Closed vivekmittal07 closed 1 month ago
Just to add some context here: Besides dealing with the usual dependabot alerts/PRs for version upgrades, another motivation for the Spring version upgrade is this security vulnerability, CVE-2016-1000027. I have not investigated the details, but if switching to Spring 6+ is a major issue (e.g., for our usage of HAPI) then we may want to look at the details of the vulnerability and decide whether to do the upgrade or not.
BTW, @vivekmittal07 the issues that you are facing with HAPI might be due to the javax to jakarta namespace migration as described here.
Thanks Bashir!
Issue after upgrading the dependency: none of the servlets seem to be loading. For any FHIR endpoint the server throws a Not Found exception.
@bashir2 As you mentioned, the issue is due to the migration to the jakarta namespace. There is an open issue on the HAPI Fhir server for this - https://github.com/hapifhir/hapi-fhir/issues/2082 There is significant interest in the community and they should update the timelines soon - https://github.com/hapifhir/hapi-fhir/issues/2082#issuecomment-1487522382
Until this is fixed I think we can't upgrade the Spring version. I will look at the vulnerability and see if this impacts us and what the mitigation steps are.
This vulnerability was found in the Spring Remoting technologies - https://github.com/spring-projects/spring-framework/issues/25379 https://docs.spring.io/spring-framework/docs/3.2.0.M2/reference/html/remoting.html
They seem to have deprecated the following packages - https://github.com/spring-projects/spring-framework/issues/25379#issuecomment-656237016
HAPI should not be using any of these remoting technologies, as it just provides a framework to create a FHIR server. To confirm, I downloaded the HAPI source code and ran the following to look for any import dependency on the impacted libraries -
grep "org.springframework.remoting" -R .
grep "org.springframework.jms.remoting" -R .
There were no references in the source code. Search for "phasing out serialization-based remoting" in https://docs.spring.io/spring-framework/docs/5.3.15/javadoc-api/deprecated-list.html. This shows the list of impacted packages. The above search looks for dependencies on these packages.
I think it is safe to say that the vulnerability doesn't affect us. @bashir2 PTAL and let me know what you think.
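The check in the comment above (grepping a dependency's source for the deprecated Spring remoting packages) can be made repeatable so it runs in CI rather than by hand. The script below is an added example, not code from the fhir-gateway or HAPI projects. It only matches real Java `import` statements, so a package name mentioned in a comment or string does not produce a false positive, and it builds a small constructed sample tree (one clean class, one that imports an `org.springframework.remoting` class) to show both outcomes. The function names and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the fhir-gateway or HAPI code): scan a Java source
# tree for imports of the Spring remoting packages deprecated alongside
# CVE-2016-1000027, the same two prefixes grepped for in the comment above.
DEPRECATED_PREFIXES='org\.springframework\.remoting org\.springframework\.jms\.remoting'

# count_remoting_imports <dir>: print the number of import lines in *.java
# files under <dir> that pull in one of the deprecated package prefixes.
count_remoting_imports() {
  dir=$1
  total=0
  for prefix in $DEPRECATED_PREFIXES; do
    # Anchor on "import [static] <prefix>." so comments and string literals
    # that merely mention the package name are not counted.
    n=$(grep -rE "^[[:space:]]*import[[:space:]]+(static[[:space:]]+)?${prefix}\." \
          --include='*.java' "$dir" | wc -l | tr -d ' ')
    total=$((total + n))
  done
  echo "$total"
}

# assert_no_remoting_imports <dir>: succeed (exit 0) only when the tree is
# clean; suitable as a CI gate after vendoring or updating a dependency.
assert_no_remoting_imports() {
  [ "$(count_remoting_imports "$1")" -eq 0 ]
}

# make_sample_tree: build a constructed sample tree (hypothetical files) with
# one clean class and one class that uses HTTP invoker remoting; prints its path.
make_sample_tree() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/src/clean" "$tmp/src/remoting"
  cat > "$tmp/src/clean/Resource.java" <<'EOF'
package clean;
import org.springframework.stereotype.Component;
// mentions org.springframework.remoting only in a comment; must not match
@Component
public class Resource {}
EOF
  cat > "$tmp/src/remoting/Client.java" <<'EOF'
package remoting;
import org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean;
public class Client {}
EOF
  echo "$tmp"
}

# Usage: sh check_remoting.sh /path/to/hapi-fhir && echo "no remoting imports"
if [ -n "${1:-}" ]; then
  if assert_no_remoting_imports "$1"; then
    echo "no deprecated remoting imports under $1"
  else
    echo "found $(count_remoting_imports "$1") deprecated remoting import(s) under $1" >&2
    exit 1
  fi
fi
```

Run against a checkout of the dependency in question; a non-zero exit means at least one source file imports a deprecated remoting package and the CVE-2016-1000027 reasoning above needs to be revisited for that code.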
We cannot migrate to the new Spring version unless HAPI does the migration - https://github.com/hapifhir/hapi-fhir/issues/2082 The vulnerability reported in Spring should not affect us, as explained in https://github.com/google/fhir-gateway/issues/155#issuecomment-1523034597.
We will not do the migration to the new Spring version.
Reopening this issue to revisit once HAPI does the same upgrade (details).
Now that hapifhir/hapi-fhir#2082 is fixed and HAPI 7.0 is released we should do the various version upgrades mentioned in this issue (that were blocked before).
We need to upgrade the spring-boot.version from 2.7.5 to 3.0.6. This requires us to upgrade to Java 17.
We should also make all other upgrade PRs created by dependabot