carlos

Java Medium

carlos-emr/carlos

View on GitHub
12 stars
6 forks
200 open issues
Active Apr 2026

Beginner-Friendly Issues 200

Issues tagged for new contributors

View all on GitHub
sec: Fix 9 miscellaneous Semgrep alerts — eval, regex injection, HTTP links, open redirect
#1454 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix 3 Semgrep object deserialization alerts — restrict ObjectInputStream classes
#1453 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Fix 10 Semgrep cookie security alerts — add Secure, HttpOnly, SameSite flags
#1452 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix 9 Semgrep unsafe-reflection alerts — whitelist Class.forName() inputs
#1451 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Fix 14 Semgrep cryptography alerts — weak algorithms and insecure TLS configuration
#1450 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix 19 Semgrep XXE alerts — disable external entities in XML parsers
#1449 · Apr 8, 2026
Medium
help wanted blocker type: security Review effort [1-5]: 3
sec: Fix 25 Semgrep SQL injection alerts — parameterize concatenated queries
#1448 · Apr 8, 2026
Medium
type: security Review effort [1-5]: 3
sec: Replace 20 printStackTrace() calls with proper logging
#1447 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix 19 Semgrep JS XSS alerts — insecure document.write/innerHTML usage
#1446 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix 50 Semgrep XSS alerts — response writer output encoding in Java actions
#1445 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Validate email params in AddEForm2Action before session storage (20 alerts)
#1444 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: HIGH — Fix session key injection via user-controlled eform_link in AddEForm2Action
#1443 · Apr 8, 2026
Medium
help wanted blocker type: security Review effort [1-5]: 3
sec: Add provider_no validation to fix 31 tainted-session alerts in DxresearchReport2Action
#1442 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Suppress 29 false-positive tainted-session alerts in MsgViewMessage2Action
#1441 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Validate direct request params before session storage in Pregnancy, ClientManager, ProgramManager
#1440 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Validate input params for 52 tainted-session alerts storing beans/objects in session
#1439 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Suppress 50 false-positive tainted-session alerts on LogAction.addLog() calls
#1438 · Apr 8, 2026
Medium
help wanted good first issue type: security Review effort [1-5]: 2
sec: Fix 185 Semgrep tainted-session alerts across 45 remaining files
#1437 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix 83 Semgrep tainted-session alerts in top 3 files (DxresearchReport, MsgViewMessage, AddEForm)
#1436 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix 21 Semgrep-only path traversal alerts using PathValidationUtils
#1434 · Apr 8, 2026
Medium
help wanted good first issue type: security Review effort [1-5]: 2
sec: Register PathValidationUtils as Semgrep-recognized sanitizer to resolve ~140 false positive path traversal alerts
#1433 · Apr 8, 2026
Medium
help wanted good first issue type: security Review effort [1-5]: 2
sec: Register LogSanitizer as Semgrep-recognized sanitizer to resolve ~128 false positive CRLF alerts
#1432 · Apr 8, 2026
Medium
help wanted good first issue type: security Review effort [1-5]: 2
sec: Fix 216 Semgrep CRLF log injection alerts across 64 remaining files
#1430 · Apr 8, 2026
Medium
type: security Review effort [1-5]: 3
sec: Fix 14 Semgrep CRLF log injection alerts in MeasurementGraphAction22Action
#1429 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix 17 Semgrep CRLF log injection alerts in CaseManagementEntry2Action
#1428 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Fix 35 Semgrep CRLF log injection alerts in ManageDocument2Action
#1427 · Apr 8, 2026
Medium
good first issue type: security Review effort [1-5]: 2
[Bug]: Rewrite a Rx fails
#1426 · Apr 8, 2026
Medium
type: bug
[Bug]: Document upload fails, Upload manager looking for OscarDocument/osca
#1425 · Apr 8, 2026
Medium
type: bug Review effort [1-5]: 2
[Bug]: Inboxhub : fails to open labs, i18n
#1424 · Apr 8, 2026
Medium
type: bug
Move inline CSS from labDisplay.jsp to external stylesheet; add touch device support for macro dropdown
#1411 · Apr 8, 2026
Medium
good first issue
Investigate: Replace fragile setTimeout in Rapid Review openNextInboxItem()
#1410 · Apr 8, 2026
Medium
help wanted good first issue Review effort [1-5]: 2
sec: remove inline JavaScript to enable Content-Security-Policy headers
#1409 · Apr 8, 2026
Medium
help wanted type: security Review effort [1-5]: 2
Investigate CSRF token race condition in async csrfTokenFetch.js pattern
#1408 · Apr 8, 2026
Medium
help wanted discussion type: security Review effort [1-5]: 2
Security: Replace raw HTML tickler_note pattern with safe DOM construction in labDisplay.jsp
#1407 · Apr 8, 2026
Medium
help wanted good first issue type: security Review effort [1-5]: 2
sec: Fix 7 genuine S5131 XSS vulnerabilities across 5 JSP files
#1403 · Apr 7, 2026
Medium
help wanted blocker type: security Review effort [1-5]: 2
chore: Update dependency lock file — blocking SonarCloud scans since March 22
#1402 · Apr 7, 2026
Medium
blocker type: security Review effort [1-5]: 2
sec: Fix 7 genuine S5131 XSS alerts + dismiss 45 false positives (OWASP-encoded)
#1400 · Apr 7, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix 13 remaining CodeQL XSS alerts not covered by open PRs
#1399 · Apr 7, 2026
Medium
blocker type: security Review effort [1-5]: 2
[Bug]: eChart showing its span
#1394 · Apr 7, 2026
Medium
type: bug Review effort [1-5]: 3
sec: DOMPurify ADD_ATTR allows onclick/onchange/onload event handlers
#1390 · Apr 7, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: appendHtmlWithScripts in oscarMDSIndex.js executes scripts from unsanitized HTML
#1389 · Apr 7, 2026
Medium
type: security
sec: Fix remaining reflected XSS across 101 files (~324 CodeQL alerts)
#1387 · Apr 7, 2026
Easy
type: security Review effort [1-5]: 2
sec: LeftNavBarDisplay.jsp — unencoded server-generated JS in onclick handlers
#1386 · Apr 7, 2026
Medium
help wanted discussion type: security
sec: fix 6 SQL injection true positives across reporting, billing, lab, and test utilities
#1384 · Apr 7, 2026
Medium
type: security Review effort [1-5]: 3
sec: dismiss 4 false-positive SQL injection CodeQL alerts
#1383 · Apr 7, 2026
Medium
type: security Review effort [1-5]: 2
Investigate: Replace custom StringUtils.noNull() with Apache Commons StringUtils.defaultString()
#1366 · Apr 6, 2026
Medium
discussion
Migrate `<c:out>` to OWASP Encoder — Phase 5+: Remaining files
#1364 · Apr 6, 2026
Medium
Migrate `<c:out>` to OWASP Encoder — Phase 5: Security-sensitive cases
#1363 · Apr 6, 2026
Medium
Migrate `<c:out>` to OWASP Encoder — Phase 4: High-instance files
#1362 · Apr 6, 2026
Medium
Migrate `<c:out>` to OWASP Encoder — Phase 3: Medium files (2-10 instances)
#1361 · Apr 6, 2026
Medium
Migrate `<c:out>` to OWASP Encoder — Phase 2: Single-instance files
#1360 · Apr 6, 2026
Medium
Migrate `<c:out>` to OWASP Encoder — Phase 1: Complete partially-migrated files
#1359 · Apr 6, 2026
Medium
Modernize jSignature v2 (2012) in eForm signature capture
#1357 · Apr 6, 2026
Medium
Replace abandoned jqPlot charting library with modern alternative
#1356 · Apr 6, 2026
Medium
Replace legacy jscalendar 1.0 with Flatpickr across 99 JSP files
#1355 · Apr 6, 2026
Medium
chore: Address 12 validated code quality findings from merged security PRs
#1347 · Apr 6, 2026
Medium
Research: Evaluate Code-Pathfinder GitHub Action for taint analysis
#1346 · Apr 6, 2026
Medium
type: security
Research: Evaluate Semgrep / OpenGrep with semgrep-rules-manager for SAST
#1345 · Apr 6, 2026
Medium
type: security
Research: Evaluate ZenAI Pentest GitHub Action for automated penetration testing
#1344 · Apr 6, 2026
Medium
type: security
Research: Evaluate Qodana Scan GitHub Action for static analysis
#1343 · Apr 6, 2026
Medium
type: security
Research: Evaluate OWASP Noir Action for API endpoint discovery
#1342 · Apr 6, 2026
Medium
type: security
Research: Evaluate Feluda license scanner as a GitHub Action
#1341 · Apr 6, 2026
Medium
type: security
Research: Evaluate ZeroFS Volume GitHub Action for CI/CD improvements
#1340 · Apr 6, 2026
Medium
Review: Audit Claude Code Action configs against official marketplace action
#1339 · Apr 6, 2026
Medium
type: security
feat: Normalize typography system around Bootstrap 5.3.3 with user-adjustable font sizes
#1333 · Apr 6, 2026
Medium
good first issue
sec: Fix XSS vulnerabilities in 40 uncovered files (java/XSS + javasecurity:S5131)
#1326 · Apr 6, 2026
Medium
blocker
Bug: WCB billing correction Refresh link passes billingmaster_no as billing_no
#1304 · Apr 6, 2026
Medium
type: bug
Bug: genTAS00.jsp and genTAS01.jsp pass wrong parameter name to adjustBill.jsp
#1301 · Apr 6, 2026
Medium
type: bug
Bug: adjustBill.jsp renders UpdateDate before it is assigned (always blank)
#1299 · Apr 6, 2026
Medium
blocker type: bug
Research: Investigate CSV data stored in HttpSession — best practices and stability risks
#1250 · Apr 6, 2026
Medium
good first issue discussion
sec: Fix trust boundary violation in DocumentUpload2Action.java — 2 alerts
#1243 · Apr 6, 2026
Medium
help wanted type: security Review effort [1-5]: 2 up-for-grabs
sec: Fix trust boundary violation in dxResearchCodeSearch2Action.java — 2 alerts
#1242 · Apr 6, 2026
Medium
help wanted
sec: Fix trust boundary violation in WLSetupDisplayPatientWaitingList2Action.java — 3 alerts
#1241 · Apr 6, 2026
Medium
help wanted type: security Review effort [1-5]: 2 up-for-grabs
sec: Fix trust boundary violation in DxresearchReport2Action.java — 3 alerts
#1240 · Apr 6, 2026
Medium
help wanted
sec: Fix trust boundary violation in ProgramManagerView2Action.java — 4 alerts
#1239 · Apr 6, 2026
Medium
help wanted
sec: Fix trust boundary violation in providerupdatepreference.jsp — 1 alert
#1237 · Apr 6, 2026
Medium
help wanted type: security Review effort [1-5]: 2 up-for-grabs
sec: Fix trust boundary violation in uploadimage.jsp — 1 alert
#1233 · Apr 6, 2026
Medium
help wanted
sec: Fix trust boundary violation in dxSetupResearch2Action.java — 5 alerts
#1231 · Apr 6, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Fix trust boundary violation in annotation.jsp — 1 alert
#1232 · Apr 6, 2026
Medium
good first issue type: security Review effort [1-5]: 2
sec: Fix trust boundary violation in AddEForm2Action.java — 21 alerts
#1228 · Apr 6, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix trust boundary violation in SystemMessage2Action — 1 alert
#1227 · Apr 6, 2026
Medium
help wanted type: security Review effort [1-5]: 2 up-for-grabs
sec: Fix trust boundary violation in ClientSearchAction22Action — 1 alert
#1225 · Apr 6, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Fix trust boundary violation in AddEditDocument2Action — 1 alert
#1223 · Apr 6, 2026
Medium
help wanted good first issue type: security Review effort [1-5]: 2 up-for-grabs
sec: Fix hardcoded fax password handling in ConfigureFax2Action
#1222 · Apr 5, 2026
Medium
help wanted type: security
sec: Fix regex injection in updatedemographicprovider.jsp
#1219 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Remove hardcoded password in formBCAR2020Record.js
#1218 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix world-writable file permissions in SplitDocument2Action
#1217 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Fix global permissive TrustManager and HostnameVerifier in MiscUtils
#1216 · Apr 5, 2026
Medium
type: security
sec: Replace legacy YUI library yahoo-dom-event.js (ReDoS vulnerability)
#1215 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 3
sec: Remove insecure test.php file from share/calendar
#1214 · Apr 5, 2026
Medium
help wanted good first issue type: security Review effort [1-5]: 3
sec: Fix cleartext logging of sensitive data in generate_bcrypt_password.py
#1213 · Apr 5, 2026
Medium
sec: Fix sirv dependency vulnerability in package.json
#1212 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 1
sec: Fix cookie security in jquery.fileDownload.js
#1211 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix cookie security and identity replacement in jquery.tablesorter.widgets.js
#1210 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix incomplete JS string sanitization in billReceipt.jsp
#1209 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Fix trust boundary violation in SQLReporter
#1208 · Apr 5, 2026
Medium
help wanted good first issue up-for-grabs
sec: Fix 21 trust boundary violations in AddEForm2Action
#1207 · Apr 5, 2026
Medium
help wanted blocker type: security Review effort [1-5]: 2
sec: Fix unsafe reflection in Pregnancy2Action
#1206 · Apr 5, 2026
Medium
help wanted type: security
sec: Fix unsafe reflection in Frm2Action
#1205 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Fix unsafe reflection in FrmFormRHPrevention2Action
#1204 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Fix path traversal in inject-test-context.py hook
#1203 · Apr 5, 2026
Medium
help wanted type: security
sec: Fix path traversal in ai_cli_automation_tools main_cli.py
#1202 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 1
sec: Fix path traversal and insecure XML parser in convert_jrxml_v6_to_v7.py
#1201 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 1
sec: Upgrade jquery.sparkline.js with bad tag filter (2 copies)
#1200 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Fix bad HTML tag filter regex in prototype-compat.js
#1199 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Upgrade DataTables library with unsafe plugin and incomplete sanitization
#1198 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Upgrade unsafe bootstrap-datepicker.js (2 duplicate copies)
#1197 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Upgrade unsafe jquery.form.js plugin (3 duplicate copies)
#1196 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 3
sec: Increase RSA key size from 1024 to 2048+ bits in KeyPairGen
#1195 · Apr 5, 2026
Medium
help wanted type: security
sec: Fix open redirect in AddEditHtml2Action
#1194 · Apr 5, 2026
Medium
help wanted type: security
sec: Fix open redirect in dxResearchUpdate2Action
#1193 · Apr 5, 2026
Medium
help wanted type: security Review effort [1-5]: 2
sec: Fix path traversal in forwardshortcutname.jsp — dispatcher via DB lookup — 1 alert
#1174 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in AddEForm2Action.java — EForm template write — 1 alert
#1173 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in GeneratePatientLetters2Action.java — JasperReports export path — 2 alerts
#1172 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in EctConsultationFormFax2Action.java — request-influenced fax PDF deletion — 1 alert
#1171 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in ScheduleOfBenefitsUpload2Action.java — missing validateUpload() — 1 alert
#1170 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 1
sec: Fix path traversal in HtmlUpload2Action.java — missing validateUpload() — 1 alert
#1169 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 1
sec: Fix path traversal in UploadLoginText2Action.java — missing validateUpload() — 1 alert
#1168 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 1
sec: Fix path traversal in viewMOHFiles.jsp — unzip with user-controlled filename — 1 alert
#1167 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 1
sec: Fix path traversal in incomingDocs.jsp — unsanitized pdfDir/pdfName — 2 alerts
#1166 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in uploadSignature.jsp — signature temp file path injection — 2 alerts
#1165 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in genTeleplanGroupReport.jsp — ExtractBean pattern — 4 alerts
#1164 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in genGroupReport.jsp — ExtractBean.writeFile with user monthCode — 4 alerts
#1163 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in genreport.jsp — ExtractBean.writeFile with user monthCode — 4 alerts
#1162 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in DocumentManagerImpl.createDocument() — 1 alert
#1161 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in ConsultationWebService.java — 2 alerts
#1160 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in DocumentService.java REST API — 2 alerts
#1159 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix Zip Slip vulnerability in EFormExportZip.java — 5 path traversal alerts
#1158 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: CRITICAL — Fix path traversal in forwardname.jsp — raw HTTP param to getRequestDispatcher()
#1157 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix path traversal in Utilities.java — separateMessages() + savePdfFile() — ~5 alerts
#1156 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix incorrect PathValidationUtils usage in NioFileManagerImpl.saveTempFile() — 1 path traversal alert
#1155 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Investigate 87 false-positive path traversal CodeQL alerts — PathValidationUtils cross-method tracing
#1154 · Apr 5, 2026
Medium
blocker type: security Review effort [1-5]: 3
sec: Fix DOM text reinterpreted as HTML in editControl2.js (~1 alerts)
#1152 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix DOM text reinterpreted as HTML in editControl2.js (~1 alerts)
#1151 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix DOM text reinterpreted as HTML in sortable.js (~1 alerts)
#1150 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix DOM text reinterpreted as HTML in select.js (~1 alerts)
#1149 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix DOM text reinterpreted as HTML in jquery.form.js (~1 alerts)
#1148 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 3
sec: Fix DOM text reinterpreted as HTML in jquery.fileupload-uix.js (~1 alerts)
#1146 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 3
sec: Fix DOM text reinterpreted as HTML in index.jsp (~1 alerts)
#1145 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix DOM text reinterpreted as HTML in scheduletemplatesetting1.jsp (~1 alerts)
#1144 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Fix DOM text reinterpreted as HTML in appointmentprovideradminmonth.jsp (~1 alerts)
#1143 · Apr 5, 2026
Medium
type: security Review effort [1-5]: 2
sec: Add OWASP encoding to 136 files with 714 open XSS alerts
#1112 · Apr 5, 2026
Medium
help wanted blocker type: security
[Docs]: Example Templates and conversion
#1103 · Apr 5, 2026
Medium
[Bug]: DemographicEdit.do errors
#1091 · Apr 5, 2026
Medium
type: bug
Migrate schedule JSP controllers to Struts 2Action classes and move behind WEB-INF/jsp (6+ files)
#1090 · Apr 5, 2026
Medium
blocker
Migrate admin JSP controllers to Struts 2Action classes and move behind WEB-INF/jsp (21+ files)
#1089 · Apr 5, 2026
Medium
blocker
feat: WafFilter — request inspection for SQLi, XSS, path traversal, command injection
#1088 · Apr 5, 2026
Medium
Migrate billing delete/save JSP controllers to Struts 2Action classes (9 files)
#1087 · Apr 5, 2026
Medium
blocker
feat: Replace Tomcat POC rate limiter with custom configurable RateLimitFilter
#1086 · Apr 5, 2026
Medium
Migrate demographic CRUD JSP controllers to Struts 2Action classes (2 files)
#1085 · Apr 5, 2026
Medium
blocker
Migrate appointment CRUD JSP controllers to Struts 2Action classes (4 files)
#1084 · Apr 5, 2026
Medium
blocker
Migrate db*-prefixed JSP controllers to Struts 2Action classes (23 files)
#1083 · Apr 5, 2026
Medium
blocker
Add happy-path tests for DemographicEdit2Action and DemographicAdd2Action
#1054 · Apr 5, 2026
Medium
good first issue
PDF generation servlets missing return after sendError(403)
#1053 · Apr 5, 2026
Medium
Lab upload endpoints exempt from LoginFilter — review auth model
#1052 · Apr 5, 2026
Medium
LoginFilter prefix matching allows authentication bypass via crafted URLs
#1051 · Apr 5, 2026
Medium
Add ResponseSanitizationFilter to strip stack traces from error responses
#1050 · Apr 4, 2026
Medium
Investigate Tomcat maxPostSize mismatch with upload servlet configs
#1049 · Apr 4, 2026
Medium
perf: reuse class-level ObjectMapper in RxManagePharmacy2Action (5 methods create redundant instances)
#1045 · Apr 4, 2026
Medium
fix: showAllergy struts action missing 'failure' result mapping
#1041 · Apr 4, 2026
Medium
fix: RxChoosePatient2Action silently ignores profile view preference errors
#1040 · Apr 4, 2026
Medium
fix: RxShowAllergy2Action silently swallows errors in allergy data and reorder operations
#1039 · Apr 4, 2026
Medium
blocker
chore: remove dead newCaseManagement branching in CaseManagement actions
#1038 · Apr 4, 2026
Medium
fix: DBHandler leaks Statement/PreparedStatement on every call
#1032 · Apr 4, 2026
Medium
blocker
[Feature]: Roster Comparison
#1028 · Apr 4, 2026
Medium
[Bug]: New Consult Error
#1012 · Apr 4, 2026
Medium
type: bug
Security: Reflected XSS in billingONReview.jsp — unencoded request parameters in HTML body
#999 · Apr 3, 2026
Medium
blocker
sec: migrate remaining unprotected SAXBuilder usages to XmlUtils.createSecureSAXBuilder()
#998 · Apr 3, 2026
Medium
fix: PostProcessorRegistry.resolve() should return Optional.empty() on instantiation failure instead of throwing RuntimeException
#997 · Apr 3, 2026
Medium
Investigate: 5 legacy encounter display navbar actions removed
#990 · Apr 3, 2026
Medium
discussion
Investigate: unused attachDocs Struts action (consultation document attachment)
#989 · Apr 3, 2026
Medium
discussion
Remove unused classes, broken JSP, and dead Spring config
#982 · Apr 3, 2026
Medium
chore: Remove Ontario Renal Network (ORN) CKD screening module
#974 · Apr 3, 2026
Medium
sec: open redirect via originalpage parameter in demographicsearch2apptresults.jsp
#971 · Apr 3, 2026
Medium
blocker
Review OWASP encoding inconsistencies in lab display and billing JSPs
#970 · Apr 3, 2026
Medium
discussion
sec: Encode.for*() converts null request params to literal string "null" across ~200 JSP call sites
#968 · Apr 3, 2026
Medium
blocker
Pre-existing NPE risk: chained method calls on null request.getParameter() in billing JSPs
#967 · Apr 3, 2026
Medium
type: bug
OWASP Encode converts null request.getParameter() to literal "null" string (~80 JSP locations)
#966 · Apr 3, 2026
Medium
type: bug
[Feature]: Database migrations with Flyway
#934 · Apr 2, 2026
Medium
sec: Add proper exception handling to 14 servlets to prevent stack trace exposure (S1989)
#933 · Apr 2, 2026
Medium
type: security
sec: Sanitize user-controlled data in log statements across 57 files (S5145)
#932 · Apr 2, 2026
Medium
type: security
sec(false-positive): S6398 JSON parsing in TicklerHandler
#928 · Apr 2, 2026
Medium
type: security
sec(false-positive): S6398 JSON parsing in ExcludeDemographicHandler
#927 · Apr 2, 2026
Medium
type: security
sec(false-positive): S6398 JSON parsing in BulkPatientDashboard2Action
#926 · Apr 2, 2026
Medium
type: security
sec(false-positive): S6549 path construction in DocumentUpload2Action
#925 · Apr 2, 2026
Medium
type: security
sec(false-positive): S2068 password detection in PathNet Connection
#924 · Apr 2, 2026
Medium
type: security
sec(false-positive): S2068 password detection in ConfigureFax2Action
#923 · Apr 2, 2026
Medium
type: security
sec(false-positive): S2068 password detection in EmailCompose2Action
#922 · Apr 2, 2026
Medium
type: security
sec(false-positive): S2254 getRequestedSessionId() in HttpMethodGuardFilter
#921 · Apr 2, 2026
Medium
type: security
sec: Fix XML injection from user input in obarriskedit_99_12.jsp
#920 · Apr 2, 2026
Medium
type: security
sec: Fix XML injection from user input in obarchecklistedit_99_12.jsp
#919 · Apr 2, 2026
Medium
type: security
sec: Fix JSON injection via string concatenation in RxManagePharmacy2Action
#918 · Apr 2, 2026
Medium
type: security
sec: Add allowlist for reflective class instantiation in FrmPDFServlet
#917 · Apr 2, 2026
Medium
type: security
sec: Add allowlist for reflective class instantiation in FrmRecordFactory
#916 · Apr 2, 2026
Medium
type: security
sec: Add allowlist for reflective class instantiation in EFormPDFServlet
#915 · Apr 2, 2026
Medium
type: security
sec: Increase RSA key size from 1024 to 2048 bits in KeyPairGen
#914 · Apr 2, 2026
Medium
type: security
sec: Enable hostname verification in MiscUtils
#913 · Apr 2, 2026
Medium
type: security
sec: Enable SSL certificate validation in CxfClientUtils
#912 · Apr 2, 2026
Medium
type: security
sec: Enable SSL certificate validation in EdtClientBuilder
#911 · Apr 2, 2026
Medium
type: security
sec: Replace insecure AES/ECB cipher mode in EncryptionUtils
#910 · Apr 2, 2026
Medium
type: security

Sign in required

Authenticate to use favourites & bookmarks

5