Updated and removed some dependencies for security purpose (develop/dogfish version)

[LiamStanziani]

This is Kate Yang's PR (#324) but moved to branch off develop/dogfish initially, I have resolved a bunch of conflicts in these changes since develop/coyote and develop/dogfish are pretty different overall.

Summary by Sourcery

Upgrade project dependencies to resolve security vulnerabilities and refactor HTTP and XML handling to modern, secure libraries.

New Features:

• Add file path validation to enforce allowed directories and prevent directory traversal in file-based operations
• Implement secure XML parsing with XXE protection in multiple XML handlers
• Migrate JSP pages to use Apache HttpClient 4.x API and JDOM2

Bug Fixes:

• Exclude or upgrade vulnerable transitive dependencies such as commons-beanutils, ant, netty, jettison, and xalan to address known CVEs
• Resolve security warnings by bumping commons-fileupload, commons-codec, commons-lang3, xmlsec and other libraries

Enhancements:

• Refactor TeleplanAPI and HTTP communication classes to use CloseableHttpClient, HttpClientContext, and RequestConfig
• Replace json-lib and JSONObject usage with Jackson ObjectMapper for JSON serialization
• Sanitize session attribute handling and remove legacy or commented code in CaseManagementEntry2Action
• Migrate OLISProtocolSocketFactory to use Apache HttpClient SSLConnectionSocketFactory

Build:

• Bump HAPI FHIR from 5.4.0 to 6.4.0 and Apache CXF from 3.5.10 to 3.5.11
• Add and manage numerous security-recommended dependencies and exclusions in pom.xml

Tests:

• Add a @before hook to restore database state in IndicatorTemplateXMLTest

Summary by Sourcery

Upgrade dependencies and harden the codebase against security vulnerabilities by bumping and excluding vulnerable libraries, refactoring HTTP and XML handling to modern, secure APIs, and adding runtime checks for file access and JSON/XML processing.

New Features:

• Add file path validation to enforce allowed directories and prevent directory traversal in file-based operations
• Implement secure XML parsing with XXE protection across XML handlers

Bug Fixes:

• Resolve known CVEs by excluding or upgrading vulnerable dependencies such as commons-beanutils, ant, netty, jettison, xalan, and others
• Bump core libraries (commons-fileupload, commons-codec, commons-lang3, xmlsec, HAPI FHIR, Apache CXF) to address security warnings

Enhancements:

• Refactor HTTP interaction classes (TeleplanAPI, HTTP, OntarioMD) to use Apache HttpClient 4.x, RequestConfig, HttpClientContext, and CloseableHttpClient
• Migrate JSON serialization from json-lib to Jackson ObjectMapper and JSP pages to use Apache HttpClient and JDOM2
• Update OLISProtocolSocketFactory to extend SSLConnectionSocketFactory with TLSv1.2 support

Tests:

• Add a @before hook in IndicatorTemplateXMLTest to restore database state

Chores:

• Sanitize session attribute handling and remove legacy or commented code in CaseManagementEntry2Action

[sourcery-ai]

Reviewer's Guide

This PR systematically upgrades and secures project dependencies, refactors HTTP and XML handling to modern, safer libraries, adds directory-traversal protections on file operations, migrates JSON processing to Jackson, and sanitizes session attribute handling in key web actions.

Sequence diagram for secure file validation in TeleplanResponse and TeleplanCodesManager

sequenceDiagram
    participant TeleplanResponse
    participant OscarProperties
    participant File
    participant Security
    TeleplanResponse->>OscarProperties: get DOCUMENT_DIR
    TeleplanResponse->>File: get file path
    TeleplanResponse->>Security: validate file exists and is within allowed directory
    Security-->>TeleplanResponse: throw exception if invalid
    TeleplanResponse->>File: proceed with file operation if valid

Loading

Sequence diagram for secure XML parsing in OntarioMD and PathNet::Connection

sequenceDiagram
    participant OntarioMD
    participant SAXBuilder
    participant Security
    OntarioMD->>SAXBuilder: create SAXBuilder
    OntarioMD->>SAXBuilder: set XXE protection features
    OntarioMD->>SAXBuilder: parse XML InputStream
    Security-->>OntarioMD: prevent XXE attacks

Loading

Sequence diagram for session attribute sanitization in CaseManagementEntry2Action

sequenceDiagram
    actor User
    participant CaseManagementEntry2Action
    participant HttpSession
    User->>CaseManagementEntry2Action: submit form with session attributes
    CaseManagementEntry2Action->>HttpSession: check for null/empty values
    CaseManagementEntry2Action->>HttpSession: set or remove attributes based on validation
    HttpSession-->>CaseManagementEntry2Action: attributes updated

Loading

Class diagram for refactored TeleplanAPI and related classes

classDiagram
    class TeleplanAPI {
        - CloseableHttpClient httpclient
        - HttpClientContext httpContext
        + changePassword(username, password, newPassword, confirmPassword)
        + login(username, password)
        + logoff()
        + getLog(logname, logtype)
        + getLogList()
        + getRemittance(includeRemittance)
        + getAsciiFile(filetype)
        + getAsciiFileMF(filetype)
        + putAsciiFile(File f)
        + putMSPFile(File f)
        + checkElig(phn, dateofbirthyyyy, dateofbirthmm, dateofbirthdd, dateofserviceyyyy, dateofservicemm, dateofservicedd, patientvisitcharge, lasteyeexam, patientrestriction)
    }
    class TeleplanResponse {
        + processResponseStream(InputStream in)
        + getFile()
        + getRealFilename()
    }
    class TeleplanResponseDAO {
        + save(TeleplanResponse tr)
    }
    TeleplanAPI --> TeleplanResponse
    TeleplanAPI --> TeleplanResponseDAO
    TeleplanResponse --> File
    TeleplanResponseDAO --> TeleplanResponse

Loading

Class diagram for updated HTTP and OLISProtocolSocketFactory classes

classDiagram
    class HTTP {
        - String url
        + Get(queryString)
        + GetString(queryString)
    }
    class OLISProtocolSocketFactory {
        + OLISProtocolSocketFactory()
        + createSocket(host, port, localAddress, localPort, timeout)
    }
    OLISProtocolSocketFactory --|> SSLConnectionSocketFactory

Loading

Class diagram for updated OntarioMD class (secure XML parsing)

classDiagram
    class OntarioMD {
        + loginToOntarioMD(username, password, incomingRequestor)
        - parseReturn(InputStream is)
    }

Loading

Class diagram for updated Demographic2Action (Jackson migration)

classDiagram
    class Demographic2Action {
        + getAddressAndPhoneHistoryAsJson()
        + checkForDuplicates()
    }

Loading

Class diagram for updated CaseManagementEntry2Action (session attribute sanitization)

classDiagram
    class CaseManagementEntry2Action {
        + edit()
        + issueNoteSaveJson()
        + issueNoteSave()
        + save()
        + ajaxsave()
        + releaseNoteLock()
        + addNewIssue()
        + issueList()
        + issueSearch()
        + makeIssue()
        + issueAdd()
        + changeDiagnosis()
        + submitChangeDiagnosis()
        + ajaxChangeDiagnosis()
        + issueDelete()
        + issueChange()
        + displayNotes()
        + doDisplayNotes()
        + print()
        + getUnlockedNotesMap()
        + insertReason()
        + convertDateFmt()
        + haveIssue(Long issid, List allNotes)
        + ticklerSaveNote()
    }

Loading

File-Level Changes

Change	Details	Files
Upgrade dependencies and apply security exclusions	Bump HAPI FHIR to 6.4.0 and CXF to 3.5.11 Add and update numerous commons, HTTPClient, JDOM2, Jackson, and OWASP ESAPI versions Exclude or override vulnerable transitive dependencies (commons-beanutils, ant, netty, jettison, xalan) Manage dependency versions and exclusions in pom.xml	pom.xml dependencies-lock.json
Refactor HTTP communication to use CloseableHttpClient and RequestConfig	Replace legacy HttpClient/PostMethod in TeleplanAPI with CloseableHttpClient, HttpClientContext, RequestConfig Refactor HTTP.java and OntarioMD HTTP calls to use HttpClients and HttpGet/HttpPost Update JSP tripsearch to use Apache HttpClient 4.x and EntityUtils Migrate OLISProtocolSocketFactory to SSLConnectionSocketFactory	src/main/java/ca/openosp/openo/billings/ca/bc/Teleplan/TeleplanAPI.java src/main/java/ca/openosp/openo/lab/ca/bc/PathNet/Communication/HTTP.java src/main/java/ca/openosp/openo/utility/OntarioMD.java src/main/java/ca/openosp/openo/olis/OLISProtocolSocketFactory.java src/main/webapp/casemgmt/tripsearch.jsp
Enable secure XML parsing with XXE protection	Configure SAXBuilder and DocumentBuilderFactory to disable external entities and DTDs Protect OntarioMD.parseReturn and PathNet Connection.CreateDocument against XXE Switch to JDOM2 for secure XML parsing in JSPs	src/main/java/ca/openosp/openo/utility/OntarioMD.java src/main/java/ca/openosp/openo/lab/ca/bc/PathNet/Connection.java src/main/webapp/casemgmt/tripsearch.jsp
Add file path validation to prevent directory traversal	Validate file existence and ensure paths start with configured DOCUMENT_DIR Apply checks in ManageTeleplan2Action, TeleplanResponse, TeleplanCodesManager Throw IllegalArgumentException or SecurityException on invalid access	src/main/java/ca/openosp/openo/billings/ca/bc/pageUtil/ManageTeleplan2Action.java src/main/java/ca/openosp/openo/billings/ca/bc/Teleplan/TeleplanResponse.java src/main/java/ca/openosp/openo/billings/ca/bc/Teleplan/TeleplanCodesManager.java
Migrate JSON handling from json-lib to Jackson	Replace JSONArray/JSONObject usage with Jackson ObjectMapper in web actions Set response content type and encoding for JSON output Remove json-lib dependency in favor of faster JSON serialization	src/main/java/ca/openosp/openo/commn/web/Demographic2Action.java
Sanitize session attribute handling and clean up legacy code	Guard setting and removal of session attributes (note_sort, filter_roles, filter_providers, issues) Remove commented-out and unused code blocks in CaseManagementEntry2Action Clean up logger/debug statements and streamline control flow	src/main/java/ca/openosp/openo/casemgmt/web/CaseManagementEntry2Action.java

Possibly linked issues

• Added DownloadInIterceptor import to the classes #1: The PR updates numerous dependencies and refactors code for security, directly addressing the issue's goal of dependency cleanup and security.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	maven/​org.apache.ant/​ant@​1.10.15
	maven/​commons-net/​commons-net@​3.6 ⏵ 3.11.1		+2
	maven/​io.github.bonigarcia/​webdrivermanager@​3.8.1 ⏵ 6.1.0		+75
	maven/​org.apache.cxf/​cxf-core@​3.5.10 ⏵ 3.5.11		+2
	maven/​org.apache.cxf/​cxf-rt-rs-client@​3.5.10 ⏵ 3.5.11
	maven/​commons-beanutils/​commons-beanutils@​1.7.0 ⏵ 1.11.0		+22
	maven/​org.owasp.esapi/​esapi@​2.5.2.0 ⏵ 2.6.2.0		+2
	maven/​org.apache.commons/​commons-lang3@​3.17.0 ⏵ 3.18.0		+2
	maven/​org.apache.cxf/​cxf-rt-frontend-jaxws@​3.5.10 ⏵ 3.5.11
	maven/​org.apache.cxf/​cxf-rt-rs-extension-providers@​3.5.10 ⏵ 3.5.11
	maven/​ca.uhn.hapi.fhir/​hapi-fhir-structures-dstu2@​5.4.0 ⏵ 6.4.0	-61		-11
	maven/​org.jdom/​jdom2@​2.0.6.1
	maven/​org.dom4j/​dom4j@​2.1.4
	maven/​org.glassfish.jersey.core/​jersey-client@​2.39.1
	maven/​org.apache.cxf/​cxf-rt-transports-http@​3.5.10 ⏵ 3.5.11
	maven/​ca.uhn.hapi.fhir/​hapi-fhir-base@​5.4.0 ⏵ 6.4.0	+3		+1	+1
	maven/​org.jetbrains/​annotations@​24.1.0
	maven/​javax.servlet.jsp/​javax.servlet.jsp-api@​2.3.3
	maven/​org.apache.axis2/​axis2@​1.5.4 ⏵ 1.8.0	+74	+4			+20
	maven/​commons-fileupload/​commons-fileupload@​1.5 ⏵ 1.6.0		+16
	maven/​org.apache.cxf/​apache-cxf@​3.5.10 ⏵ 3.5.11
	maven/​ca.uhn.hapi.fhir/​hapi-fhir-structures-dstu3@​5.4.0 ⏵ 6.4.0	-5		-11
	maven/​org.apache.axis2/​axis2-transport-http@​1.5.4 ⏵ 1.8.0
	maven/​org.apache.axis2/​axis2-adb@​1.8.0

View full report

[LiamStanziani]

Should be ready to be reviewed, I am going to look into more testing of this branch and comparing it to develop/dogfish to ensure that no new errors are added in with this, if I find errors that are already in the base branch and aren't noted down, I will add them to this ticket for now: #477

[sourcery-ai]

Hey there - I've reviewed your changes and found some issues that need to be addressed.

Blocking issues:

• Use of StringEscapeUtils.escapeSql does not prevent SQL injection. (link)

General comments:

• I see repeated file‐path validation code in multiple classes—consider extracting that into a shared utility method to reduce duplication and simplify maintenance.
• In TeleplanAPI (and other HTTP helpers) you create a new default HttpClient per request and ignore the configured httpContext/cookieStore—refactor to reuse the same CloseableHttpClient and context so cookie/session settings and timeouts are consistently applied.
• The secure XML parser settings (disabling external entities, DTDs, etc.) are duplicated across handlers—extract a common factory or builder helper to centralize XXE protection configuration.

Prompt for AI Agents

Please address the comments from this code review:
## Overall Comments
- I see repeated file‐path validation code in multiple classes—consider extracting that into a shared utility method to reduce duplication and simplify maintenance.
- In TeleplanAPI (and other HTTP helpers) you create a new default HttpClient per request and ignore the configured httpContext/cookieStore—refactor to reuse the same CloseableHttpClient and context so cookie/session settings and timeouts are consistently applied.
- The secure XML parser settings (disabling external entities, DTDs, etc.) are duplicated across handlers—extract a common factory or builder helper to centralize XXE protection configuration.

## Individual Comments

### Comment 1
<location> `src/main/java/ca/openosp/openo/billings/ca/bc/Teleplan/TeleplanAPI.java:120` </location>
<code_context>
-            PostMethod post = new PostMethod(url);
-            post.setRequestBody(data);
-            httpclient.executeMethod(post);
+        try (CloseableHttpClient httpclient = HttpClients.createDefault()) {
+            HttpPost post = new HttpPost(url);
+            post.setEntity(new UrlEncodedFormEntity(data, "UTF-8"));

-            InputStream in = post.getResponseBodyAsStream();
-            log.debug("INPUT STREAM " + in + "\n");
+            try (CloseableHttpResponse response = httpclient.execute(post)) {
+                InputStream in = response.getEntity().getContent();

</code_context>

<issue_to_address>
Re-instantiating CloseableHttpClient in processRequest may break cookie/session handling.

Using a new CloseableHttpClient for each request prevents reuse of cookies and session state, which may disrupt authentication or session continuity. Please use the shared httpclient and httpContext fields from getClient() to maintain session consistency.
</issue_to_address>

### Comment 2
<location> `src/main/java/ca/openosp/openo/billings/ca/bc/Teleplan/TeleplanAPI.java:139` </location>
<code_context>
+    private TeleplanResponse processRequest(String url, Map<String, Object> parts) {
</code_context>

<issue_to_address>
Multipart handling in processRequest does not support all possible value types.

Currently, only File and String are processed; other types are ignored. Please validate input types or handle unsupported types explicitly to prevent silent failures.
</issue_to_address>

### Comment 3
<location> `src/main/java/ca/openosp/openo/lab/ca/bc/PathNet/Communication/HTTP.java:58` </location>
<code_context>
-        InputStream response = method.getResponseBodyAsStream();
-        method.releaseConnection();
-        return response;
+    public InputStream Get(String queryString) throws IOException {
+        try (CloseableHttpClient client = HttpClients.createDefault()) {
+            URIBuilder uriBuilder = new URIBuilder(url);
+            uriBuilder.setCustomQuery(queryString);
+            HttpGet get = new HttpGet(uriBuilder.build());
+
+            CloseableHttpResponse response = client.execute(get);
+            HttpEntity entity = response.getEntity();
+
+            logger.error("Status code: " + response.getStatusLine().getStatusCode());
+
+            if (entity != null) {
+                return entity.getContent(); // caller must close this InputStream
+            } else {
</code_context>

<issue_to_address>
Returned InputStream from HttpClient must be closed by caller.

This design may cause resource leaks if callers forget to close the InputStream. Please either document this requirement clearly or refactor to ensure resources are released automatically.
</issue_to_address>

### Comment 4
<location> `src/main/java/ca/openosp/openo/utility/OntarioMD.java:101` </location>
<code_context>
     private Hashtable parseReturn(InputStream is) {
         Hashtable h = null;
         try {
+            // Create secure SAXBuilder with XXE protection
+            SAXBuilder parser = new SAXBuilder();

+            // Disable external entity processing to prevent XXE attacks
+            parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            parser.setExpandEntities(false);

-            SAXBuilder parser = new SAXBuilder();
</code_context>

<issue_to_address>
SAXBuilder feature flags may not be supported by all XML parser implementations.

To prevent runtime errors, handle cases where these features are unsupported by catching ParserConfigurationException or verifying feature support before setting them.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
            // Disable external entity processing to prevent XXE attacks
            parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
            parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            parser.setExpandEntities(false);
=======
            // Disable external entity processing to prevent XXE attacks
            try {
                parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            } catch (Exception ex) {
                MiscUtils.getLogger().warn("Could not set feature disallow-doctype-decl: " + ex.getMessage());
            }
            try {
                parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
            } catch (Exception ex) {
                MiscUtils.getLogger().warn("Could not set feature external-general-entities: " + ex.getMessage());
            }
            try {
                parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            } catch (Exception ex) {
                MiscUtils.getLogger().warn("Could not set feature external-parameter-entities: " + ex.getMessage());
            }
            try {
                parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            } catch (Exception ex) {
                MiscUtils.getLogger().warn("Could not set feature load-external-dtd: " + ex.getMessage());
            }
            try {
                parser.setExpandEntities(false);
            } catch (Exception ex) {
                MiscUtils.getLogger().warn("Could not set expandEntities: " + ex.getMessage());
            }
>>>>>>> REPLACE

</suggested_fix>

### Comment 5
<location> `src/main/java/ca/openosp/openo/commn/web/Demographic2Action.java:274` </location>
<code_context>
+        result.put("hasDuplicates", !duplicateList.isEmpty());

-        JSONUtil.jsonResponse(response, JSONObject.fromObject(result));
+        response.setContentType("application/json");
+        response.setCharacterEncoding("UTF-8");
+        try {
+            new ObjectMapper().writeValue(response.getWriter(), result);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }

         return null;
</code_context>

<issue_to_address>
Exception handling in checkForDuplicates may leak stack traces to client.

Instead of printing the stack trace, log the error and return a generic error message to the client to prevent exposing internal details.
</issue_to_address>

### Comment 6
<location> `src/main/java/ca/openosp/openo/report/pageUtil/RptByExamplesFavorite2Action.java:79` </location>
<code_context>
+            String favoriteName = this.getFavoriteName();
+            String query = this.getQuery();
+
+            String queryWithEscapeChar = StringEscapeUtils.escapeSql(query);///queryWithEscapeChar);
+            MiscUtils.getLogger().debug("escapeSql: " + queryWithEscapeChar);
+            write2Database(providerNo, favoriteName, queryWithEscapeChar);
         }

</code_context>

<issue_to_address>
Use of StringEscapeUtils.escapeSql does not prevent SQL injection.

Use prepared statements or parameterized queries instead of escaping SQL to prevent injection vulnerabilities.
</issue_to_address>

### Comment 7
<location> `src/main/java/ca/openosp/openo/billings/ca/bc/pageUtil/ManageTeleplan2Action.java:164` </location>
<code_context>
 REM076 **                                                             **        
      */
     public List parse(File f) throws Exception {
+        // Validate that the file exists and is within allowed directory
+        if (!f.exists() || !f.isFile()) {
+            throw new IllegalArgumentException("Invalid file");
+        }
+        
+        // Define allowed directory (configure this based on your needs)
</code_context>

<issue_to_address>
File path validation logic may not handle symbolic links or case sensitivity.

Using startsWith on normalized paths may not reliably restrict access, especially with symlinks or on case-insensitive file systems. Consider Files.isSameFile or similar methods for robust validation.
</issue_to_address>

### Comment 8
<location> `src/main/java/ca/openosp/openo/billings/ca/bc/Teleplan/TeleplanResponse.java:91` </location>
<code_context>
                 File file2 = new File(directory + realFilename);
+
+                // Validate that the file exists and is within allowed directory
+                if (!file2.exists() || !file2.isFile()) {
+                    throw new IllegalArgumentException("Invalid file");
+                }
+                
+                // Define allowed directory (configure this based on your needs)
+                File allowedDir = new File(OscarProperties.getInstance().getProperty("DOCUMENT_DIR"));
+                
+                // Convert to Path and normalize
+                Path filePath = file2.toPath().normalize().toAbsolutePath();
+                Path allowedPath = allowedDir.toPath().normalize().toAbsolutePath();
+                
+                if (!filePath.startsWith(allowedPath)) {
+                    throw new SecurityException("File access not allowed outside designated directory");
+                }
</code_context>

<issue_to_address>
File existence check may fail if file is not yet created.

Since file2 is only created after the rename, checking its existence beforehand will always fail. Instead, validate the existence of the source file or adjust the logic order.
</issue_to_address>

### Comment 9
<location> `src/main/java/ca/openosp/openo/casemgmt/web/CaseManagementEntry2Action.java:490` </location>
<code_context>
-        session.setAttribute("filter_roles", request.getParameterValues("filter_roles"));
-        session.setAttribute("filter_provider", request.getParameterValues("filter_providers"));
-        session.setAttribute("issues", request.getParameterValues("issues"));
+        String noteSort = request.getParameter("note_sort");
+        if (noteSort != null) {
+            session.setAttribute("note_sort", noteSort);
</code_context>

<issue_to_address>
Consider extracting a helper method to handle session attribute setting and removal for null or empty values.

Consider extracting a small helper to collapse all of these null/empty checks. For example, in your Action (or a shared util) add:

```java
private void setOrRemove(HttpSession session, String key, String value) {
  if (value != null) {
    session.setAttribute(key, value);
  }
}

private void setOrRemove(HttpSession session, String key, String[] values) {
  if (values == null) {
    return;
  } else if (values.length > 0) {
    session.setAttribute(key, values);
  } else {
    session.removeAttribute(key);
  }
}
```

Then replace the verbose blocks with just:

```java
setOrRemove(session, "note_sort", request.getParameter("note_sort"));
setOrRemove(session, "filter_roles", request.getParameterValues("filter_roles"));
setOrRemove(session, "filter_provider", request.getParameterValues("filter_providers"));
setOrRemove(session, "issues", request.getParameterValues("issues"));
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[LiamStanziani]

Looks like I missed the sourcery PR review, I will review these changes first thing in the mourning

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		maven/com.ibm.icu/icu4j@72.1 has Obfuscated code. Confidence: 0.90 Location: Package overview From: pom.xml → maven/ca.uhn.hapi.fhir/hapi-fhir-structures-dstu3@6.4.0 → maven/com.ibm.icu/icu4j@72.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/com.ibm.icu/icu4j@72.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report