=============================================================================
Run Date: JUN 25, 2024                     Designation: EDP*2*19
Package : EDP - EMERGENCY DEPARTMENT          Priority: Mandatory
Version : 2        SEQ #20                      Status: Released
                                      Compliance Date: JUL 26, 2024
=============================================================================

Subject: PERFORMANCE ENHANCEMENTS AND CODE VULNERABILITY FIXES

Category:
  - Informational
  - Other

Description:
============

Emergency Department Integration System (EDIS) patch EDP*2.0*19 implements
code vulnerability fixes reported by the SonarLint tool. As part of a
performance enhancement, it also makes shared resources available through
static caching.

This is a Java Graphical User Interface (GUI) only patch. After release, the
EDIS GUI/Web Server version will be 2.2.49.

 1. HDSO-5472 SonarLint fixes for the EDIS-Common module (code vulnerability
    fixes).
 2. HDSO-5473 Fix static resource caching (resource optimization during Java
    object creation).
 3. HDSO-5474 SonarLint fixes for the EDIS-Common-Web module (code
    vulnerability fixes).
 4. HDSO-5636 Refactor the BaseDAO.convertObject method (code refactoring to
    make the resource static).
 5. HDSO-5635 Refactor the ColorPallete.getColorPair method (code refactoring
    to make the color selection a static resource).
 6. HDSO-5633 Refactor the VistaLinkDAO.getConnection method (code
    refactoring to make the VistA connection use a static resource).
 7. HDSO-6694 Government Access Message is inaccurate and needs to be changed.
 8. HDSO-6667 An outdated link on the EDIS splash page.
 9. HDSO-5590 Remove Oracle database call.
10. HDSO-6629 Fortify finding - XML External Entity Injection.
11. HDSO-7903 Update EDIS login screen site selection drop down.
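As an added illustration of the pattern behind items 4 and 10 (example code, not EDIS code): a DocumentBuilderFactory hardened against XML External Entity injection and configured once as a static resource, with the resulting parser reused for every request. The class name and the per-thread builder are assumptions of this example, not details taken from the patch.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Added example (hypothetical class, not EDIS code): the parser configuration is
// hardened against XXE and built once, then reused for every request.
public final class HardenedXmlParser {
    // Configuring the factory is the expensive one-time step, so it is static.
    private static final DocumentBuilderFactory FACTORY = createFactory();
    // DocumentBuilder is not thread-safe: sharing one static instance across
    // request threads would race, so each thread keeps its own reusable one.
    private static final ThreadLocal<DocumentBuilder> BUILDER = ThreadLocal.withInitial(() -> {
        try {
            return FACTORY.newDocumentBuilder();
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException(e);
        }
    });

    private static DocumentBuilderFactory createFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        try {
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Reject any DOCTYPE; that is where external entities are declared.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (ParserConfigurationException e) {
            // Fail closed: a parser that cannot be hardened must not be used at all.
            throw new IllegalStateException("XML parser cannot be hardened against XXE", e);
        }
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses untrusted XML; a DOCTYPE (and so any entity declaration) is refused
    // by the parser with a SAXParseException before any entity is resolved.
    public static Document parse(String xml) throws Exception {
        DocumentBuilder b = BUILDER.get();
        b.reset(); // discard state left by the previous document on this thread
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The per-thread builder is the caveat on a plain static DocumentBuilder: javax.xml.parsers.DocumentBuilder is not thread-safe, so a single instance shared by all request threads would need external synchronization.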
Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)         Field Name (Number)      New/Modified/Deleted
------------------         -------------------      --------------------
N/A

Forms Associated:

Form Name                  File Number              New/Modified/Deleted
---------                  -----------              --------------------
N/A

Mail Groups Associated:

Mail Group Name                                     New/Modified/Deleted
---------------                                     --------------------
N/A

Options Associated:

Option Name                Type                     New/Modified/Deleted
-----------                ----                     --------------------
N/A

Protocols Associated:

Protocol Name                                       New/Modified/Deleted
-------------                                       --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name   Type      File Name (Number)        New/Modified/Deleted
-------------   ----      ------------------        --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name                               New/Modified/Deleted
---------------------                               --------------------
N/A

Parameter Definitions Associated:

Parameter Name                                      New/Modified/Deleted
--------------                                      --------------------
N/A

Additional Information:
-----------------------
N/A

Patient Safety Issues (PSIs):
N/A

Defect Tracking System Ticket(s) & Overview:

1. HDSO-5472 SonarLint fixes for the EDIS-Common module

   Problem:
   --------
   The Java code for the EDIS-Common module has security vulnerabilities, as
   reported by the SonarLint tool.

   Resolution:
   -----------
   We refactored the code according to the SonarLint guidelines to remove the
   reported vulnerabilities.

2. HDSO-5473 Fix static resource caching

   Problem:
   --------
   The Java code in the persistence layer and the web layer was using resources
   without taking advantage of a static cache.

   Resolution:
   -----------
   Updated the code to use the resource in a static manner, so that it is
   initialized once rather than on every request, and all requests consume it
   from the static pool.

3. HDSO-5474 SonarLint fixes for the EDIS-Common-Web module

   Problem:
   --------
   The Java code for the EDIS-Common-Web module has security vulnerabilities,
   as reported by the SonarLint tool.

   Resolution:
   -----------
   We refactored the code according to the SonarLint guidelines to remove the
   reported vulnerabilities.

4. HDSO-5636 Refactor the BaseDAO.convertObject method

   Problem:
   --------
   The convertObject method was parsing Extensible Markup Language (XML)
   objects using a DocumentBuilder object, and the DocumentBuilder object was
   instantiated for every single request.

   Resolution:
   -----------
   We updated the code so that the object is instantiated just once, using a
   static approach, and that static object is used for every subsequent
   request.

5. HDSO-5635 Refactor the ColorPallete.getColorPair() method

   Problem:
   --------
   The getColorPair() method was using a Java Pattern regular expression
   (regex) on every single call, which consumed a lot of memory.

   Resolution:
   -----------
   Updated the code to build the pattern as a static Java Predicate, so the
   time spent checking the color pattern is minimal.

6. HDSO-5633 Refactor the VistaLinkDAO.getConnection method

   Problem:
   --------
   The getConnection() method was initializing the VistA connection for every
   request call.

   Resolution:
   -----------
   Updated the code to make the connection static, so the time spent
   establishing the connection with VistA is minimal.

7. HDSO-6694 Government Access Message is inaccurate and needs to be changed

   Problem:
   --------
   The government access message on the access/verify login page is out of
   date with the latest standard.

   Resolution:
   -----------
   Updated the loginconfig.xml file, which stores the text for the message, to
   the newest version.

8. HDSO-6667 An outdated link on the EDIS splash page

   Problem:
   --------
   On the EDIS two-factor (PIV) login page there is a link with instructions
   for linking your PIV card to your account. The linked page is outdated and
   needs to be updated.
   Resolution:
   -----------
   Changed the link to redirect to the article by its ID instead of by its
   Uniform Resource Locator (URL). This should prevent future updates to the
   page from leaving the link out of date.

9. HDSO-5590 Remove Oracle database call

   Problem:
   --------
   During login, when we populate Institution, we should not be fetching from
   the Source Dependent Data Store (SDS) Oracle database; instead we fetch it
   from the login configuration XML file.

   Resolution:
   -----------
   During login, we check an "SDS enabled" switch. If it is false, we read
   from the Configuration.xml file. Otherwise, we read from the database.

10. HDSO-6629 Fortify finding - XML External Entity Injection

   Problem:
   --------
   After the development of EDIS patch EDP*2*28, a new security vulnerability
   was detected by the Fortify security software.

   Resolution:
   -----------
   The refactoring of the BaseDAO object included in this patch resolved the
   vulnerability.

11. HDSO-7903 Update EDIS login screen site selection drop down

   Problem:
   --------
   NEMO has requested that the site be displayed in the drop down in the
   following pattern: Site Code - Site Name.

   Resolution:
   -----------
   The EDIS GUI code and the login config XML file have been updated to hide
   the station number from appearing at the end of the site name.

Test Sites:
-----------
Chicago HealthCare System, Chicago, IL
Heartland West HealthCare System, Kansas City, MO

SNOW Change Order#:
-------------------
CHG0494805

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch is being deployed by the IO Enterprise Server
Support Team.

Documentation describing the new functionality is not included in this
Release.

Documentation Title                                  File Name
---------------------------------------------------------------------
N/A

Patch Installation:
-------------------

Pre/Post Installation Overview:
Austin Information Technology Center (AITC) performs patch installation on a
centralized web server.
EDIS is a Java-based web application build. This is a centralized server
promotion. No installation is required at local sites.

Pre-Installation Instructions:
This patch may be installed with users on the system, although it is
recommended that it be installed during non-peak hours to minimize potential
disruption to users. However, no installation is required at local sites.

Installation Instructions:
N/A

Post-Installation Instructions:
N/A

Back-Out/Roll Back Plan:
------------------------
The backout plan is provided as part of the deployment instructions provided
to AITC. No actions are required of local sites in the event of a
back-out/roll back.

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                           Date Entered  : JUN 24, 2022
Completed By:                           Date Completed: JUN 25, 2024
Released By :                           Date Released : JUN 25, 2024
=============================================================================

Packman Mail Message:
=====================
No routines included