

@renovate renovate bot commented Dec 1, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| ghcr.io/datasharingframework/bpe | final | major | 1.9.0 → 2.0.1 |

Release Notes

datasharingframework/dsf (ghcr.io/datasharingframework/bpe)

v2.0.1: 2.0.1 - Maintenance Release

Compare Source

General remarks:

Bug Fixes:

  • Starting the DSF 2.0.0 FHIR or BPE server with an ECC client certificate without keyEncipherment extension, resulted in a First certificate from '...' not a client certificate error (#405). The requirement for the keyEncipherment extension was removed with this release.

Docker images for this release can be accessed via the GitHub Docker registry - ghcr.io:

Process Plugin API v1 on Maven Central:

<dependency>
    <groupId>dev.dsf</groupId>
    <artifactId>dsf-bpe-process-api-v1</artifactId>
    <version>2.0.1</version>
</dependency>

Process Plugin API v2 on Maven Central:

<dependency>
    <groupId>dev.dsf</groupId>
    <artifactId>dsf-bpe-process-api-v2</artifactId>
    <version>2.0.1</version>
</dependency>

DSF Maven Plugin on Maven Central:

<plugin>
    <groupId>dev.dsf</groupId>
    <artifactId>dsf-maven-plugin</artifactId>
    <version>2.0.1</version>
</plugin>

Issues closed:

  • Start New Development Cycle #406
  • DSF Fails to Start with Certain ECC Client Certificates #405

This release contains contributions from @hhund and @schwzr.

v2.0.0: 2.0.0 - Major Release

Compare Source

General remarks:

Feature Summary:

  • With the 2.0.0 release the workflow engine for the DSF BPE Server was migrated from Camunda 7 to the community-driven, open-source BPMN engine Operaton. The migration includes a byte-code rewriting layer that allows existing v1 process plugins compiled against Camunda classes to continue running without recompilation.
  • The release includes a new Process Plugin API v2, offering cleaner abstractions, new services and expanded metadata. The API introduces foundational support for FHIR validation services (planned to be fully activated in 2.1) and provides utilities such as data encryption, compression and new logging facilities. Using the new FHIR server connections API, credentials for local FHIR data servers can be shared between process plugins, with password, mTLS and OIDC based authentication supported.
  • Default FHIR profiles for all supported resources have been created for version 2.0.0 on the DSF FHIR Server, with automated data migration to ensure compliance for existing installations. The authorization system now supports fine-grained, resource-specific roles and enhanced practitioner-based access control for Task and QuestionnaireResponse resources. Internal optimizations improve performance for Binary resources, with a new resource size limit constrained by PostgreSQL's 4 TB limit on Large Objects (upload limits of forwarding and reverse proxies may be smaller).
  • Finally, the user experience has been modernized with a more responsive layout and new statistics panels on the FHIR server visible to administrators. Extensive configuration cleanup and unified logging controls simplify administration across both the BPE and FHIR servers.
  • The DSF 2.0.0 code base was upgraded to Java 25 and uses the latest versions of Jetty and HAPI. A new dsf-maven-plugin was created to automate build steps and help process plugin developers generate configuration documentation and docker-compose based DSF development setups.

Docker images for this release can be accessed via the GitHub Docker registry - ghcr.io:

Process Plugin API v1 on Maven Central:

<dependency>
    <groupId>dev.dsf</groupId>
    <artifactId>dsf-bpe-process-api-v1</artifactId>
    <version>2.0.0</version>
</dependency>

Process Plugin API v2 on Maven Central:

<dependency>
    <groupId>dev.dsf</groupId>
    <artifactId>dsf-bpe-process-api-v2</artifactId>
    <version>2.0.0</version>
</dependency>

DSF Maven Plugin on Maven Central:

<plugin>
    <groupId>dev.dsf</groupId>
    <artifactId>dsf-maven-plugin</artifactId>
    <version>2.0.0</version>
</plugin>

Issues closed:

  • 1.9.0 to 2.0.0 Transition #400
  • Fix 2.0.0-RC2 Bugs #397
  • Add New D-Trust Server Certificate Root CAs #395
  • Fix 2.0.0-RC1 Bugs #393
  • Add Licence Headers #391
  • Improve FHIR Server UI #388
  • Delete dsf-fhir-auth and Move Code to dsf-fhir-server #387
  • Upgrade to PostgreSQL 18 #385
  • Rename Test-Setups to Dev-Setups #383
  • Add Methods for Additional Metadata to v2 ProcessPluginDefinition #382
  • Add FHIR Profiles for All Supported Resource Types #378
  • Allow Updates to Output Parameters of in-progress Tasks via Plugin API #373
  • Add Service to Validate FHIR Resources via Plugin API #372
  • Improve User to Task and QuestionnaireResponse Association #367
  • Extended FHIR Server User Role Config - Role Per Resource #365
  • Migrate Camunda 7 to Operaton 1 #353
  • Add Service With Data Compression Functions to Plugin API #349
  • Simplify Prototype Scoped Bean Definition for BPMN Activities #347
  • Runtime Access to ProcessPluginDefinition via API #346
  • Properly Display FHIR Duration Type in DSF FHIR Server UI #344
  • Add Library.content to HTML View #341
  • Simplify Specification of Name, Version and Release-Date of Process Plugins Using Values From Maven pom #338
  • DSF Maven Plugin: Add ability to generate .password-files #332
  • Add Validation Support for Process Plugins #331
  • Add DocumentReference HTML View #325
  • Improve Allow-List and Enable Thumbprints on Endpoint Resources #317
  • Reorganize dsf-tools Modules #315
  • Extend dsf-tools-documentation-generator Maven Plugin for v2 Process Plugins #309
  • Create Target Provider #307
  • Upgrade Dependencies #301
  • Upgrade to HAPI 8.0.0 #297
  • Optimize FHIR Binary Resource Handling #296
  • Add Mechanism to the API for Modifying Process Plugin FHIR Resources During Startup #292
  • Remove Camunda Dependency from Process Plugin API v2 #284
  • Validator Ignores CodeSystem Version #281
  • Add BPE Integration Tests #271
  • Add Mechanism to Manage Connections to Local FHIR Servers #270
  • Port Fixes and Features From 1.7.0 to 2.0.0 #268
  • Complete Class and Resource Allow Lists for ProcessPluginApiClassLoader #241
  • Port Fixes and Features From 1.6.0 to 2.0.0 #239
  • Add Methods for Accessing "Local" BPMN Variables to the Plugin API #210
  • Add Service to Log Debug Information Including Context Information via Plugin API #209
  • Add Service to Log Sensitive Data if Enabled via Plugin API #208
  • Add Service to Access Trusted Certificate Authorities via Plugin API #207
  • Add Service to Encrypt and Decrypt Binary Data via Plugin API #206
  • Add Service to Check Mime-Type of Binary Data via Plugin API #205
  • Add Default Trusted Certificate Authorities to Docker Images #204
  • Upgrade to Jetty 12 #203
  • Upgrade to Java 25 #202
  • Web Application Style Class Loading for Process Plugins #201
  • Create API v2 Maven Module #200
  • Process Plugin API v2 #197
  • Don't require DEV_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT #177
  • Add Constants for organization-role and practitioner-role CodeSystems #81
  • Improve DefaultUserTaskListener #78

This release contains contributions from @alexanderkiel, @EmteZogaf, @hhund, @jaboehri, @MadMax93, @schwzr and @wetret.


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
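The keyEncipherment fix in the 2.0.1 notes above is the security-relevant change in this update, and it is worth seeing why the old requirement rejected ECC certificates. The following is an added example, not DSF project code: it decodes a DER-encoded X.509 KeyUsage value with the standard library and compares two acceptance rules for a TLS client certificate, one that also demands keyEncipherment (the requirement the notes say was removed) and one that looks only at digitalSignature, the bit TLS client authentication actually exercises. The DER byte strings are constructed for the example, and the two rule functions are an assumption about the shape of such a check, not a description of how DSF implemented it.

```python
"""Decode an X.509 KeyUsage value and compare two client-certificate rules.

Added example, not DSF project code. The DER byte strings are constructed for
the example; the two rule functions are an assumption about the shape of an
'is this a client certificate' check, not a description of DSF's implementation.
"""

# RFC 5280 section 4.2.1.3: KeyUsage is a BIT STRING with these named bits,
# numbered from the most significant bit of the first content byte.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)


def decode_key_usage(der: bytes) -> set[str]:
    """Parse a DER BIT STRING (tag 0x03, short-form length, unused-bits byte,
    bit bytes) into the set of KeyUsage names whose bit is set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("unexpected BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("unused-bits byte out of range")
    bit_bytes = der[3:]
    valid_bits = len(bit_bytes) * 8 - unused
    names = set()
    for i in range(min(valid_bits, len(KEY_USAGE_BITS))):
        byte_index, offset = divmod(i, 8)
        if bit_bytes[byte_index] & (0x80 >> offset):
            names.add(KEY_USAGE_BITS[i])
    return names


def accepts_client_cert_legacy(key_usage: set[str]) -> bool:
    """Rule that also demands keyEncipherment, i.e. the requirement the 2.0.1
    notes describe as removed. An EC signing key is never issued with that bit,
    so every ECDSA client certificate fails here."""
    return {"digitalSignature", "keyEncipherment"} <= key_usage


def accepts_client_cert(key_usage: set[str]) -> bool:
    """TLS client authentication proves key possession by signing
    (CertificateVerify), so digitalSignature is the bit that matters.
    keyEncipherment only describes RSA key transport, which a client
    certificate never performs."""
    return "digitalSignature" in key_usage


# Constructed sample KeyUsage values, DER-encoded (assumed, not taken from real certificates).
RSA_CLIENT_KU = bytes.fromhex("030205a0")    # digitalSignature + keyEncipherment
ECDSA_CLIENT_KU = bytes.fromhex("03020780")  # digitalSignature only
CA_KU = bytes.fromhex("03020106")            # keyCertSign + cRLSign


def evaluate(samples: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """For each sample: (legacy rule accepts, corrected rule accepts)."""
    results = {}
    for name, der in samples.items():
        ku = decode_key_usage(der)
        results[name] = (accepts_client_cert_legacy(ku), accepts_client_cert(ku))
    return results


if __name__ == "__main__":
    samples = {"rsa-client": RSA_CLIENT_KU, "ecdsa-client": ECDSA_CLIENT_KU, "ca": CA_KU}
    for name, (legacy, fixed) in evaluate(samples).items():
        print(f"{name:13} legacy={legacy!s:5} corrected={fixed}")
```

An ECDSA signing certificate is issued with digitalSignature (and keyAgreement when the key is also used for ECDH), never keyEncipherment, so the legacy rule rejects every such certificate while still accepting an RSA one. A production check additionally verifies the extendedKeyUsage clientAuth purpose and the chain; neither is shown here.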


github-actions bot commented Dec 1, 2025

⚠️MegaLinter analysis: Success with warnings

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 6 | | 0 | 0 | 0.04s |
| ✅ DOCKERFILE | hadolint | 8 | | 0 | 0 | 0.47s |
| ✅ EDITORCONFIG | editorconfig-checker | 51 | | 0 | 0 | 0.03s |
| ✅ JSON | jsonlint | 6 | | 0 | 0 | 0.15s |
| ✅ JSON | prettier | 6 | | 0 | 0 | 0.58s |
| ✅ JSON | v8r | 6 | | 0 | 0 | 7.54s |
| ⚠️ MARKDOWN | markdownlint | 9 | | 6 | 0 | 1.02s |
| ✅ REPOSITORY | checkov | yes | | no | no | 23.97s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.44s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.03s |
| ⚠️ REPOSITORY | kics | yes | | no | 2 | 3.92s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.73s |
| ✅ REPOSITORY | syft | yes | | no | no | 9.21s |
| ⚠️ REPOSITORY | trivy | yes | | 8 | 2 | 12.73s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 1.62s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 13.96s |
| ✅ YAML | prettier | 9 | | 0 | 0 | 0.51s |
| ✅ YAML | v8r | 9 | | 0 | 0 | 7.89s |
| ✅ YAML | yamllint | 9 | | 0 | 0 | 0.51s |

Detailed Issues

⚠️ REPOSITORY / kics - 2 warnings
warning: The 'Dockerfile' contains the 'chown' flag
   ┌─ images/ml-on-fhir/Dockerfile:43:1
   │
43 │ COPY --chown=${NB_UID}:${NB_GID} requirements.txt /tmp/
   │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   │
   = Chown Flag Exists
   = It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership

warning: The 'Dockerfile' contains the 'chown' flag
   ┌─ images/hive-metastore/Dockerfile:30:1
   │
30 │ COPY --from=downloader --chown=0:0 /tmp/libs/*.jar /opt/hive/lib/
   │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   │
   = Chown Flag Exists
   = It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership

warning: 2 warnings emitted
⚠️ MARKDOWN / markdownlint - 6 errors
images/dsf-bpe-full/CHANGELOG.md:133 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Description"]
images/dsf-bpe-full/CHANGELOG.md:136 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Versions:"]
images/dsf-bpe-full/CHANGELOG.md:136:13 MD026/no-trailing-punctuation Trailing punctuation in heading [Punctuation: ':']
images/dsf-bpe-full/CHANGELOG.md:137 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "* DFN CA certificate chain fro..."]
images/dsf-bpe-full/CHANGELOG.md:143:31 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Transfer" process ]"]
images/dsf-bpe-full/CHANGELOG.md:144:30 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Sharing" process ]"]
⚠️ REPOSITORY / trivy - 8 errors
error: Package: glob
Installed Version: 10.4.5
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
     ┌─ images/semantic-release/package-lock.json:4800:1
     │  
4800 │ ╭     "node_modules/npm/node_modules/node-gyp/node_modules/glob": {
4801 │ │       "version": "10.4.5",
4802 │ │       "inBundle": true,
4803 │ │       "license": "ISC",
     · │
4817 │ │       }
4818 │ │     },
     │ ╰^
     │  
     = glob: glob: Command Injection Vulnerability via Malicious Filenames
     = Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

error: Package: glob
Installed Version: 11.0.3
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
     ┌─ images/semantic-release/package-lock.json:4202:1
     │  
4202 │ ╭     "node_modules/npm/node_modules/glob": {
4203 │ │       "version": "11.0.3",
4204 │ │       "inBundle": true,
4205 │ │       "license": "ISC",
     · │
4222 │ │       }
4223 │ │     },
     │ ╰^
     │  
     = glob: glob: Command Injection Vulnerability via Malicious Filenames
     = Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

warning: Package: js-yaml
Installed Version: 4.1.0
Vulnerability CVE-2025-64718
Severity: MEDIUM
Fixed Version: 4.1.1, 3.14.2
Link: [CVE-2025-64718](https://avd.aquasec.com/nvd/cve-2025-64718)
     ┌─ images/semantic-release/package-lock.json:2874:1
     │  
2874 │ ╭     "node_modules/js-yaml": {
2875 │ │       "version": "4.1.0",
2876 │ │       "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
2877 │ │       "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
     · │
2884 │ │       }
2885 │ │     },
     │ ╰^
     │  
     = js-yaml: js-yaml prototype pollution in merge
     = js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

error: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2026-23745
Severity: HIGH
Fixed Version: 7.5.3
Link: [CVE-2026-23745](https://avd.aquasec.com/nvd/cve-2026-23745)
     ┌─ images/semantic-release/package-lock.json:5408:1
     │  
5408 │ ╭     "node_modules/npm/node_modules/tar": {
5409 │ │       "version": "7.5.1",
5410 │ │       "inBundle": true,
5411 │ │       "license": "ISC",
     · │
5421 │ │       }
5422 │ │     },
     │ ╰^
     │  
     = node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails t ...
     = node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

warning: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2025-64118
Severity: MEDIUM
Fixed Version: 7.5.2
Link: [CVE-2025-64118](https://avd.aquasec.com/nvd/cve-2025-64118)
     ┌─ images/semantic-release/package-lock.json:5408:1
     │  
5408 │ ╭     "node_modules/npm/node_modules/tar": {
5409 │ │       "version": "7.5.1",
5410 │ │       "inBundle": true,
5411 │ │       "license": "ISC",
     · │
5421 │ │       }
5422 │ │     },
     │ ╰^
     │  
     = node-tar has a race condition leading to uninitialized memory exposure
     = node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

error: Artifact: images/apache-superset/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/apache-superset/Dockerfile:8:1
   │  
 8 │ ╭ RUN <<EOF
 9 │ │ set -e
10 │ │ apt-get update -y
11 │ │ apt-get install -y --no-install-recommends alien libaio-dev libaio1 unzip wget
   · │
16 │ │ rm oracle-instantclient-basic-23.6.0.24.10-1.el9.x86_64.rpm
17 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/coder-base/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/coder-base/Dockerfile:14:1
   │  
14 │ ╭ RUN <<EOF
15 │ │ apt-get update
16 │ │ xargs -r -a /tmp/setup/packages.txt apt-get install -y --no-install-recommends
17 │ │ 
   · │
27 │ │ useradd coder --create-home --shell=/bin/bash --uid=10001 --user-group
28 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/hive-metastore/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/hive-metastore/Dockerfile:20:1
   │  
20 │ ╭ RUN <<EOF
21 │ │ chown -R 1000:1000 /opt/hive
22 │ │ apt-get update
23 │ │ apt-get upgrade -y
   · │
27 │ │ rm -rf /var/lib/apt/lists/*
28 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/ml-on-fhir/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/ml-on-fhir/Dockerfile:8:1
   │  
 8 │ ╭ RUN <<EOF
 9 │ │ apt-get -y update
10 │ │ apt-get install --no-install-recommends -y openjdk-17-jre-headless
11 │ │ rm -rf /var/lib/apt/lists/*
12 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/semantic-release/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/semantic-release/Dockerfile:10:1
   │  
10 │ ╭ RUN <<EOF
11 │ │ apt-get update
12 │ │ apt-get install --no-install-recommends -y git bash
13 │ │ apt-get clean
14 │ │ rm -rf /var/lib/apt/lists/*
15 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

warning: 2 warnings emitted
error: 8 errors emitted

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.2.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,EDITORCONFIG_EDITORCONFIG_CHECKER,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
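Four of the five DS017 findings in the report above (images/apache-superset, images/coder-base, images/ml-on-fhir, images/semantic-release) point at `RUN <<EOF` heredoc blocks whose visible lines already contain the `apt-get install` in the same instruction; only images/hive-metastore shows just `apt-get update` and `apt-get upgrade` in the excerpt. Before accepting or suppressing such a finding, a reviewer wants to know whether the checker treats the heredoc body as part of the RUN. The script below is an added example, not trivy, MegaLinter or repository code: it implements the DS017 rule over RUN instructions while joining backslash continuations and heredoc bodies, so a heredoc with the install inside passes and a split `RUN apt-get update` / `RUN apt-get install` pair, or an update-and-upgrade-only block, is flagged. The sample Dockerfiles at the bottom are constructed for the example; the first follows the shape of the flagged heredoc blocks without copying them.

```python
"""Heredoc-aware check for trivy's DS017 rule ('package-manager update' without
an install in the same RUN).

Added example; not code from trivy, MegaLinter or the miracum/util-images repo.
The sample Dockerfiles at the bottom are constructed for the example.
"""

import re
from dataclasses import dataclass


@dataclass
class RunInstruction:
    line: int   # 1-based line number of the RUN keyword
    body: str   # the complete shell text this RUN executes


# <<EOF, <<-EOF, <<'EOF', <<"EOF"
HEREDOC = re.compile(r"<<-?\s*(['\"]?)(\w+)\1")
# package index refresh, allowing options before the verb (e.g. "apt-get -y update")
UPDATE = re.compile(r"\b(?:apt-get|apt|apk)\s+(?:-\S+\s+)*update\b")
# package install in the same statement
INSTALL = re.compile(r"\b(?:apt-get|apt)\s+(?:-\S+\s+)*install\b|\bapk\s+(?:-\S+\s+)*add\b")


def parse_run_instructions(dockerfile: str) -> list[RunInstruction]:
    """Return every RUN instruction with its full shell body.

    Backslash continuations are joined (comment lines between them are dropped)
    and a <<EOF heredoc body is appended to the instruction it belongs to, so
    commands inside the heredoc count as part of that RUN."""
    lines = dockerfile.splitlines()
    found: list[RunInstruction] = []
    i = 0
    while i < len(lines):
        m = re.match(r"\s*RUN\s+(.*)$", lines[i], re.IGNORECASE)
        if not m:
            i += 1
            continue
        start = i + 1
        head = m.group(1)
        while head.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            nxt = lines[i].strip()
            if nxt.startswith("#"):
                continue
            head = head.rstrip()[:-1] + " " + nxt
        body = head
        doc = HEREDOC.search(head)
        if doc:
            terminator = doc.group(2)
            content = []
            i += 1
            while i < len(lines) and lines[i].strip() != terminator:
                content.append(lines[i])
                i += 1
            body = head[:doc.start()] + head[doc.end():] + "\n" + "\n".join(content)
        found.append(RunInstruction(start, body))
        i += 1
    return found


def split_commands(body: str) -> list[str]:
    """Split a shell body into simple commands on newlines and the common list
    and pipe operators. Sufficient for package-manager lines; not a shell parser."""
    return [c.strip() for c in re.split(r"\n|&&|\|\||;|\|", body) if c.strip()]


def find_ds017(dockerfile: str) -> list[int]:
    """Line numbers of RUN instructions that refresh the package index but never
    install anything in the same instruction, which is what DS017 describes."""
    flagged = []
    for run in parse_run_instructions(dockerfile):
        commands = split_commands(run.body)
        refreshes = any(UPDATE.search(c) for c in commands)
        installs = any(INSTALL.search(c) for c in commands)
        if refreshes and not installs:
            flagged.append(run.line)
    return flagged


# Constructed samples (assumed, not copied from the repository).
HEREDOC_OK = """\
FROM ubuntu:22.04
RUN <<EOF
apt-get -y update
apt-get install --no-install-recommends -y openjdk-17-jre-headless
rm -rf /var/lib/apt/lists/*
EOF
"""
SPLIT_BAD = """\
FROM ubuntu:22.04
RUN apt-get update
RUN apt-get install -y --no-install-recommends git \\
    bash
"""
UPGRADE_ONLY = """\
FROM ubuntu:22.04
RUN <<EOF
apt-get update
apt-get upgrade -y
rm -rf /var/lib/apt/lists/*
EOF
"""
CONTINUATION_OK = """\
FROM debian:bookworm-slim
RUN apt-get update \\
    && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
"""

if __name__ == "__main__":
    for label, text in [("heredoc", HEREDOC_OK), ("split", SPLIT_BAD),
                        ("upgrade-only", UPGRADE_ONLY), ("continuation", CONTINUATION_OK)]:
        print(f"{label:13} flagged RUN lines: {find_ds017(text)}")
```

Run it against the repository's Dockerfiles (`find_ds017(open(path).read())`) to see which of the five findings survive a heredoc-aware reading; the hive-metastore block is flagged by this rule too if no install follows the update and upgrade in the lines the excerpt elides.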

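The node-tar finding above (CVE-2026-23745, unsanitised linkpath of hard-link and symlink entries) describes a check every archive extractor needs, not only the npm one. The following is an added example written against Python's tarfile module, not node-tar code and not repository code: an extraction filter that refuses link entries whose target is absolute or resolves outside the extraction root, applied to an archive constructed in memory with one regular file, one harmless relative symlink and three entries of the kind the CVE text describes.

```python
"""Extraction filter that refuses tar link entries whose target leaves the
extraction root, the rule behind the node-tar finding above.

Added example against Python's tarfile module; not node-tar code and not code
from the repository. The archive from build_sample_archive() is constructed
in memory for the example.
"""

import io
import posixpath
import tarfile
from typing import Iterator


class UnsafeTarMember(ValueError):
    """Raised for an entry that would write or link outside the extraction root."""


def escapes_root(path: str) -> bool:
    """True if a POSIX path, taken relative to the extraction root, is absolute
    or climbs out of the root via '..' after normalisation."""
    if posixpath.isabs(path):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def check_member(member: tarfile.TarInfo) -> tarfile.TarInfo:
    """Return the member unchanged if its own path and, for links, its target
    stay under the extraction root; otherwise raise UnsafeTarMember."""
    name = member.name
    if escapes_root(name):
        raise UnsafeTarMember(f"{name}: entry path leaves the extraction root")
    if member.issym():
        # A symlink target is resolved relative to the directory holding the link.
        if posixpath.isabs(member.linkname):
            raise UnsafeTarMember(f"{name}: absolute symlink target {member.linkname}")
        target = posixpath.join(posixpath.dirname(name), member.linkname)
        if escapes_root(target):
            raise UnsafeTarMember(f"{name}: symlink target {member.linkname} leaves the extraction root")
    elif member.islnk():
        # A hard-link target is a path relative to the archive (extraction) root.
        if escapes_root(member.linkname):
            raise UnsafeTarMember(f"{name}: hard link target {member.linkname} leaves the extraction root")
    return member


def safe_members(archive: tarfile.TarFile) -> Iterator[tarfile.TarInfo]:
    """Use as archive.extractall(dest, members=safe_members(archive)); extraction
    stops at the first unsafe entry instead of writing outside dest."""
    for member in archive:
        yield check_member(member)


def build_sample_archive() -> bytes:
    """Constructed archive: a regular file, a harmless relative symlink and
    three entries of the kind the CVE text describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello\n"
        info = tarfile.TarInfo("app/config.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
        for name, kind, target in (
            ("app/link-to-config", tarfile.SYMTYPE, "config.txt"),
            ("app/evil-abs", tarfile.SYMTYPE, "/etc/passwd"),
            ("app/evil-rel", tarfile.SYMTYPE, "../../outside"),
            ("app/evil-hard", tarfile.LNKTYPE, "../outside-file"),
        ):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            tf.addfile(info)
    return buf.getvalue()


def triage(archive_bytes: bytes) -> dict[str, str]:
    """Map each entry name to 'ok' or the reason it would be refused."""
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tf:
        for member in tf:
            try:
                check_member(member)
                verdicts[member.name] = "ok"
            except UnsafeTarMember as exc:
                verdicts[member.name] = str(exc)
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(build_sample_archive()).items():
        print(f"{name:20} {verdict}")
```

Python 3.12 and later ship `tarfile.data_filter`, which applies the same link rules among others when passed as `extractall(..., filter="data")`; the explicit version above exists to make the linkpath rule visible and to work on older interpreters. The check is per entry; it does not by itself stop a later entry from writing through a symlink that an earlier entry created inside the root.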
@renovate renovate bot force-pushed the renovate/ghcr.io-datasharingframework-bpe-2.x branch from 1dbee57 to b9682b8 Compare December 10, 2025 12:45
@renovate renovate bot force-pushed the renovate/ghcr.io-datasharingframework-bpe-2.x branch from b9682b8 to 37167d7 Compare January 18, 2026 14:05
@github-actions

Trivy image scan report

ghcr.io/miracum/util-images/dsf-bpe-full:pr-414 (ubuntu 22.04)

10 known vulnerabilities found (CRITICAL: 0 HIGH: 1 MEDIUM: 8 LOW: 1)

| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| gpgv | CVE-2025-68973 | HIGH | 2.2.27-3ubuntu2.4 | 2.2.27-3ubuntu2.5 |
| libpng16-16 | CVE-2025-64505 | MEDIUM | 1.6.37-3build5 | 1.6.37-3ubuntu0.1 |
| libpng16-16 | CVE-2025-64506 | MEDIUM | 1.6.37-3build5 | 1.6.37-3ubuntu0.1 |
| libpng16-16 | CVE-2025-64720 | MEDIUM | 1.6.37-3build5 | 1.6.37-3ubuntu0.1 |
| libpng16-16 | CVE-2025-65018 | MEDIUM | 1.6.37-3build5 | 1.6.37-3ubuntu0.1 |
| libpng16-16 | CVE-2025-66293 | MEDIUM | 1.6.37-3build5 | 1.6.37-3ubuntu0.3 |
| libpng16-16 | CVE-2026-22695 | MEDIUM | 1.6.37-3build5 | 1.6.37-3ubuntu0.3 |
| libpng16-16 | CVE-2026-22801 | MEDIUM | 1.6.37-3build5 | 1.6.37-3ubuntu0.3 |
| libtasn1-6 | CVE-2025-13151 | MEDIUM | 4.18.0-4ubuntu0.1 | 4.18.0-4ubuntu0.2 |
| libtasn1-6 | CVE-2021-46848 | LOW | 4.18.0-4ubuntu0.1 | 4.18.0-4ubuntu0.2 |

No Misconfigurations found

Java

32 known vulnerabilities found (CRITICAL: 9 HIGH: 17 MEDIUM: 5 LOW: 1)

| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| ca.uhn.hapi.fhir:org.hl7.fhir.convertors | CVE-2023-24057 | CRITICAL | 5.1.0 | 5.6.92 |
| ca.uhn.hapi.fhir:org.hl7.fhir.convertors | CVE-2023-28465 | HIGH | 5.1.0 | 5.6.106 |
| ca.uhn.hapi.fhir:org.hl7.fhir.convertors | CVE-2024-51132 | HIGH | 5.1.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r4 | CVE-2024-45294 | HIGH | 5.1.0 | 6.3.23 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r4 | CVE-2024-51132 | HIGH | 5.1.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r4 | CVE-2024-52007 | HIGH | 5.1.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r5 | CVE-2023-24057 | CRITICAL | 5.1.0 | 5.6.92 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r5 | CVE-2023-28465 | HIGH | 5.1.0 | 5.6.106 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r5 | CVE-2024-45294 | HIGH | 5.1.0 | 6.3.23 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r5 | CVE-2024-51132 | HIGH | 5.1.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r5 | CVE-2024-52007 | HIGH | 5.1.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.utilities | CVE-2023-24057 | CRITICAL | 5.1.0 | 5.6.92 |
| ca.uhn.hapi.fhir:org.hl7.fhir.utilities | CVE-2023-28465 | HIGH | 5.1.0 | 5.6.106 |
| ca.uhn.hapi.fhir:org.hl7.fhir.utilities | CVE-2024-45294 | HIGH | 5.1.0 | 6.3.23 |
| ca.uhn.hapi.fhir:org.hl7.fhir.utilities | CVE-2024-51132 | HIGH | 5.1.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.utilities | CVE-2024-52007 | HIGH | 5.1.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.validation | CVE-2023-24057 | CRITICAL | 5.1.0 | 5.6.92 |
| ca.uhn.hapi.fhir:org.hl7.fhir.validation | CVE-2023-28465 | HIGH | 5.1.0 | 5.6.106 |
| ca.uhn.hapi.fhir:org.hl7.fhir.validation | CVE-2024-51132 | HIGH | 5.1.0 | 6.4.0 |
| com.google.guava:guava | CVE-2023-2976 | MEDIUM | 29.0-jre | 32.0.0-android |
| com.google.guava:guava | CVE-2020-8908 | LOW | 29.0-jre | 32.0.0-android |
| com.nimbusds:nimbus-jose-jwt | CVE-2025-53864 | MEDIUM | 9.37.3 | 10.0.2, 9.37.4 |
| net.minidev:json-smart | CVE-2024-57699 | HIGH | 2.5.1 | 2.5.2 |
| org.apache.commons:commons-lang3 | CVE-2025-48924 | MEDIUM | 3.9 | 3.18.0 |
| org.apache.commons:commons-text | CVE-2022-42889 | CRITICAL | 1.7 | 1.10.0 |
| org.apache.httpcomponents:httpclient | CVE-2020-13956 | MEDIUM | 4.5.12 | 4.5.13, 5.0.3 |
| org.apache.logging.log4j:log4j-core | CVE-2025-68161 | MEDIUM | 2.25.2 | 2.25.3 |
| org.apache.tika:tika-core | CVE-2025-66516 | CRITICAL | 2.9.2 | 3.2.2 |
| org.apache.tika:tika-core | CVE-2025-66516 | CRITICAL | 2.9.2 | 3.2.2 |
| org.apache.tika:tika-core | CVE-2025-66516 | CRITICAL | 2.9.2 | 3.2.2 |
| org.apache.tika:tika-core | CVE-2025-66516 | CRITICAL | 2.9.2 | 3.2.2 |
| org.fhir:ucum | CVE-2024-55887 | HIGH | 1.0.2 | 1.0.9 |

No Misconfigurations found
