
Upgrade to JDK 17 and other related version upgrades #155

Closed
vivekmittal07 opened this issue Apr 25, 2023 · 7 comments · Fixed by #310
Labels: enhancement (New feature or request), good first issue (Good for newcomers), P1:must (An issue that definitely needs to be implemented in the near future).

Comments

@vivekmittal07
Collaborator

We need to upgrade the spring-boot.version from 2.7.5 to 3.0.6.
This requires us to upgrade to java17.

We should also make all other upgrade PRs created by dependabot

@bashir2
Collaborator

bashir2 commented Apr 26, 2023

Just to add some context here: Beside dealing with the usual dependabot alerts/PRs for version upgrades, another motivation for the Spring version upgrade is this security vulnerability, which is CVE-2016-1000027. I have not investigated the details, but if switching to Spring 6+ is a major issue (e.g., for our usage of HAPI) then we may want to look at the details of the vulnerability and decide whether to do the upgrade or not.

@bashir2
Collaborator

bashir2 commented Apr 26, 2023

BTW, @vivekmittal07 the issues that you are facing with HAPI might be due to the javax to jakarta namespace migration as described here.

@vivekmittal07
Collaborator Author

Thanks Bashir!

Issue after upgrading the dependency - none of the servlets seem to be loading. For any FHIR endpoint, the server throws a Not Found exception.

@bashir2 Like you mentioned, the issue is due to the migration to the jakarta namespace.
There is an open issue on HAPI Fhir server for this - hapifhir/hapi-fhir#2082
There is significant interest in the community and they should update the timelines soon - hapifhir/hapi-fhir#2082 (comment)

Till this is fixed, I think we can't upgrade the Spring version. I will look at the vulnerability and see if this impacts us and what the mitigation steps are.

@vivekmittal07
Collaborator Author

This vulnerability was found in the Spring Remoting technologies -
spring-projects/spring-framework#25379
https://docs.spring.io/spring-framework/docs/3.2.0.M2/reference/html/remoting.html

They seem to have deprecated the following packages - spring-projects/spring-framework#25379 (comment)

HAPI should not be using any of these remoting technologies as it just provides a framework to create a FHIR server.
To confirm, I downloaded the HAPI source code and ran the following to look for any import dependency on the impacted libraries -

  • grep "org.springframework.remoting" -R .
  • grep "org.springframework.jms.remoting" -R .

There were no references in the source code.

Search for "phasing out serialization-based remoting" in https://docs.spring.io/spring-framework/docs/5.3.15/javadoc-api/deprecated-list.html. This shows the list of impacted packages.
The search above looks for dependencies on these packages.

I think it is safe to say that the vulnerability doesn't affect us.
@bashir2 PTAL and let me know what you think.
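
The check described in the comment above, as an added example that is not code from the issue or from the HAPI/Spring projects: it greps a source tree for the same two package prefixes and turns the result into an exit status so it can gate a build. The XML/properties scope and the sample tree are assumptions constructed here to keep the script self-contained.

```shell
#!/bin/sh
# Added example. Scans a source tree for the Spring packages listed under
# "phasing out serialization-based remoting" (the scope of CVE-2016-1000027),
# using the same prefixes as the grep commands in the comment above.

# Package prefixes whose presence indicates use of serialization-based remoting.
REMOTING_PACKAGES="org.springframework.remoting org.springframework.jms.remoting"

# check_remoting_usage DIR
# Prints every file:line that references a remoting package.
# Returns 0 when no reference exists, 1 when at least one does.
check_remoting_usage() {
    _dir="$1"
    _found=0
    for _pkg in $REMOTING_PACKAGES; do
        # Java sources plus Spring XML/properties config (an assumption): a bean
        # class such as an HttpInvokerServiceExporter can be wired there without
        # any Java import, so a Java-only grep would miss it.
        if grep -rnF --include='*.java' --include='*.xml' \
                --include='*.properties' -- "$_pkg" "$_dir"; then
            _found=1
        fi
    done
    return "$_found"
}

# Constructed sample tree demonstrating both outcomes (not real project code).
_demo=$(mktemp -d)
mkdir -p "$_demo/clean/src" "$_demo/exposed/src"
printf 'package a;\nimport org.springframework.web.bind.annotation.RestController;\n' \
    > "$_demo/clean/src/A.java"
printf 'package b;\nimport org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;\n' \
    > "$_demo/exposed/src/B.java"

if check_remoting_usage "$_demo/clean" >/dev/null; then
    echo "clean tree: no remoting references, CVE-2016-1000027 not applicable"
fi
if ! check_remoting_usage "$_demo/exposed"; then
    echo "exposed tree: remoting reference found, review before upgrading"
fi
rm -rf "$_demo"
```

A non-zero exit status from check_remoting_usage is the signal to investigate; a zero status only says the tree has no direct reference, not that transitive dependencies are clean.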

@vivekmittal07
Collaborator Author

We cannot migrate to the new Spring version unless HAPI does the migration - hapifhir/hapi-fhir#2082
The vulnerability reported in Spring should not affect us, as explained in #155 (comment).

We will not do the migration to the new Spring version.

@bashir2
Collaborator

bashir2 commented Jul 4, 2023

Reopening this issue to revisit once HAPI does the same upgrade (details).

@bashir2 bashir2 reopened this Jul 4, 2023
@bashir2 bashir2 added enhancement New feature or request good first issue Good for newcomers P2:should An issue to be addressed in a quarter or so. labels May 7, 2024
@bashir2
Collaborator

bashir2 commented May 7, 2024

Now that hapifhir/hapi-fhir#2082 is fixed and HAPI 7.0 is released we should do the various version upgrades mentioned in this issue (that were blocked before).

@bashir2 bashir2 self-assigned this Oct 4, 2024
@bashir2 bashir2 added P1:must An issue that definitely needs to be implemented in the near future. and removed P2:should An issue to be addressed in a quarter or so. labels Oct 4, 2024