Investigate refactoring out commons-digester3 dependency #2195

@github-actions

Description

Background

PR #2192 upgrades commons-digester from version 1.8 (released 2006) to commons-digester3 version 3.3 to address security vulnerabilities and improve Java 21 compatibility. However, during code review, several concerns were raised about the digester3 library itself:

  1. Version Issue: Maven Central only has digester3 version 3.2 (not 3.3), which could cause build failures
  2. Security Concerns: The library pulls in transitive dependencies with known CVEs (commons-beanutils).
  3. Unmaintained: The commons-digester3 library itself is effectively unmaintained (last update 2011-2013)
  4. Modern Alternatives: XML parsing in 2026 has better alternatives (Jackson XML, JAXB, simple DOM parsing, etc.)

Current Usage

Digester3 is currently used in 3 files for XML configuration parsing:

1. Measurement Type Configuration

File: src/main/java/ca/openosp/openo/encounter/oscarMeasurements/util/EctFindMeasurementTypeUtil.java
Purpose: Parses XML files that define clinical measurement types (blood pressure, weight, height, etc.) and their validation rules
Pattern: XML → EctFormProp → EctMeasurementTypesBean + EctValidationsBean
Complexity: ~30 lines of digester configuration (lines 58-82)

2. EForm Auto-Population Configuration

File: src/main/java/ca/openosp/openo/eform/EFormLoader.java
Purpose: Parses apconfig.xml to configure database auto-population rules for electronic forms
Pattern: XML → DatabaseAP objects (SQL queries + output formatting)
Complexity: ~15 lines of digester configuration (lines 172-201)

3. Custom Report Configuration

File: src/main/java/ca/openosp/openo/PMmodule/web/reports/custom/UCRConfigurationManager.java
Purpose: Parses custom report configuration XML for program management module
Pattern: XML → UCRConfiguration → DataSource → Form → Item hierarchy
Complexity: ~20 lines of digester configuration (lines 35-77, static initializer)

Investigation Tasks

  • Identify XML schema/format for each of the 3 configuration file types
  • Evaluate replacement options:
    • Jackson XML module (modern, well-maintained)
    • JAXB (Java standard, already in classpath for Java 21)
    • Simple DOM/SAX parsing with manual mapping
    • Other modern XML→POJO libraries
  • Assess migration complexity:
    • Are the XML files simple enough for JAXB annotations?
    • How many configuration files exist in production?
    • Are there any dynamic/runtime configuration patterns that would be difficult to migrate?
  • Security analysis:
    • Do any of these parsers process untrusted XML? (XXE vulnerability risk)
    • Are there any XML external entity references in the config files?
  • Create migration plan if refactoring is feasible
  • Document decision if keeping digester3 is the better choice (with mitigation steps for the beanutils CVEs)
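The two security-analysis questions above (does any parser process untrusted XML, and do the config files carry external entity references) can be answered with a small amount of code regardless of which replacement library is chosen. The following is an added example, not code from the OpenOSP project: it builds a DocumentBuilderFactory with DTDs and external entities disabled, maps a constructed measurement-type layout (the element and attribute names `measurements`, `measurement`, `type`, `name`, `validation` and the `MeasurementType` record are hypothetical and do not describe the project's real XML or its EctMeasurementTypesBean) into plain objects without digester, and scans a list of config files for DOCTYPE/ENTITY markers. It assumes Java 17 or later for records and text blocks.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public final class SafeConfigXml {

    /** Hypothetical target type; the project's real beans are not modelled here. */
    public record MeasurementType(String type, String name, String validation) {}

    /** Factory with DTD processing and external entity resolution switched off (XXE hardening). */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE entirely is the simplest and strongest setting for config files
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Digester-free DOM parsing with manual mapping for the constructed layout:
     *  <measurements><measurement type=".." name=".."><validation>..</validation></measurement>...</measurements> */
    public static List<MeasurementType> parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        NodeList nodes = doc.getDocumentElement().getElementsByTagName("measurement");
        List<MeasurementType> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            NodeList v = e.getElementsByTagName("validation");
            String validation = v.getLength() > 0 ? v.item(0).getTextContent().trim() : "";
            out.add(new MeasurementType(e.getAttribute("type"), e.getAttribute("name"), validation));
        }
        return out;
    }

    private static final Pattern DTD_MARKERS =
            Pattern.compile("<!DOCTYPE|<!ENTITY|SYSTEM\\s+\"|PUBLIC\\s+\"", Pattern.CASE_INSENSITIVE);

    /** Audit helper: which of the given config files declare a DTD or entity at all? */
    public static List<Path> filesWithDtdMarkers(List<Path> files) throws IOException {
        List<Path> hits = new ArrayList<>();
        for (Path p : files) {
            String text = Files.readString(p, StandardCharsets.UTF_8);
            if (DTD_MARKERS.matcher(text).find()) {
                hits.add(p);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input in the hypothetical layout above
        String clean = """
            <measurements>
              <measurement type="BP" name="Blood Pressure"><validation>range:0-300</validation></measurement>
              <measurement type="WT" name="Weight"/>
            </measurements>
            """;
        System.out.println(parse(clean));

        // A constructed config carrying a DOCTYPE is rejected outright by the hardened parser,
        // which is the behaviour you want for files that are supposed to be plain configuration
        String withDoctype = "<!DOCTYPE m [<!ENTITY e \"x\">]><measurements>&e;</measurements>";
        try {
            parse(withDoctype);
        } catch (SAXException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Running `filesWithDtdMarkers` over the measurement-type, apconfig.xml and custom-report files answers the second investigation question directly; if the list comes back empty, `disallow-doctype-decl` can be turned on without breaking any existing configuration, and whichever replacement is chosen (Jackson XML, JAXB or DOM) should be fed a factory or `XMLInputFactory` configured the same way.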

Success Criteria

One of the following outcomes:

  1. Full Migration: Replace digester3 with modern alternative, remove dependency entirely
  2. Partial Migration: Migrate some use cases, document why others remain
  3. Keep with Mitigation: Document why digester3 is retained, implement CVE mitigations (upgrade beanutils to >=1.11.0)
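For outcome 3, the beanutils mitigation is a build-level pin rather than a code change. The fragment below is an added example and not taken from the project's pom.xml; it assumes Maven and uses the 1.11.0 floor stated above to override the transitive version that commons-digester3 declares.

```xml
<!-- Added example: force the transitive commons-beanutils pulled in by
     org.apache.commons:commons-digester3 up to the fixed release line. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.11.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=commons-beanutils`, which should show a single resolved version of 1.11.0 or later with no older copy left under digester3.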

Labels: type: maintenance (Code refactoring, dependency updates)