove unused javax.xml:jaxm-api: No runtime SOAP/XML breakage
  • #1165 — Apache OpenJPA 3.0.0 → 3.2.2: Persistence operations
  • #1991 — DemographicManager unit tests: Verify test suite passes
  • #2135 — 5 patch-level dependency updates: General stability
  • #2154 — jtidy → Jsoup: HTML-to-PDF conversion
  • #2221 — cglib 2.2.2 → 3.3.0: No ASM conflicts, Spring proxying works

Breaking Changes

To be confirmed after testing. The following areas have the highest risk of behavioral changes and require heavier testing:

  • #1149 — Apache CXF 3.5.11 → 3.6.9 (web services framework upgrade)
  • #2138 — Library cleanup & dependency consolidation (8-10 JARs removed)
  • #2152 — displaytag 1.2 → hazendaz 2.9.0 (28 JSPs affected)
  • #2202 — Commons BeanUtils → Spring BeanUtils (bean comparison/sorting)
  • #2213 — Vascular Tracker OSDSF integration removal

yingbull and others added 30 commits January 24, 2026 22:05
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Close paragraph tag before unordered list and remove trailing
paragraph close tag to fix invalid HTML structure. This ensures
proper JavaDoc rendering.

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
- Remove incorrect 'encryption' term (SHA-1 is hashing, not encryption)
- Remove misleading 'for security' phrase (SHA-1 is cryptographically weak)
- Add 'legacy' qualifier to indicate this is not current best practice
- Maintain accurate technical description without overstating security

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
…llPointerException

The previous JavaDoc incorrectly stated the method returns null when password
is not set. In reality, DatatypeConverter.printBase64Binary() throws
NullPointerException on null input. Updated documentation to reflect actual
behavior.

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
github-actions bot and others added 28 commits January 29, 2026 23:25
- Replace jtidy 1.0.5 (unmaintained since ~2010) with Jsoup 1.17.2
- Migrate parseJSP2PDF(), parseString2PDF(), and parseString2Bin() methods
- Configure Jsoup with XML syntax and XHTML entities for iText compatibility
- Set prettyPrint(false) to prevent whitespace issues in iText XML parser
- Fix character encoding by using UTF-8 explicitly (was platform-dependent)
- Remove jtidy dependency from pom.xml
- Add comprehensive integration tests with medical terminology and special characters

Benefits:
- Removes 15-year-old unmaintained library
- Fixes character encoding bug (critical for French Canadian patient names)
- Better HTML5 support with actively maintained library
- Improved security with modern, maintained dependency

Fixes #2154

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
- Exclude cglib:cglib:2.2.2 from spring-aop dependency
- Add explicit cglib:cglib-nodep:3.3.0 dependency
- cglib-nodep bundles ASM internally, eliminating classpath conflicts
- Resolves collision between asm:asm:3.3.1 and org.ow2.asm:asm:9.9
- Compatible with Spring 5.3.39 and Hibernate 5.6.15.Final

Fixes #2221

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
- Replace dom4j imports with JDOM2 equivalents in ManageDashboard2Action
- Migrate XML parsing from SAXReader to SAXBuilder
- Update validation logic to use standard javax.xml.validation API
- Remove dom4j dependency from pom.xml
- Maintain all XXE attack prevention security features

Closes #2138

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
…Phase 1)

- Migrated 9 files from org.apache.commons.beanutils.BeanUtils to org.springframework.beans.BeanUtils
- Reversed parameter order in copyProperties() calls (Spring uses source-first convention)
- Migrated BeanUtilHlp to use Spring BeanWrapper for property access
- Removed explicit commons-beanutils 1.11.0 dependency from pom.xml
- Simplified exception handling (generic Exception instead of specific reflection exceptions)

This migration eliminates the unmaintained commons-beanutils library and its
associated CVE exposure (CVE-2014-0114, CVE-2019-10086, CVE-2025-48734).
Spring BeanUtils is actively maintained and already included in our Spring
Framework 5.3.39 dependency.

Files modified:
- src/main/java/ca/openosp/openo/util/BeanUtilHlp.java
- src/main/java/ca/openosp/openo/prescript/web/CopyFavorites2Action.java
- src/main/java/ca/openosp/openo/integration/mchcv/HCValidationResult.java
- src/main/java/ca/openosp/openo/form/pharmaForms/formBPMH/business/BpmhForm2Handler.java
- src/main/java/ca/openosp/openo/dashboard/handler/TicklerHandler.java
- src/main/java/ca/openosp/openo/dashboard/factory/DashboardBeanFactory.java
- src/main/java/ca/openosp/openo/dashboard/factory/DrilldownBeanFactory.java
- src/main/java/ca/openosp/openo/commn/model/Demographic.java
- src/main/java/ca/openosp/openo/PMmodule/web/ClientManager2Action.java
- pom.xml

Fixes #2202

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
- Update Maven dependency to com.github.hazendaz:displaytag:2.9.0
- Modernize 17-year-old dead dependency with actively maintained fork
- Simplify dependency exclusions (hazendaz uses modern versions)
- Remove exclusions for commons-beanutils, commons-lang, itext
- Keep SLF4J exclusions to avoid conflicts with OpenO's logging

This is a temporary bridge solution. Full migration to DataTables
is planned for Q2 2026 (see issue #2152).

Fixes #2152 (Phase 1 - Upgrade to maintained fork)

IMPORTANT: After merging, run 'make lock' to update dependency lock files.

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
- Add PathValidationUtils.validateUpload() to prevent path traversal attacks
- Add FEATURE_SECURE_PROCESSING to SchemaFactory for complete XXE protection
- Enforce external DTD/schema access restrictions on SchemaFactory

These changes address security issues identified in code reviews by
cubic-dev-ai and coderabbitai.

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
- Fix PHI exposure in debug logging (now logs only content length)
- Add explicit UTF-8 encoding to all .getBytes() calls (lines 253, 270, 319)
- Extract duplicated Jsoup configuration to configureJsoupForXhtml() helper
- Add comprehensive JavaDoc to parseJSP2PDF, parseString2PDF, parseString2Bin
- Fix BDD test naming: all tests now follow should<Action>_when<Condition> pattern
- Extract common test setup to @BeforeEach to reduce duplication

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
chore: upgrade cglib from 2.2.2 to 3.3.0 to resolve ASM conflicts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
chore: upgrade displaytag 1.2 → hazendaz 2.9.0
Change BeanUtilHlp.getPropertyValue() to return "null" string for null
properties instead of empty string, matching Apache Commons BeanUtils
behavior. This maintains compatibility with existing code like
MSPReconcile.java that expects the string "null" for null values.

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
Complete migration from Apache Commons BeanComparator to modern Java 8+
Comparator API. This completes Phase 1 of commons-beanutils removal by
eliminating all remaining Apache Commons BeanUtils dependencies.

Changes:
- Replaced BeanComparator with Comparator.comparing() in 9 files
- Replaced ReverseComparator with .reversed() method
- Removed all org.apache.commons.beanutils imports
- Zero new dependencies (uses built-in Java Comparator)
- Type-safe property references instead of string-based reflection

Benefits:
- Eliminates CVE exposure (CVE-2014-0114, CVE-2019-10086, CVE-2025-48734)
- Better performance (no reflection overhead)
- Compile-time safety (method references vs string property names)
- More maintainable modern Java code

Files migrated:
1. ProviderData.java (2 usages - formattedName sorting)
2. ProviderProperty2Action.java (2 usages - lastName sorting)
3. RptMeasurementTypesBeanHandler.java (2 usages - typeDisplayName, typeDescription)
4. RptLabReportData.java (1 usage - lastName sorting)
5. ThirdApptTimeReporter.java (1 usage - startTime reversed)
6. EctStyleSheetBeanHandler.java (1 usage - id sorting)
7. AppointmentStatusMgrImpl.java (1 usage - id sorting)
8. ProviderNameBeanHandler.java (1 usage - firstName sorting)
9. MsgMessengerGroupData.java (1 usage - lastName sorting)

Related-to: #2202

Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
chore: update lock file for recent dependency updates.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
The ca.uhn.hapi:hapi:pom:1.0.1 parent POM was accidentally removed
in a previous cleanup commit. This POM is required by hapi-base:1.0.1
which is still used in the project.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Split build step into push/PR variants. For PRs, pass sonar.pullrequest.*
parameters to enable inline comments and quality gate status on PRs.

Uses environment variables for safe handling of branch names.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
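The PathValidationUtils.validateUpload() named in the code-review follow-up commit above is not shown on this page, so here is an added, illustrative version of that kind of check (not OpenO's code): a client-supplied file name is accepted only as a bare name, then resolved under the upload directory and confirmed to still sit inside it after normalization. The class name, the .xml allowlist, the base directory and the sample inputs are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

/** Illustrative upload path validation (assumed class name, not the project's PathValidationUtils). */
public final class UploadPathCheck {

    /**
     * Resolve a client-supplied file name inside uploadDir and refuse anything that would
     * escape it. Returns the normalized absolute target path on success.
     */
    public static Path validateUpload(Path uploadDir, String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Only a bare file name is acceptable: a separator or NUL means the client sent a path.
        if (clientFileName.indexOf('/') >= 0 || clientFileName.indexOf('\\') >= 0
                || clientFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("file name must not contain path separators");
        }
        if (clientFileName.equals(".") || clientFileName.equals("..")) {
            throw new IllegalArgumentException("invalid file name");
        }
        // Assumption: this endpoint only handles XML, so other types are rejected up front.
        if (!clientFileName.toLowerCase(Locale.ROOT).endsWith(".xml")) {
            throw new IllegalArgumentException("only .xml uploads are accepted");
        }
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientFileName).normalize();
        // Defence in depth: confirm containment after normalization, whatever the checks above missed.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("target escapes the upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploads = Paths.get("/var/lib/openo/dashboard-uploads");  // constructed base directory
        String[] samples = {
            "diabetes-dashboard.xml",   // accepted
            "../../../etc/passwd",      // rejected: separators
            "..",                       // rejected: parent reference
            "dashboard.xml\0.jpg",      // rejected: embedded NUL
            "report.xsl"                // rejected: wrong extension
        };
        for (String name : samples) {
            try {
                System.out.println("accepted: " + validateUpload(uploads, name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + name.replace("\0", "\\0") + ": " + e.getMessage());
            }
        }
    }
}
```

The containment check on the normalized path is the one that matters; the earlier rejections only give clearer error messages. Where the stored name does not need to match the client's, generating a server-side name and keeping the original only as metadata removes the client's influence over the path entirely, and resolving the base directory with toRealPath() before the comparison also defeats symlinks planted under it.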
@LiamStanziani (Contributor Author) commented:

Note: This is a WIP PR and will most likely not be set ready for review until later on when needed, I will be updating the PR description if I find any issues at this point
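The PHI-in-logs and formName sanitisation fixes listed under point 42 of the description, and the "logs only content length" change in the Doc2PDF follow-up commit, describe two habits worth keeping together. As an added example, not code from OpenO: a helper that strips control characters from an untrusted identifier before it reaches a log line, so a single request cannot forge extra log entries, and a helper that records only the length of a payload that may contain patient data. The class, method names and sample values are constructed.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

/** Illustrative PHI-safe logging helpers (assumed names, not the project's own). */
public final class PhiSafeLogging {
    private static final Logger LOG = Logger.getLogger(PhiSafeLogging.class.getName());
    private static final int MAX_LOGGED_LENGTH = 64;
    // CR, LF, the other ASCII control characters and the Unicode line/paragraph separators.
    private static final Pattern CONTROL_CHARS = Pattern.compile("[\\p{Cntrl}\\u2028\\u2029]");

    /** Make an untrusted identifier (for example a form name) safe to embed in a log line. */
    public static String sanitizeForLog(String value) {
        if (value == null) {
            return "<null>";
        }
        String cleaned = CONTROL_CHARS.matcher(value).replaceAll("_");
        if (cleaned.length() > MAX_LOGGED_LENGTH) {
            cleaned = cleaned.substring(0, MAX_LOGGED_LENGTH) + "...[truncated]";
        }
        return cleaned;
    }

    /** Describe a document body without recording any of its content. */
    public static String describeContent(String content) {
        return content == null ? "content=null" : "contentLength=" + content.length();
    }

    public static void main(String[] args) {
        // Constructed inputs: a form name carrying a log-injection attempt, and an HTML body with PHI.
        String formName = "BPMH\nINFO  provider=admin login succeeded";
        String html = "<p>Patient: Jane Doe, DOB 1980-01-01, HIN 1234567890</p>";

        // What the page describes fixing: LOG.fine("Converting " + formName + ": " + html);
        // would write patient data to disk and let the newline in formName forge a second log line.
        LOG.info("Converting form " + sanitizeForLog(formName) + " " + describeContent(html));
    }
}
```

Logging the length (or a hash, if individual documents need to be correlated later) keeps enough to debug size or truncation problems without the log becoming a second copy of the chart. The sanitiser belongs at the logging boundary rather than on input, so the original value is untouched for the code that actually uses it.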

@LiamStanziani LiamStanziani changed the title OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation [WIP] OpenO EMR Staging 02/17/2026: Security, Dependencies & Documentation Feb 18, 2026