6056 drop derby jars (#6057)

* Remove most of derby, add changelog

* Upgrade information

* Upgrade notes, bump to jdk17 version

* Fix issue#

hapi-deployable-pom/pom.xml

@@ -78,18 +78,6 @@
 							<groupId>com.google.code.findbugs</groupId>
 							<artifactId>annotations</artifactId>
 						</dependency>
-						<dependency>
-							<groupId>org.apache.derby</groupId>
-							<artifactId>derbyclient</artifactId>
-						</dependency>
-						<dependency>
-							<groupId>org.apache.derby</groupId>
-							<artifactId>derbynet</artifactId>
-						</dependency>
-						<dependency>
-							<groupId>org.apache.derby</groupId>
-							<artifactId>derbyclient</artifactId>
-						</dependency>
 						<dependency>
 							<groupId>org.checkerframework</groupId>
 							<artifactId>checker-compat-qual</artifactId>

hapi-fhir-cli/hapi-fhir-cli-api/pom.xml

@@ -84,11 +84,6 @@
 			<groupId>commons-cli</groupId>
 			<artifactId>commons-cli</artifactId>
 		</dependency>
-
-		<dependency>
-			<groupId>org.apache.derby</groupId>
-			<artifactId>derby</artifactId>
-		</dependency>
 		<dependency>
 			<groupId>com.h2database</groupId>
 			<artifactId>h2</artifactId>

hapi-fhir-docs/src/main/resources/ca/uhn/hapi/fhir/changelog/7_4_0/6056-drop-derby.yaml

@@ -0,0 +1,5 @@
+---
+type: remove
+issue: 6056
+title: "The Derby JARs have been removed from this release. The older versions have multiple high-severity vulnerabilities against them, and the newer versions force usage of Java 21, which HAPI-FHIR does not yet support.
+If you wish to continue to use derby, you will have to provide the `derby`, `derbyclient`,`derbynet`, `derbyshared`, and `derbytools` jars on your classpath."

hapi-fhir-docs/src/main/resources/ca/uhn/hapi/fhir/changelog/7_4_0/upgrade.md

@@ -1,3 +1,14 @@
+## Derby JARs removed from HAPI-FHIR 
+As of Derby 17, in order to support JDK17, the jars must be built from source, as the default package supports JDK21. Due to a [high severity vulnerability](https://github.com/hapifhir/hapi-fhir/issues/5471) in older versions, and a lack of appetite to host 
+a forked packaged version of Derby, the Derby JARs have been removed from the HAPI-FHIR distribution. For those who wish to continue to use Derby, you may still do so, but the following jars must be manually added
+to your classpath: 
+
+- [derby](https://mvnrepository.com/artifact/org.apache.derby/derby)
+- [derbyclient](https://mvnrepository.com/artifact/org.apache.derby/derbyclient)
+- [derbyshared](https://mvnrepository.com/artifact/org.apache.derby/derbyshared) 
+- [derbynet](https://mvnrepository.com/artifact/org.apache.derby/derbynet)
+- [derbytools](https://mvnrepository.com/artifact/org.apache.derby/derbytools)
+
 ## Possible migration errors on SQL Server (MSSQL)
 
 * This affects only clients running SQL Server (MSSQL) who have custom indexes on `HFJ_SPIDX` tables, which

hapi-fhir-jpaserver-elastic-test-utilities/pom.xml

@@ -67,10 +67,6 @@
 			<groupId>com.h2database</groupId>
 			<artifactId>h2</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.apache.derby</groupId>
-			<artifactId>derby</artifactId>
-		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-test</artifactId>

hapi-fhir-jpaserver-test-utilities/pom.xml

@@ -81,14 +81,6 @@
 			<groupId>com.h2database</groupId>
 			<artifactId>h2</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.apache.derby</groupId>
-			<artifactId>derby</artifactId>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.derby</groupId>
-			<artifactId>derbytools</artifactId>
-		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-test</artifactId>

hapi-fhir-jpaserver-test-utilities/src/test/java/ca/uhn/fhir/jpa/migrate/taskdef/BaseTest.java

@@ -56,27 +56,27 @@ public abstract class BaseTest {
 			}
 		});
 
-		// Derby
-		retVal.add(new Supplier<TestDatabaseDetails>() {
-			@Override
-			public TestDatabaseDetails get() {
-				String url = "jdbc:derby:memory:" + DATABASE_NAME + UUID.randomUUID() + ";create=true";
-				DriverTypeEnum.ConnectionProperties connectionProperties = DriverTypeEnum.DERBY_EMBEDDED.newConnectionProperties(url, "SA", "SA");
-				BasicDataSource dataSource = new BasicDataSource();
-				dataSource.setUrl(url);
-				dataSource.setUsername("SA");
-				dataSource.setPassword("SA");
-				dataSource.setDriverClassName(DriverTypeEnum.DERBY_EMBEDDED.getDriverClassName());
-				HapiMigrator migrator = new HapiMigrator(SchemaMigrator.HAPI_FHIR_MIGRATION_TABLENAME, dataSource, DriverTypeEnum.DERBY_EMBEDDED);
-				return new TestDatabaseDetails(url, connectionProperties, dataSource, migrator);
-			}
-
-			@Override
-			public String toString() {
-				return "Derby";
-			}
-		});
-
+//		 Derby
+//		retVal.add(new Supplier<TestDatabaseDetails>() {
+//			@Override
+//			public TestDatabaseDetails get() {
+//				String url = "jdbc:derby:memory:" + DATABASE_NAME + UUID.randomUUID() + ";create=true";
+//				DriverTypeEnum.ConnectionProperties connectionProperties = DriverTypeEnum.DERBY_EMBEDDED.newConnectionProperties(url, "SA", "SA");
+//				BasicDataSource dataSource = new BasicDataSource();
+//				dataSource.setUrl(url);
+//				dataSource.setUsername("SA");
+//				dataSource.setPassword("SA");
+//				dataSource.setDriverClassName(DriverTypeEnum.DERBY_EMBEDDED.getDriverClassName());
+//				HapiMigrator migrator = new HapiMigrator(SchemaMigrator.HAPI_FHIR_MIGRATION_TABLENAME, dataSource, DriverTypeEnum.DERBY_EMBEDDED);
+//				return new TestDatabaseDetails(url, connectionProperties, dataSource, migrator);
+//			}
+//
+//			@Override
+//			public String toString() {
+//				return "Derby";
+//			}
+//		});
+//
 		return retVal.stream();
 	}
 

hapi-fhir-sql-migrate/pom.xml

@@ -54,11 +54,13 @@
 			<groupId>org.apache.derby</groupId>
 			<artifactId>derby</artifactId>
 			<scope>test</scope>
+			<version>10.16.1.1</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.derby</groupId>
 			<artifactId>derbytools</artifactId>
 			<scope>test</scope>
+			<version>10.16.1.1</version>
 		</dependency>
 		<dependency>
 			<groupId>org.postgresql</groupId>

pom.xml

@@ -969,8 +969,6 @@
 		<commons_io_version>2.11.0</commons_io_version>
 		<commons_lang3_version>3.14.0</commons_lang3_version>
 		<com_jamesmurty_utils_version>1.2</com_jamesmurty_utils_version>
-		<!-- Note: Derby is held to 10.15.x deliberately, as the 10.17+ version requires Java 21 to build -->
-		<derby_version>10.15.2.0</derby_version>
 		<error_prone_core_version>2.23.0</error_prone_core_version>
 		<mockito_version>5.8.0</mockito_version>
 		<nullaway_version>0.7.9</nullaway_version>
@@ -1507,31 +1505,6 @@
 				<artifactId>commons-text</artifactId>
 				<version>${commons_text_version}</version>
 			</dependency>
-			<dependency>
-				<groupId>org.apache.derby</groupId>
-				<artifactId>derby</artifactId>
-				<version>${derby_version}</version>
-			</dependency>
-			<dependency>
-				<groupId>org.apache.derby</groupId>
-				<artifactId>derbynet</artifactId>
-				<version>${derby_version}</version>
-			</dependency>
-			<dependency>
-				<groupId>org.apache.derby</groupId>
-				<artifactId>derbyclient</artifactId>
-				<version>${derby_version}</version>
-			</dependency>
-			<dependency>
-				<groupId>org.apache.derby</groupId>
-				<artifactId>derbyshared</artifactId>
-				<version>${derby_version}</version>
-			</dependency>
-			<dependency>
-				<groupId>org.apache.derby</groupId>
-				<artifactId>derbytools</artifactId>
-				<version>${derby_version}</version>
-			</dependency>
 			<dependency>
 				<groupId>org.apache.httpcomponents</groupId>
 				<artifactId>httpclient</artifactId>
@@ -2690,6 +2663,7 @@
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-checkstyle-plugin</artifactId>
 				<inherited>true</inherited>
+				<version>${maven_checkstyle_version}</version>
 			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>