Bugs/Improvements

• [index] resolve upgrade issue with no longer applicable revisions considered during revision compare (#1398)
• [core] additional term filter (regex, wildcard) infrastructure for request API implementors (#1397)
• [api] ensure that large zip files properly get uploaded without making them broken (#1394)
• [log] support JSON log formatting via logback logstash encoder (#1395)

Security

• GHSA-xffm-g5w8-qvg7, CVE-2025-7783, CVE-2025-48924, CVE-2025-22233, CVE-2025-41234 (#1400) and many others via Eclipse and Jetty upgrade (#1394)

Dependencies

• Eclipse Platform to 4.35 (2025-03)
• Bump Jetty to 12.0.21
• Bump EMF to 2.42.0
• Bump Xtext to 2.38.0
• Bump Bouncycastle to 1.80.0
• Bump SLF4J to 2.0.16 and Logback to 1.5.16
• Bump OWLAPI to 4.5.27.b2i and Protege to 5.0.8.b2i
• Bump fastutil to 8.5.16
• FHIR Core to 0.3.2
• Bump Spring to 6.2.9
• Bump Spring Security to 6.5.2
• Bump SpringDoc to 2.8.9
• Bump Swagger to 2.2.30
• Bump micrometer to 1.14.9
• Bump Apache Commong Lang3 to 3.18.0
• Bump AssertJ to 3.27.3

Bugs/Improvements

• [snomed] fixed an issue where persisting certain changes from a server-side Groovy script could lead to missing authorization token issues (#1391)
• [snomed] fix an issue where exporting a SNOMED CT References to DSV format could result in incorrectly formatted export when a given concept does not have a value for a selected property (#1387)
• [snomed] fix a potential NPE when running validation rule 663 (#1389)
• [snomed] fixed an issue where old concrete data type reference set members were incorrectly imported to the system in case of invalid or missing data type to refsetId configuration (#1390)

Packaging

• Update base Docker image Ubuntu version to 24.04

Dependencies

• Bump embedded Elasticsearch to 7.17.28
• Bump Elasticsearch 8 client to 8.18.0
• Bump Jackson to 2.18.3
• Bump Spring to 6.2.6
• Bump Spring Security to 6.4.5
• Bump Spring Boot to 3.4.5
• Bump SpringDoc to 2.8.6
• Bump Swagger Jakarta to 2.2.29
• Bump micrometer to 1.14.5

Java 21

This release changes the primary Java version from 17 LTS to 21 LTS. Release packages and docker images come with a pre-installed Eclipse Temurin build.

Bugs/Improvements

• [core] ensure that suggestion context considers only matching languages when determining search corpus (590fdb6)
• [api] prevent refreshing a token issued by another server (#1374)
• [api] ensure that proper response media type is present in SNOMED CT RF2 Export endpoint (c498a5d)
• [fhir] properly response with HTTP 400 when URL is not set in CodeSystem$validate-code (395abe7)
• [fhir] support two digit versions in $versions, _format and Accept header (#1382)
• [fhir] fixed an issue where submitting an R4 ConceptMap resulted in a no class def found error (962806e)

Security

• Mitigate CVE-2025-27152, CVE-2025-27789, CVE-2024-53382, CVE-2025-31486, CVE-2025-31125, CVE-2025-30208, CVE-2025-24010, CVE-2025-25193, CVE-2025-24970, CVE-2025-22223, CVE-2025-22228 security issues

Dependencies

• Add bouncycastle 1.77.0
• Bump Elasticsearch 8 client to 8.17.3
• Bump Groovy to 3.0.24
• Bump Spring to 6.2.5
• Bump Spring Security to 6.4.4
• Bump Netty to 4.1.119.Final
• Bump Apache Commons IO to 2.18.0
• Bump FHIR Core to 0.3.1
• Bump Tycho to 4.0.12

Core

• Allow specifying and using multiple identity providers with the same type (#1364)
  • This allows system integrators to have multiple same type identity providers (e.g. file, ldap, jwks) in the snowowl.yml configuration file
  • Snow Owl will make sure that authorization headers coming from various identity providers will be properly recognized, even if there are other same type providers present in the system

Bugs/Improvements

• [index] ensure that stop_words are not included in the top token count when suggesting concepts (ef84836)
• [index] ensure the enum type field in document mapping does not produce JSON parse errors during confict detection (#1366)
• [core] ensure that min should match based term filtering in all APIs finds exact matches and prioritizes them over other matches (ad7ba13)
• [auth] introduce a read permission operation alias for browse (#1361)
• [auth] disallow token permission abuse when refreshing a previously generated API token (#1362)
• [auth] improve error message when trying authenticate without a kid token in a jwks provider (716c406)
• [auth] ensure that unprotected requests does not respond with HTTP 401 Unauthorized when the Authorization header contains an invalid value (#1368)

Bugs/Improvements

• [core] add syntactic sugar getSync method for millisec based timeouts (c22cf5a)

Core

• New, improved branch locking capabilities for more reliable lock management during transactions (#1353)

FHIR

• Support RFC7240 Prefer header (#1336)
  • Prefer handling=lenient and handling=strict are supported values
  • Default behavior is lenient to keep compatibility with older systems
• Improve compatibility with BCP-47 language tags (#1339)
  • Support the official SNOMED on FHIR BCP-47 private use language tag format

SNOMED CT

• Reintroduce and improved 7.x style SNOMED CT Reference Set to DSV exporter (Java API only) (#1349, #1351)

Security

• Mitigate CVE-2024-38821, CVE-2024-47764, CVE-2024-29025, CVE-2024-47535

Bugs/Improvements

• [core] fixed an issue where certain async executed requests would not propagate authorization information properly and resulted in missing authorization token errors (#1346)
• [snomed] prevent failing RF2 imports when an existing remote job document is too large for the current Elasticsearch sizing (#1344)
• [snomed] ensure that only RF2 Delta import generate actual visited component results in the remote job index (#1344)
• [snomed] exclude irrelevant axiom types when validation SNOMED CT content based on MRCM (#1342)
• [snomed] significantly improve performance of bulk SNOMED CT component inactivations by caching association refsets and skipping zero result query executions (#1350)

Dependencies

• Upgrade fhir-core to 0.2.0 (hl7.fhir.core 6.4.0)
• Upgrade Spring to 6.2.0
• Upgrade Spring Security to 6.4.1
• Upgrade SpringDoc to 2.7.0
• Upgrade Swagger libraries to 2.2.25
• Upgrade Netty to 4.1.115.Final
• Upgrade Tycho to 4.0.10

FHIR

• Complete support for R4, R4B and R5 formats (#1323, #1332)
  • Implementation is now based on the official HL7 Java model libraries and convertors through a thin wrapper (https://github.com/b2ihealthcare/fhir-core)
  • New GET CapabilityStatement$versions operations endpoint to list the available supported FHIR versions
  • Support for fhirVersion=4.0.1|4.3.0|5.0.0 mime-type parameter in Accept, Content-Type headers
  • Support all accepted mime-type variants in the _format query parameter as well (including versioned forms)
  • Default format is R5 for all media types
• SNOMED CT concept lookups now include a Designation extension that describes additional contexts where the Designation can be used (#1334)
  • Define in https://confluence.ihtsdotools.org/display/FHIR/Designation+extension

SNOMED CT

• Upgrade ECL to 2.2 (#1331)
  • Support the complete ECL 2.2 syntax
  • Support evaluation of Top and Bottom operators

Security

• Replace CRA with Vite to mitigate all API site security vulnerabilities (df334fe)
• Mitigate CVE-2024-43788, CVE-2024-4067, CVE-2024-38816, CVE-2024-45296, CVE-2024-43796, CVE-2024-45590, CVE-2024-43800, CVE-2024-43799, CVE-2024-47068, CVE-2022-22978

Bugs/Improvements

• [fhir] generate correct FHIR CapabilityStatement operation definition resources (12ab565)
• [mrcm] validation rule evaluation now properly considers the current set of modules (#1333)

Dependencies

• Upgrade Spring to 6.1.3
• Upgrade Spring Security to 6.3.3
• Upgrade Rapidoc libraries to 9.3.6

Core

• Introduce 'sourceOf' dependency scope (#1327)
  • Special scope marker to indicate that a resource is used as a source of another
  • When versioning a resource, all sourceOf dependencies will be versioned with it at the same time

SNOMED CT

• Introduce snomed.mrcm.allowedDataAttributesExpression and snomed.mrcm.allowedObjectAttributesExpression configurations (#1325)
  • By default they use the corresponding attribute concept's descendants from SNOMED CT International Edition
  • They can be changed to accommodate additional requirements (e.g. allow additional hierarchies to be used as relationship types)

Validation

• Validation threading changes (#1320)
  • Introduce validation.workerPoolSize configuration setting
  • Deprecate validation.numberOfValidationThreads configuration setting
  • Increased allowed maximum pool size to 99
  • A more reasonable default pool size is computed based on the available resources on the current node

Bugs/Improvements

• [core] improve detection of non-connected cycles in SimpleTaxonomyGraph (#1322)
• [api] fixed an issue where retrieving validation results could result in a server error (#1310)
• [snomed] ensure that concrete data type reference sets can be created for concept component types (e4525b1)
• [snomed] fixen an issue where language configuration merging could result in serialization error (796f1f4)
• [classification] increase page size when gathering information for classification runs (ac34e31)

Bugs/Improvements

• [api] Java API improvements to allow updating concept members selectively only for certain refset types (#1311)
• [logging] remove log4j jars and use proper SLF4J bridge (#1315)
• [security] mitigate vulnerabilities CVE-2024-23444, CVE-2024-23450, CVE-2024-37890, CVE-2024-4068, CVE-2024-29415, CVE-2024-33883, CVE-2024-29041, CVE-2024-29180, CVE-2024-28849, CVE-2024-39338, CVE-2024-22257, CVE-2024-22259, CVE-2024-22262

Dependencies

• Bumped Elasticsearch to 7.17.23
• Bumped Elasticsearch Java Client to 8.15.0
• Removed Apache Log4j 1.2.25

Bugs/Improvements

• [core] add method to detect Win 11 OS (#1300)
• [core] consider transaction changeset when checking referential integrity checks, like ensure presence of a certain component before commit (#1303)
• [api] support timeout parameter configuration in Lock Java API with a default value of 3s (#1298)
• [api] support expansion of type and destination fields for expanded owlRelationships on axiom members (#1301)
• [api] support disabling duplicate preferred term check on a per request basis (#1308)
• [fhir] fixed an issue that caused internal server error logs not being reported to the log stream when using the FHIR API (5701a72)
• [classification] restore old concrete domain member inference logic when old concrete domain support is enabled in the system (#1302)
• [releng] change b2i.sg URLs to b2ihealthcare.com (e.g. https://artifacts.b2ihealthcare.com) (#1304)