Dependency bumps #1144
Codecov Report

| | master | #1144 | +/- |
|---|---|---|---|
| Coverage | 80% | 80% | |
| Complexity | 3410 | 3429 | +19 |
| Files | 135 | 135 | |
| Lines | 22769 | 22786 | +17 |
| Branches | 3090 | 3091 | +1 |
| Hits | 18225 | 18245 | +20 |
| Misses | 3578 | 3588 | +10 |
| Partials | 966 | 953 | -13 |
Some tests are broken, but this commit does a few things:

* Bumps most dependencies
* Removes Spring as it was only used for RestClient
* Uses OkHttp since it was already a transitive dependency

Remaining issues are related to URL validation for value set expansion. Previous versions of the library were ok with things like `http://snomed.info/sct?fhir_vs=ecl/<<2491000087104`. Not so much anymore.
Fixed some of the cases where invalid characters for URLs are being used in value set expansion URLs
855e661 to b09baa6
ObjectMapper objectMapper = new ObjectMapper(); | ||
valueSet = objectMapper.readValue(response.getBody(), | ||
valueSet = objectMapper.readValue(response.body().byteStream(), |
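Review bot: the new line dereferences `response.body()`, which OkHttp declares nullable, and the three lines shown do not close the `Response`, so a failed parse can leak the connection. Wrap the OkHttp call in a try-with-resources on the `Response`, check `response.isSuccessful()` before parsing (a 4xx/5xx body parsed as a ValueSet gives a confusing Jackson error instead of an HTTP one), and guard the body, along the lines of `ResponseBody body = response.body(); if (body == null) throw new IOException("empty response body");` before calling `objectMapper.readValue(body.byteStream(), ...)` (names of the surrounding call and target class assumed, since they are outside the shown lines).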
NULL_DEREFERENCE: object returned by response.body()
could be null and is dereferenced at line 79.
implementation 'org.yaml:snakeyaml:1.27' | ||
implementation 'org.apache.commons:commons-csv:1.9.0' | ||
implementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-csv:2.13.4' | ||
implementation 'org.yaml:snakeyaml:1.32' |
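Review bot: `org.yaml:snakeyaml:1.32` is still flagged by the Lift scan on this PR with a medium finding, so this bump does not fully meet the PR's stated goal of clearing vulnerable dependencies. Either move to a release the scanner clears, or record in the PR description why the finding does not apply here (for instance, if SnakeYAML only ever loads YAML shipped inside the project rather than user-supplied files) so the next dependency bump does not have to rediscover the reasoning.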
Medium Vulnerability:
pkg:maven/org.yaml/snakeyaml@1.32
0 Critical, 0 High, 1 Medium, 0 Low, 0 None vulnerabilities have been found across 1 dependencies
// google guava for some data structures | ||
implementation 'com.google.guava:guava:30.0-jre' | ||
implementation 'com.google.guava:guava:31.1-jre' |
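Review bot: `com.google.guava:guava:31.1-jre` also carries a medium finding from the same scan, so it should be handled the same way as the snakeyaml bump in this PR: name the remaining advisory in the description and state whether the affected API is reachable from Synthea, or suppress it with an `@sonatype-lift ignore` reply that includes that justification so the suppression stays auditable.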
Medium Vulnerability:
pkg:maven/com.google.guava/guava@31.1-jre
0 Critical, 0 High, 1 Medium, 0 Low, 0 None vulnerabilities have been found across 1 dependencies
This PR bumps dependencies to eliminate some transitive dependencies on libraries with known vulnerabilities. It also eliminates the dependency on the Spring Framework (!) which was being used solely for its HTTP client. That has now been replaced by OkHttp, which was already a transitive dependency.
An update to the library that is used for URL validation started flagging URLs being constructed for value set expansions. This was fixed by URI encoding some of the characters in the URL, but this should be checked more closely.
This PR bumps the minimum version of Java required to run Synthea to Java 11. This is required to use hapi 6.x.
There are still known issues that will require deeper code changes to fix:

* `cql-engine` and `cql-to-elm` both have vulnerabilities, but the underlying use of CQL will need to be changed to deal with changes in the environment. Perhaps more difficult is that this functionality relies on `jsmbl`, which has a critical vulnerability in its most recently released version.
* `graphviz-java` needs to be updated, but API changes break existing code.
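A worked example of the encoding fix the description refers to, added here and not part of this PR or Synthea's code: it assumes a placeholder terminology server base URL and the `url` parameter of the FHIR `$expand` operation, and uses the OkHttp `HttpUrl` builder (the client this PR introduces) so characters such as `<` and `=` in the value set identifier are percent-encoded instead of landing raw in the query string.

```java
import okhttp3.HttpUrl;

/**
 * Builds a FHIR ValueSet $expand request URL where the value set identifier
 * is itself a URL containing characters ('<', '=', '?') that strict URL
 * validation rejects when they appear unencoded inside a query string.
 * Example code, not Synthea's own; the base URL is a placeholder.
 */
public final class ExpansionUrl {

  /** Constructed sample input: the ECL implicit value set quoted in the commit message. */
  static final String SNOMED_ECL_VALUESET =
      "http://snomed.info/sct?fhir_vs=ecl/<<2491000087104";

  /** Plain concatenation leaves '<', '=' and '?' raw in the query; validators flag this. */
  static String naive(String base, String valueSetUrl) {
    return base + "/ValueSet/$expand?url=" + valueSetUrl;
  }

  /** The builder percent-encodes the query value, so the result stays well-formed. */
  static HttpUrl encoded(String base, String valueSetUrl) {
    // HttpUrl.get throws IllegalArgumentException if the base itself is malformed.
    HttpUrl baseUrl = HttpUrl.get(base);
    return baseUrl.newBuilder()
        .addPathSegment("ValueSet")
        .addPathSegment("$expand")          // '$' is legal in a path segment
        .addQueryParameter("url", valueSetUrl) // '<' -> %3C, '=' -> %3D, etc.
        .build();
  }

  public static void main(String[] args) {
    String base = "https://tx.example.org/fhir"; // placeholder terminology server
    System.out.println("naive:   " + naive(base, SNOMED_ECL_VALUESET));

    HttpUrl url = encoded(base, SNOMED_ECL_VALUESET);
    System.out.println("encoded: " + url);

    // Round trip: queryParameter() decodes, so the server sees the original identifier.
    String roundTripped = url.queryParameter("url");
    if (!SNOMED_ECL_VALUESET.equals(roundTripped)) {
      throw new IllegalStateException("encoding changed the value set identifier");
    }
  }
}
```

The same builder can be used for other expansion parameters (`filter`, `count`) so that every caller-supplied value goes through one encoding path rather than ad hoc string replacement.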