Outdated, vulnerable dependencies in OpenMRS

Hi there!

For quite some time I have wanted to go through all openmrs-core dependencies and update them, as a lot of them are outdated/vulnerable. I have now visualized our dependencies and their state in the openmrs-core readme using http://versioneye.com/ and a badge that leads you to a dashboard.

Seeing this more clearly might help in finding volunteers to step up and update some of them.

I created the OpenMRS organization on versioneye.com. We are using the free plan, which allows us to add 4 public repositories. I asked their support if there is a way to get more repositories if the repos are open source and coming from a non-profit. Will get back to you once I have an answer.

If anyone has some more ideas on how we could improve our dependency management, please tell us, or if you just want to team up with me on updating some dependencies, just say so :sun_with_face: There are already a few tickets on Jira about updating some dependencies, so you can also look for them there.

6 Likes

@teleivo, this is awesome!!! :smile:

@teleivo, this is timely. I’ve actually come across and had several blockers on some tickets due to outdated dependencies, and created tickets out of them… But that causes a really perpetual chain of problems also…

Am willing to help out, just do the curation

1 Like

Pretty cool, thanks @teleivo!

This is great @teleivo!

Could upgrading Spring be part of this effort?

@mksd just out of curiosity, do you have any specific features that you are anxiously looking for in a Spring upgrade?

1 Like

I have a ticket for upgrading to the latest 4.3.x

  • I think we should investigate all dependencies. Can they be removed since Java 8 has added some features (like Base64 encoding, which we did using xerces), or because we moved the UI into its legacy module, some things might still be floating around which we don’t need.
1 Like

For instance, look at this new context-sensitive unit test in Idgen WS: IdgenIdentifierTypeResourceTest.

I am testing a JSON almost-REST resource. However because this is not a proper REST resource as in REST WS (=it does not extend DataDelegatingCrudResource<?>), I could not directly leverage the test framework shipped with REST WS and I had to do this:

// Setup
MockHttpServletRequest request = new MockHttpServletRequest("GET", ...);
Object handler = handlerMapping.getHandler(request).getHandler();
MockHttpServletResponse response = new MockHttpServletResponse();

// Replay
handlerAdapter.handle(request, response, handler);

Which is fine except that I needed Spring’s AnnotationMethodHandlerAdapter and DefaultAnnotationHandlerMapping that are both being deprecated in Spring 3.0.x.

Cc @sdeepak


See also ‘How to unit test a Spring MVC annotated controller?’