
Updated and removed some dependencies for security purpose#324

Closed
kateyang1998 wants to merge 22 commits into develop/coyote from issue-322

Conversation


@kateyang1998 kateyang1998 commented Jun 26, 2025

Issue described in #322

Summary by Sourcery

Secure project dependencies by bumping library versions, adding security-focused libraries, and excluding vulnerable transitive dependencies

New Features:

  • Add commons-beanutils 1.11.0, dom4j 2.1.4, and OWASP ESAPI 2.6.2.0 as direct dependencies

Enhancements:

  • Upgrade HAPI FHIR to 6.4.0, MySQL Connector/J to 9.3.0, WebDriverManager to 6.1.0, and Apache CXF HTTP transport to 3.3.0
  • Exclude commons-beanutils from multiple dependencies to mitigate security vulnerabilities
  • Exclude xalan, serializer, Bouncy Castle, and ESAPI transitive libraries from specific dependencies

@kateyang1998 kateyang1998 requested a review from yingbull June 26, 2025 20:16

sourcery-ai bot commented Jun 26, 2025

Reviewer's Guide

This PR strengthens security by upgrading several dependencies to safer versions, adding direct management of vulnerable libraries, and systematically excluding risky transitive dependencies in the Maven configuration.

File-Level Changes

Change | Details | Files

Upgraded primary dependencies to newer, secure versions
  • Bumped HAPI FHIR from 5.4.0 to 6.4.0
  • Updated MySQL connector to com.mysql:mysql-connector-j 9.3.0
  • Advanced WebDriverManager from 3.8.1 to 6.1.0
  • Set CXF transports HTTP to 3.3.0 and added CXF WS-Security 3.2.0
  Files: pom.xml

Introduced direct dependency declarations for better control
  • Added commons-beanutils 1.11.0
  • Added dom4j 2.1.4
  • Added OWASP ESAPI 2.6.2.0
  Files: pom.xml

Excluded vulnerable transitive dependencies
  • Excluded commons-beanutils variants from multiple Apache Commons and third-party modules
  • Excluded Xalan and serializer from XML-related dependencies
  • Excluded BouncyCastle and ESAPI from CXF and Woodstox configurations
  Files: pom.xml

Removed obsolete or insecure artifacts
  • Replaced old mysql-connector-java entry with com.mysql connector
  • Commented unnecessary dependency link causing 404 when removed
  Files: pom.xml


@sourcery-ai sourcery-ai bot left a comment


Hey @kateyang1998 - I've reviewed your changes - here's some feedback:

  • Consider consolidating repeated transitive exclusions and version overrides into a dependencyManagement section to reduce duplication.
  • Align CXF module versions—cxf-rt-ws-security is still at 3.2.0 while transport is 3.3.0—to avoid incompatibilities.
  • Remove redundant exclusions for libraries now included directly (e.g., ESAPI, dom4j, Beanutils) to simplify your POM.
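The PR summary relies on Maven exclusions to keep Bouncy Castle, xalan/serializer and the old commons-beanutils off the classpath, and the review above flags the CXF 3.2.0/3.3.0 skew. What a reviewer would want after the merge is a repeatable check that those exclusions actually held and that no module family drifted. The following is an added example, not code from this PR or the project: a Python gate over the text output of `mvn dependency:tree -Dverbose`. The sample tree embedded in it is constructed to mirror the PR's dependency set, not captured from the project, and the root coordinate `org.example:coyote`, the `POLICY` table and the version numbers in the sample are assumptions.

```python
"""Added example (not the project's code): gate the output of
`mvn dependency:tree -Dverbose` on (a) artifacts that must not resolve and
(b) one groupId resolved at more than one version.
The sample tree is constructed; org.example:coyote and all versions are assumptions."""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, NamedTuple, Optional, Set, Tuple

# Constructed sample in the shape of `mvn dependency:tree -Dverbose` output.
# Entries in parentheses marked "omitted" are NOT on the classpath (nearest-wins lost).
SAMPLE_TREE = r"""
[INFO] org.example:coyote:war:1.0
[INFO] +- ca.uhn.hapi.fhir:hapi-fhir-structures-dstu3:jar:6.4.0:compile
[INFO] |  \- com.ibm.icu:icu4j:jar:72.1:compile
[INFO] +- org.apache.cxf:cxf-rt-transports-http:jar:3.3.0:compile
[INFO] |  \- org.apache.cxf:cxf-core:jar:3.3.0:compile
[INFO] +- org.apache.cxf:cxf-rt-ws-security:jar:3.2.0:compile
[INFO] |  +- (org.apache.cxf:cxf-core:jar:3.2.0:compile - omitted for conflict with 3.3.0)
[INFO] |  \- org.bouncycastle:bcprov-jdk15on:jar:1.60:compile
[INFO] +- commons-digester:commons-digester:jar:2.1:compile
[INFO] |  \- (commons-beanutils:commons-beanutils:jar:1.9.3:compile - omitted for conflict with 1.11.0)
[INFO] +- commons-beanutils:commons-beanutils:jar:1.11.0:compile
[INFO] \- org.owasp.esapi:esapi:jar:2.6.2.0:compile
[INFO] BUILD SUCCESS
"""


class Node(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: Optional[str]   # None for the project root
    depth: int             # 0 = root, 1 = direct dependency, ...
    omitted: bool          # verbose "(... - omitted for ...)" entry, not on classpath


# "[INFO] " + tree drawing in 3-char groups + optional "(" + group:artifact:type[:classifier]:version:scope
LINE_RE = re.compile(r"^\[INFO\] ([|+\\ -]*)\(?([A-Za-z0-9_.-]+(?::[A-Za-z0-9_.-]+){3,5})")


def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree text into nodes; banner, separator and BUILD lines are skipped."""
    nodes: List[Node] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prefix, coord = m.groups()
        parts = coord.split(":")
        depth = len(prefix) // 3
        if depth == 0:                     # root: group:artifact:packaging:version
            version, scope = parts[3], None
        else:                              # group:artifact:type[:classifier]:version:scope
            version, scope = parts[-2], parts[-1]
        nodes.append(Node(parts[0], parts[1], version, scope, depth, "omitted for" in line))
    return nodes


def paths(nodes: List[Node]) -> Iterator[List[Node]]:
    """Yield the root-to-node path for every node, rebuilt from the depth column."""
    stack: List[Node] = []
    for n in nodes:
        stack = stack[:n.depth]
        stack.append(n)
        yield list(stack)


# artifactId -> the only version allowed to resolve (None: never allowed).
# Assumed policy mirroring the PR: beanutils pinned directly at 1.11.0, the rest excluded.
POLICY: Dict[str, Optional[str]] = {
    "commons-beanutils": "1.11.0",
    "xalan": None,
    "serializer": None,
    "bcprov-jdk15on": None,
}


def violations(nodes: List[Node], policy: Dict[str, Optional[str]]) -> List[Tuple[str, str, str]]:
    """(artifact, version, path) for policy artifacts that actually resolve onto the classpath."""
    out: List[Tuple[str, str, str]] = []
    for path in paths(nodes):
        n = path[-1]
        if n.omitted or n.artifact not in policy:
            continue
        allowed = policy[n.artifact]
        if allowed is None or n.version != allowed:
            out.append((n.artifact, n.version, " -> ".join(p.artifact for p in path)))
    return out


def version_skew(nodes: List[Node], group: str) -> Dict[str, Set[str]]:
    """version -> artifacts when one groupId resolves at several versions; {} when aligned."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for n in nodes:
        if n.group == group and not n.omitted:
            seen[n.version].add(n.artifact)
    return dict(seen) if len(seen) > 1 else {}


def report(text: str, policy: Dict[str, Optional[str]] = POLICY, group: str = "org.apache.cxf"):
    nodes = parse_tree(text)
    return violations(nodes, policy), version_skew(nodes, group)


if __name__ == "__main__":
    import sys
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    bad, skew = report(text)
    for artifact, version, path in bad:
        print(f"BANNED {artifact}:{version} via {path}")
    for version, artifacts in sorted(skew.items()):
        print(f"SKEW org.apache.cxf {version}: {', '.join(sorted(artifacts))}")
    sys.exit(1 if bad or skew else 0)
```

On the constructed tree the gate reports bcprov-jdk15on 1.60 still reaching the classpath through cxf-rt-ws-security (the exclusion the PR added for CXF is what would make that line disappear) and the 3.2.0/3.3.0 split inside org.apache.cxf; the omitted 1.9.3 beanutils is correctly ignored because the direct 1.11.0 pin wins. Piping a real tree in (`mvn dependency:tree -Dverbose | python check_tree.py`, script name assumed) works the same way; without `-Dverbose` the omitted entries simply never appear, so only actually resolved artifacts are judged.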

- Added commons-httpclient and jersey-client dependencies since these are not included in axis2 1.8.0
- Modified some relevant classes to make them fully compatible
<groupId>com.fasterxml.woodstox</groupId>
<artifactId>woodstox-core</artifactId>
</exclusion>
<exclusion>


can you explain this? we are excluding cxf?


Overall we need more documentation; it helps reviewers and further people working on the code.

Author


@yingbull, these are the libraries that triggered the security issues, but they are not being used. Excluding them won't impact cxf's functionality in our project; I will add some comments.

Author


@yingbull added comments.

@yingbull yingbull self-requested a review July 16, 2025 17:14
yingbull
yingbull previously approved these changes Jul 16, 2025
@yingbull yingbull marked this pull request as draft July 16, 2025 17:18
@yingbull yingbull marked this pull request as ready for review July 17, 2025 18:54
@yingbull

@kateyang1998 could you resolve the conflicts and test this is still good and working when merged in with current coyote, and I will finish the review? Change it from draft to ready to review when that is the case.

@yingbull yingbull marked this pull request as draft July 17, 2025 18:55
@socket-security

socket-security bot commented Jul 17, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn High
com.ibm.icu/icu4j@72.1 has Obfuscated code.

Confidence: 0.90

Location: Package overview

From: pom.xml -> maven/ca.uhn.hapi.fhir/hapi-fhir-structures-dstu3@6.4.0 -> maven/com.ibm.icu/icu4j@72.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/com.ibm.icu/icu4j@72.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@kateyang1998
Author

@kateyang1998 could you resolve the conflicts and test this is still good and working when merged in with current coyote, and I will finish the review? Change it from draft to ready to review when that is the case.

There are 46 compilation errors after merging with coyote, resolving now.

@kateyang1998
Author

@yingbull all good now.

kateyang1998 and others added 3 commits July 18, 2025 14:57
- Replaced net.sf.json with jackson-databind in CaseloadContent2Action
- Updated StringEscapeUtils usage

Co-Authored-By: aider (deepseek/deepseek-chat) <aider@aider.chat>
@kateyang1998
Author

@yingbull there are some errors after resolving the conflict, I'm looking into them now.

@kateyang1998 kateyang1998 marked this pull request as ready for review August 12, 2025 17:44

@sourcery-ai sourcery-ai bot left a comment


Sorry @kateyang1998, you have reached your 24-hour rate limit for Sourcery. Please try again later

@socket-security

socket-security bot commented Aug 28, 2025

@yingbull

Thanks for the work on this! It is generating JSP errors on compile though.

@LiamStanziani can you review this when you start back, and see what we've learned here we can apply to a new branch/pr against Dogfish?

@yingbull yingbull self-requested a review August 29, 2025 21:45

@yingbull yingbull left a comment


many compile errors on jsps.

@LiamStanziani
Collaborator

PR is fully passing now (fixed up remaining jsp compilation errors, CodeQL, and test failures). I would like to test this to ensure nothing is breaking with these changes.

@yingbull would you like me to still move the changes over to a develop/dogfish branch? or would you like this to be merged into develop/coyote and then moved over through a merge?

@yingbull

yingbull commented Sep 1, 2025

if this is targeting coyote, confirm it is working well and we can merge to coyote.

If you can cleanly enough merge to dogfish, I am okay with it - depending on what files are touched that may be fine, or ugly.

In general, my approach from here on would be to PR just to dogfish.

@LiamStanziani LiamStanziani linked an issue Sep 1, 2025 that may be closed by this pull request
@LiamStanziani
Collaborator

I think the PR is working well, although after further review I think the merge to dogfish will be quite ugly. I am going to create a branch off dogfish and move it over as you said before.

@LiamStanziani
Collaborator

Closing this PR since it has been moved and merged to a branch based off of develop/dogfish, merging this would probably cause issues as well.

PR: #494

@yingbull yingbull deleted the issue-322 branch January 8, 2026 19:24
4 participants