Snow Owl v9.8.0

Core

• lexical concept suggester is now generally available (#1417, #1418)

  • This suggester uses an improved and accurate keyword matching strategy than the term suggester
  • Ensures that scores are always in the 0..1 range where 1.0 is usually an exact, high confidence match, while values closer to zero are less confident matches
  • In case matches would receive the same scores the system will sort them by term length, shorter to longer

• Restore some missing terminology resource upgrade related capabilities from 7.x (#1411)

  • Introduce upgradeInfo expandable property on upgradeOf scoped dependencies

• Job Schema Upgrades (#1417)

  • Add a type property that can be used to filter job types based on the executed request hierarchy
  • Job async execution context is now behaving the same as sync request execution context

SNOMED CT

• Improved namespace related information management in SNOMED CT CodeSystem resources (#1401)
  • namespace setting is the 7 digit namespace identifier assigned for a SNOMED CT Extension
  • namespaceConceptId are the actual conceptId holding the identifier in its description

Security

• Mitigate security vulnerabilities: CVE-2025-41248, CVE-2025-41249, CVE-2025-41242, CVE-2025-58751, CVE-2025-58752, CVE-2025-58754

Bugs/Improvements

• [index] support min_score clauses when executing an Elasticsearch query (bc9101f)
• [core] fixed an issue where invalid authentication token can bypass the authentication verification and can result in a HTTP 500 error later (e61d60a)
• [snomed] ensure that module dependency conflicts get auto-resolved during upgrades (#1402)
• [api] prevent empty dependencies array from materialization when retrieving a resource without selecting the dependencies field (4de14be)
• [api] resolve some OpenAPI specification consumption issues by improving the generated spec (#1404)
• [fhir] includeDesignations now properly returns all designations for a concept and also display proper labels for acceptability and type values (#1422)
• [build] exclude org.hl7.fhir and subpackages from jacoco code coverage (32589d4)

Dependencies

• Bump Jackson to 2.19.2
• Bump Spring to 6.2.11
• Bump Spring Security to 6.5.5
• Bump SpringDoc to 2.8.13
• Bump Swagger to 2.2.36

Snow Owl v9.7.2

Bugs/Improvements

• [index] resolve upgrade issue with no longer applicable revisions considered during revision compare (#1398)
• [core] additional term filter (regex, wildcard) infrastructure for request API implementors (#1397)
• [api] ensure that large zip files properly get uploaded without making them broken (#1394)
• [log] support JSON log formatting via logback logstash encoder (#1395)

Security

• GHSA-xffm-g5w8-qvg7, CVE-2025-7783, CVE-2025-48924, CVE-2025-22233, CVE-2025-41234 (#1400) and many others via Eclipse and Jetty upgrade (#1394)

Dependencies

• Eclipse Platform to 4.35 (2025-03)
• Bump Jetty to 12.0.21
• Bump EMF to 2.42.0
• Bump Xtext to 2.38.0
• Bump Bouncycastle to 1.80.0
• Bump SLF4J to 2.0.16 and Logback to 1.5.16
• Bump OWLAPI to 4.5.27.b2i and Protege to 5.0.8.b2i
• Bump fastutil to 8.5.16
• FHIR Core to 0.3.2
• Bump Spring to 6.2.9
• Bump Spring Security to 6.5.2
• Bump SpringDoc to 2.8.9
• Bump Swagger to 2.2.30
• Bump micrometer to 1.14.9
• Bump Apache Commong Lang3 to 3.18.0
• Bump AssertJ to 3.27.3

Snow Owl v9.7.1

Bugs/Improvements

• [snomed] fixed an issue where persisting certain changes from a server-side Groovy script could lead to missing authorization token issues (#1391)
• [snomed] fix an issue where exporting a SNOMED CT References to DSV format could result in incorrectly formatted export when a given concept does not have a value for a selected property (#1387)
• [snomed] fix a potential NPE when running validation rule 663 (#1389)
• [snomed] fixed an issue where old concrete data type reference set members were incorrectly imported to the system in case of invalid or missing data type to refsetId configuration (#1390)

Packaging

• Update base Docker image Ubuntu version to 24.04

Dependencies

• Bump embedded Elasticsearch to 7.17.28
• Bump Elasticsearch 8 client to 8.18.0
• Bump Jackson to 2.18.3
• Bump Spring to 6.2.6
• Bump Spring Security to 6.4.5
• Bump Spring Boot to 3.4.5
• Bump SpringDoc to 2.8.6
• Bump Swagger Jakarta to 2.2.29
• Bump micrometer to 1.14.5

Snow Owl v9.7.0

Java 21

This release changes the primary Java version from 17 LTS to 21 LTS. Release packages and docker images come with a pre-installed Eclipse Temurin build.

Bugs/Improvements

• [core] ensure that suggestion context considers only matching languages when determining search corpus (590fdb6)
• [api] prevent refreshing a token issued by another server (#1374)
• [api] ensure that proper response media type is present in SNOMED CT RF2 Export endpoint (c498a5d)
• [fhir] properly response with HTTP 400 when URL is not set in CodeSystem$validate-code (395abe7)
• [fhir] support two digit versions in $versions, _format and Accept header (#1382)
• [fhir] fixed an issue where submitting an R4 ConceptMap resulted in a no class def found error (962806e)

Security

• Mitigate CVE-2025-27152, CVE-2025-27789, CVE-2024-53382, CVE-2025-31486, CVE-2025-31125, CVE-2025-30208, CVE-2025-24010, CVE-2025-25193, CVE-2025-24970, CVE-2025-22223, CVE-2025-22228 security issues

Dependencies

• Add bouncycastle 1.77.0
• Bump Elasticsearch 8 client to 8.17.3
• Bump Groovy to 3.0.24
• Bump Spring to 6.2.5
• Bump Spring Security to 6.4.4
• Bump Netty to 4.1.119.Final
• Bump Apache Commons IO to 2.18.0
• Bump FHIR Core to 0.3.1
• Bump Tycho to 4.0.12

Snow Owl v9.6.0

Core

• Allow specifying and using multiple identity providers with the same type (#1364)
  • This allows system integrators to have multiple same type identity providers (e.g. file, ldap, jwks) in the snowowl.yml configuration file
  • Snow Owl will make sure that authorization headers coming from various identity providers will be properly recognized, even if there are other same type providers present in the system

Bugs/Improvements

• [index] ensure that stop_words are not included in the top token count when suggesting concepts (ef84836)
• [index] ensure the enum type field in document mapping does not produce JSON parse errors during confict detection (#1366)
• [core] ensure that min should match based term filtering in all APIs finds exact matches and prioritizes them over other matches (ad7ba13)
• [auth] introduce a read permission operation alias for browse (#1361)
• [auth] disallow token permission abuse when refreshing a previously generated API token (#1362)
• [auth] improve error message when trying authenticate without a kid token in a jwks provider (716c406)
• [auth] ensure that unprotected requests does not respond with HTTP 401 Unauthorized when the Authorization header contains an invalid value (#1368)

Snow Owl v9.5.2

Bugs/Improvements

• [core] add syntactic sugar getSync method for millisec based timeouts (c22cf5a)

Snow Owl v9.5.0

Core

• New, improved branch locking capabilities for more reliable lock management during transactions (#1353)

FHIR

• Support RFC7240 Prefer header (#1336)
  • Prefer handling=lenient and handling=strict are supported values
  • Default behavior is lenient to keep compatibility with older systems
• Improve compatibility with BCP-47 language tags (#1339)
  • Support the official SNOMED on FHIR BCP-47 private use language tag format

SNOMED CT

• Reintroduce and improved 7.x style SNOMED CT Reference Set to DSV exporter (Java API only) (#1349, #1351)

Security

• Mitigate CVE-2024-38821, CVE-2024-47764, CVE-2024-29025, CVE-2024-47535

Bugs/Improvements

• [core] fixed an issue where certain async executed requests would not propagate authorization information properly and resulted in missing authorization token errors (#1346)
• [snomed] prevent failing RF2 imports when an existing remote job document is too large for the current Elasticsearch sizing (#1344)
• [snomed] ensure that only RF2 Delta import generate actual visited component results in the remote job index (#1344)
• [snomed] exclude irrelevant axiom types when validation SNOMED CT content based on MRCM (#1342)
• [snomed] significantly improve performance of bulk SNOMED CT component inactivations by caching association refsets and skipping zero result query executions (#1350)

Dependencies

• Upgrade fhir-core to 0.2.0 (hl7.fhir.core 6.4.0)
• Upgrade Spring to 6.2.0
• Upgrade Spring Security to 6.4.1
• Upgrade SpringDoc to 2.7.0
• Upgrade Swagger libraries to 2.2.25
• Upgrade Netty to 4.1.115.Final
• Upgrade Tycho to 4.0.10

Snow Owl v9.4.0

FHIR

• Complete support for R4, R4B and R5 formats (#1323, #1332)
  • Implementation is now based on the official HL7 Java model libraries and convertors through a thin wrapper (https://github.com/b2ihealthcare/fhir-core)
  • New GET CapabilityStatement$versions operations endpoint to list the available supported FHIR versions
  • Support for fhirVersion=4.0.1|4.3.0|5.0.0 mime-type parameter in Accept, Content-Type headers
  • Support all accepted mime-type variants in the _format query parameter as well (including versioned forms)
  • Default format is R5 for all media types
• SNOMED CT concept lookups now include a Designation extension that describes additional contexts where the Designation can be used (#1334)
  • Define in https://confluence.ihtsdotools.org/display/FHIR/Designation+extension

SNOMED CT

• Upgrade ECL to 2.2 (#1331)
  • Support the complete ECL 2.2 syntax
  • Support evaluation of Top and Bottom operators

Security

• Replace CRA with Vite to mitigate all API site security vulnerabilities (df334fe)
• Mitigate CVE-2024-43788, CVE-2024-4067, CVE-2024-38816, CVE-2024-45296, CVE-2024-43796, CVE-2024-45590, CVE-2024-43800, CVE-2024-43799, CVE-2024-47068, CVE-2022-22978

Bugs/Improvements

• [fhir] generate correct FHIR CapabilityStatement operation definition resources (12ab565)
• [mrcm] validation rule evaluation now properly considers the current set of modules (#1333)

Dependencies

• Upgrade Spring to 6.1.3
• Upgrade Spring Security to 6.3.3
• Upgrade Rapidoc libraries to 9.3.6

Snow Owl v9.3.0

Core

• Introduce 'sourceOf' dependency scope (#1327)
  • Special scope marker to indicate that a resource is used as a source of another
  • When versioning a resource, all sourceOf dependencies will be versioned with it at the same time

SNOMED CT

• Introduce snomed.mrcm.allowedDataAttributesExpression and snomed.mrcm.allowedObjectAttributesExpression configurations (#1325)
  • By default they use the corresponding attribute concept's descendants from SNOMED CT International Edition
  • They can be changed to accommodate additional requirements (e.g. allow additional hierarchies to be used as relationship types)

Validation

• Validation threading changes (#1320)
  • Introduce validation.workerPoolSize configuration setting
  • Deprecate validation.numberOfValidationThreads configuration setting
  • Increased allowed maximum pool size to 99
  • A more reasonable default pool size is computed based on the available resources on the current node

Bugs/Improvements

• [core] improve detection of non-connected cycles in SimpleTaxonomyGraph (#1322)
• [api] fixed an issue where retrieving validation results could result in a server error (#1310)
• [snomed] ensure that concrete data type reference sets can be created for concept component types (e4525b1)
• [snomed] fixen an issue where language configuration merging could result in serialization error (796f1f4)
• [classification] increase page size when gathering information for classification runs (ac34e31)

Snow Owl v9.2.3

Bugs/Improvements

• [api] Java API improvements to allow updating concept members selectively only for certain refset types (#1311)
• [logging] remove log4j jars and use proper SLF4J bridge (#1315)
• [security] mitigate vulnerabilities CVE-2024-23444, CVE-2024-23450, CVE-2024-37890, CVE-2024-4068, CVE-2024-29415, CVE-2024-33883, CVE-2024-29041, CVE-2024-29180, CVE-2024-28849, CVE-2024-39338, CVE-2024-22257, CVE-2024-22259, CVE-2024-22262

Dependencies

• Bumped Elasticsearch to 7.17.23
• Bumped Elasticsearch Java Client to 8.15.0
• Removed Apache Log4j 1.2.25