BQ-14474

CVE-2021-43797 & CVE-2021-23463 are reported on the runtime

CVE-2021-43797 concerns a Netty library which was updated to the latest version in which the CVE is resolved. CVE-2021-23463 concerns H2, which we only ship with the development-tools component. This component is meant to be used for development and not for production. H2 can also be used as a database backend, but this is strongly discouraged in production environments. So we have not updated the H2 library as production is unaffected.

CSD-3970

JAVA Runtime

When importing a profile.xml using the XmlConverter an exception is thrown when loading an already existing singleton entity instance.

This was a regression which occurred after the resolution of CSD-3923. When importing a profile.xml into a prefilled profile the existing singletons will be used, otherwise the imported profile instance will be used.

CSD-3912

The inability to find a qualified name when importing a WSDL would omit the qualified name, making it hard to debug the issue.

The qualified name that could not be found is now included in the log.

CSD-3941

JAVA Runtime

Fields did not properly supported domains with invalid domain options

Corrected the code to handle invalid domain options in the correct way

CSD-3931

Importing a branch export from a Studio version older than R13 could fail if it contains external libraries that require a migration.

When an older branch export is imported into a newer Studio version, any external libraries are now correctly migrated as well.

CSD-3930

When an inline field is present on a page, the generation of a document using the document plugin would fail

Inline fields no longer cause the document generation plugin to fail

BQ-13951

When a timer or due date was set to reevaluate on domain change, and on reevaluation it would yield an unknown date, an exception was thrown and process evaluation halted.

When the timer or due date is evaluated to unknown on domain change, it is ignored. A warning is logged to alert that probably something is wrong in the domain model.

CSD-3869

Values in a MappedJustificationTree that were already visited during the traversal of the justificationTree were added as a duplicate entry in the MappedJustificationTree leading to unnecessary memory usage.

Visited nodes are now cached and reused if they are visited more than once.

BQ-13195

For BAA(R)S endpoints that have a shortcut, the test path would always be read from the HTTP request, even in production mode. Test Paths are a development only feature.
If test path properties were present for the shortcut of the BAA(R)S, an attacker could provide a X-Blueriq-TestPath header and a different branch than the intended branch would be used to execute the BAA(R)S service.

Test path properties will now be ignored when running Blueriq Runtime in Production Mode.