Release notes Vonk

Security warnings

Attention

Microsoft has published two Security Advisories regarding ASP.NET Core:

  • If you run Vonk behind Internet Information Server (IIS), you may be affected by “Microsoft Security Advisory CVE-2018-0808: ASP.NET Core Denial Of Service Vulnerability”. Refer to the related GitHub issue #294 for details and the fix.
  • If you expose Vonk directly to the internet, or host it behind a proxy which does not validate or restrict host headers to known good values, you may be affected by “Microsoft Security Advisory CVE-2018-0787: ASP.NET Core Elevation Of Privilege Vulnerability”. Refer to the related GitHub issue #295 for details and the correct way of hosting Vonk. The ‘host validating middleware’ mentioned in this issue is not a part of Vonk. We advise you to run a publicly exposed Vonk behind a proxy or on an Azure Web App.
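
As an illustration of a proxy that restricts host headers to known good values, the following NGINX configuration is an added example, not taken from the Vonk documentation or the GitHub issue. The host name fhir.example.org and the backend address 127.0.0.1:4080 are assumptions.

```nginx
# Added example, not part of the Vonk distribution.
# Assumptions: public name fhir.example.org (placeholder),
# Vonk listening on 127.0.0.1:4080.

# Weak form, shown commented out for comparison: a single server block
# acts as the default for every Host value and passes the client-supplied
# header straight through to the backend.
#
# server {
#     listen 80;
#     location / {
#         proxy_pass http://127.0.0.1:4080;
#         proxy_set_header Host $http_host;
#     }
# }

# Corrected form, part 1: a catch-all default server. Any request whose
# Host header matches no server_name below ends up here, and the
# connection is closed without a response (444 is NGINX-specific).
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Corrected form, part 2: only requests for the known good host name
# are proxied to Vonk.
server {
    listen 80;
    server_name fhir.example.org;

    location / {
        proxy_pass http://127.0.0.1:4080;

        # $host is the name that matched server_name above, so the
        # backend only ever sees the allow-listed value.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If the proxy also listens on 443, the TLS listener needs the same pair of server blocks, otherwise the first TLS server block becomes the default for unknown host names.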

Attention

This version changes the way conformance resources are loaded from zip files and/or directories at startup. They are no longer loaded only in memory, but are added to the Administration API’s database. You will notice a delay at first startup, when Vonk is loading these resources into the database. See Feature #1 below.

Release 0.6.4.0

Database

  1. Fix #9 below requires a reindex/all.

Facade

  1. Release 0.6.4.0 is not released on NuGet, so the latest NuGet packages have version 0.6.2-beta. This release is targeted towards the Administration API and Terminology, both of which are not (yet) available in Facade implementations. We are working on making the features of the Administration API available to Facade implementers in an easy way.

Features and fixes

  1. Feature: Make all loaded conformance resources available through the Administration API.

    Previously:

    • Only SearchParameter and CompartmentDefinition resources could be loaded from ZIP files and directories;
    • And those could not be read from the Administration API.

    Now:

    • The same set of (conformance) resourcetypes can be read from all sources (ZIP, directory, Simplifier);
    • They are all loaded into the Administration database and can be read and updated through the Administration API.

    Refer to Controlling the Conformance Resources for details.

  2. Feature: Experimental support for Terminology operations $validate-code, $expand, $lookup, $compose.

  3. Feature: Support for Compartment Search.

  4. Feature: Track timing of major dependencies in Azure Application Insights.

  5. Feature: Log settings can be overridden in 4 levels, just as the appsettings. The logsettings.json file will not be overwritten anymore by a Vonk distribution.

  6. Fix: The check for allowed profiles is no longer applied to the Administration API. Previously setting AllowedProfiles to e.g. [http://mycompany.org/fhir/StructureDefinition/mycompany-patient] would prevent you from actually creating or updating the related StructureDefinition in the Administration API.

  7. Fix: When posting any other resourcetype than the supported conformance resources to the Administration API, Vonk now returns a 501 (Not Implemented).

  8. Fix: Support search on Token with only a system (e.g. <base>/Observation?code=http://loinc.org|)

  9. Fix: Support search on Token with a fixed system, e.g. <base>/Patient?gender=http://hl7.org/fhir/codesystem-administrative-gender.html|female. This fix requires a reindex/all.

  10. Fix: Reindex could fail when a Reference Searchparameter has no targets.

  11. Fix: Vonk works as Data Server on ClinFHIR, with help of David Hay.

  12. Fix: Clearer error messages in the log on configuration errors.

  13. Fix: Loading conformance resources from disk in Docker.

Documentation

  1. We added documentation on using IIS or NGINX as reverse proxies for Vonk.
  2. We added documentation on running Vonk on Azure Web App Services.

Release 0.6.2.0

Attention

The loading of appsettings is more flexible. After installing a new version you can simply paste your previous appsettings.json in the Vonk directory. Vonk’s default settings are now in appsettings.default.json. See Vonk settings for details.

Database

No changes

Features and fixes

  1. Feature: Conditional References in Transactions are resolved.
  2. Feature: More flexible support for different serializers (preparing for ndjson in Bulkdata)
  3. Feature: Improved handling on missing settings or errors in the Vonk settings.
  4. Feature: Improved logging, including Dependency Tracking on Azure Application Insights, see Azure Application Insights
  5. Feature: SearchParameter and CompartmentDefinition are now also imported from Simplifier, so both Simplifier import and the Administration API support the same set of conformance resources: StructureDefinition, SearchParameter, CompartmentDefinition, ValueSet and CodeSystem. See Conformance resources.
  6. Feature: Loading of appsettings is more flexible, see Vonk settings.
  7. Feature: Added documentation on running Vonk behind IIS or NGINX: Deploy Vonk on a reverse proxy.
  8. Performance: Improvement in speed of validation, especially relevant if you are Validating incoming resources.
  9. Fix: If you try to load a SearchParameter (see Load Conformance Resources from disk) that cannot be parsed correctly, Vonk puts an error about that in the log.
  10. Fix: Results from _include and _revinclude are now marked with searchmode: Include (was incorrectly set to ‘Match’ before)
  11. Fix: _format as one of the parameters in a POST Search is correctly evaluated.
  12. Fix: No more errors in the log about a Session being closed before the request has finished (“Error closing the session. System.OperationCanceledException: The operation was canceled.”)
  13. Fix: Subscription.status is evaluated correctly upon create or update on the Administration API
  14. Fix: Token search with only a system is supported (Observation.code=somesystem|)
  15. Fix: On validation, errors like ‘Cannot resolve reference Organization/Organization-example26’ are now suppressed, since the validator is set not to follow these references.
  16. Fix: New Firely logo in SVG format - looks better
  17. Fix: Creating resources with duplicate canonical url’s on the Administration API is prohibited, see Controlling the Conformance Resources.
  18. Fix: If a Compartment filter is used on a parameter that is not implemented, Vonk will return an error, see Compartments.

Release 0.6.1.0

Name change from Furore to Firely

Release 0.6.0.0

Attention

Database

  1. The MongoDB implementation got a new index. It will be created automatically upon startup.

Features and fixes

  1. Feature: Access control based on SMART on FHIR.
  2. Feature: Vonk can also load CompartmentDefinition resources. See Controlling the Conformance Resources for instructions.
  3. Feature: ValueSet and CodeSystem resources can be loaded into the administration endpoint, and loaded from Simplifier. See Controlling the Conformance Resources for instructions.
  4. Feature: Be lenient on trailing slashes in the url.
  5. Feature: OperationOutcome is now at the top of a Bundle result. For human readers this is easier to spot any errors or warnings.
  6. Fix: In the settings for SQL Server it was possible to specify the name of the Schema to use for the Vonk tables. That was actually not evaluated, so we removed the option for it. It is fixed to ‘vonk’.
  7. Fix: The OperationOutcome of the Reset operation could state both an error and overall success.
  8. Fix: If you did not set the CertificatePassword in the appsettings, Vonk would report a warning even if the password was not needed.
  9. Fix: Loading conformance resources in the SQL Server implementation could lead to an error.
  10. Fix: Clearer error messages if the body of the request is mandatory but empty.
  11. Fix: Clearer error message if the Content-Type is missing.
  12. Fix: GET on [base]/ would return the UI regardless of the Accept header. Now if you specify a FHIR mimetype in the Accept header, it will return the result of a system wide search.
  13. Fix: In rare circumstances a duplicate logical id could be created.
  14. Fix: GET [base]/metadat would return status code 200 (OK). But it should return a 400 and an OperationOutcome stating that ‘metadat’ is not a supported resourcetype.

Documentation

  1. We consolidated documentation on loading conformance resources into Controlling the Conformance Resources.

Release 0.5.2.0

Attention

Configuration setting SearchOptions is renamed to BundleOptions.

Features and fixes

  1. Fix: When you specify LoadAtStartup in the ResourceLoaderOptions, a warning was displayed: “WRN No server base configured, skipping resource loading.”
  2. Fix: Conditional create that matches an existing resource returned that resource instead of an OperationOutcome.
  3. Fix: _has, _type and _count were in the CapabilityStatement twice.
  4. Fix: _elements would affect the stored resource in the Memory implementation.
  5. Fix: Getting a resource with an invalid id (with special characters or over 64 characters) now returns a 404 instead of 501.
  6. Feature: Re-indexing for new or changed SearchParameters now also re-indexes the Administration API database.
  7. Fix: modifier :above for parameter type Url now works on the MongoDB implementation.
  8. Fix: Vonk would search through inaccessible directories for the specification.zip.
  9. Fix: Subscription could not be posted if ‘Database’ was not one of the SearchParametersImportOptions.
  10. Fix: _(rev)include=* is not supported but was not reported as such.
  11. Fix: In a searchresult bundle, the references to other resources are now made absolute, referring to the Vonk server itself.
  12. Fix: BundleOptions (previously: SearchOptions) settings were not evaluated.
  13. Fix: Different responses for invalid resources when you change ValidateIncomingResources setting (400 vs. 501)
  14. Fix: Better reporting of errors when there are invalid modifiers in the search.
  15. Fix: Creating a resource that would not fit MongoDB’s document size resulted in an inappropriate error.
  16. Fix: There was no default sort order in the search, resulting in warnings from the SQL implementation. Added default sort on _lastUpdated (desc).
  17. Fix: Premature disposal of LocalTerminology server by the Validator.

Facade

  1. Fix: _include/_revinclude on searchresults having contained resources triggered a NotImplementedException.

Release 0.5.1.1

Facade

We released the Facade libraries on NuGet along with getting started documentation.

No features have been added to the Vonk FHIR Server.

Release 0.5.0.0

Database

  1. Long URI’s for token and uri types are now supported, but that required a change of the SQL Server database structure. If you have AutoUpdateDatabase enabled (see Using SQL server), Vonk will automatically apply the changes. As always, perform a backup first if you have production data in the database.

  2. To prevent duplicate resources in the database we have provided a unique index on the Entry table. This update does include a migration. It can happen that, while updating your database, Vonk cannot apply the unique index because there are duplicate keys in your database (which is not good). Our advice is to empty your database first (with <vonk-endpoint>/administration/reset), then update Vonk with this new version and then run Vonk with AutoUpdateDatabase=true (for the normal and the administration databases).

    If you run on production and encounter this problem, please contact our support.

Features and fixes

  1. Feature: POST on _search is now supported
  2. Fix: Statuscode of <vonk-endpoint>/administration/preload has changed when zero resources are added. The statuscode is now 200 instead of 201.
  3. Fix: OPTIONS operation now returns the capability statement with statuscode 200.
  4. Fix: A search operation with a wrong syntax will now respond with statuscode 400 and an OperationOutcome. For example GET <vonk-endpoint>/Patient?birthdate<1974 will respond with statuscode 400.
  5. Fix: A statuscode 501 could occur together with an OperationOutcome stating that the operation was successful. Not anymore.
  6. Fix: An OperationOutcome stating success did not contain any issue element, which is not valid. Solved.
  7. Improvement: In the configuration on Load Conformance Resources from simplifier.net the section ArtifactResolutionOptions has changed to ResourceLoaderOptions and a new option has been introduced under that section named LoadAtStartup which, if set to true, will attempt to load the specified resource sets when you start Vonk.
  8. Improvement: the Memory implementation now also supports SimulateTransactions
  9. Improvement: the option SimulateTransactions in the configuration defaults to false now
  10. Feature: You can now add SearchParameters at runtime by POSTing them to the Administration API. You need to apply Re-indexing for new or changed SearchParameters to evaluate them on existing resources.
  11. Fix: The batch operation with search entries now detects the correct interaction.
  12. Fix: ETag header is not sent anymore if it is not relevant.
  13. Fix: Searching on a String SearchParameter in a MongoDB implementation could unexpectedly broaden to other string parameters.
  14. Fix: If Reference.reference is empty in a Resource, it is no longer filled with Vonk’s base address.
  15. Feature: Search operation now supports _summary.
  16. Fix: Paging is enabled for the history interaction.
  17. Fix: Conditional updates won’t create duplicate resources anymore when performing this action in parallel.
  18. Fix: Indexing of CodeableConcept has been enhanced.
  19. Fix: Search on reference works now also for an absolute reference.
  20. Fix: Long uri’s (longer than 128 characters) are now supported for Token and Uri SearchParameters.
  21. Improvement: The configuration of IP addresses in Limited access has changed. The format is no longer a comma-separated string but a proper JSON array of strings.

Release 0.4.0.1

Database

  1. Long URL’s for absolute references are now supported, but that required a change of the SQL Server database structure. If you have AutoUpdateDatabase enabled, Vonk will automatically apply the changes. As always, perform a backup first if you have production data in the database.
  2. Datetime elements have a new serialization format in MongoDB. After installing this version, you will see warnings about indexes on these fields. Please perform Re-indexing for new or changed SearchParameters, for all parameters with <vonk-endpoint>/administration/reindex/all. After the operation is complete, restart Vonk and the indexes will be created without errors.

Features and fixes

  1. Fix: SearchParameters with a hyphen (‘-’, e.g. general-practitioner) were not recognized in (reverse) chains.
  2. Fix: CapabilityStatement is more complete, including (rev)includes and support for generic parameters besides the SearchParameters (like _count). Also the SearchParameters now have their canonical url and a description.
  3. Improvement: Preloading a set of resources gives more informative warning messages.
  4. Fix: Re-indexing for new or changed SearchParameters did not handle contained resources correctly. If you have used this feature on the 0.3.3 version, please apply it again with <vonk-endpoint>/administration/reindex/all to correct any errors.
  5. Improvement: Loading resources from Simplifier now also works for the Memory implementation.
  6. Improvements on Validation:
    • profile parameter can also be supplied on the url
    • if validation is successful, an OperationOutcome is still returned
    • it always returns 200, and not 422 if the resource could not be parsed
  7. Feature: support for Conditional Read, honouring if-modified-since and if-none-match headers.
  8. Fix: Allow for url’s longer than 128 characters in Reference components.
  9. Fix: Allow for an id in a resource on a Create interaction (and ignore that id).
  10. Fix: Allow for an id in a resource on a Conditional Update interaction (and ignore that id).
  11. Fix: Include Last-Modified header on Capability interaction.
  12. Fix: Format Last-Modified header in httpdate format.
  13. Fix: Include version in bundle.entry.fullUrl on the History interaction.
  14. Fix: Update _sort syntax from DSTU2 to STU3. Note: _sort is still only implemented for _lastUpdated, mainly for the History interaction.
  15. Improvement: If the request comes from a browser, the response is sent with a Content-Type of application/xml, to allow the browser to render it natively. Note that most browsers only render the narrative if they receive xml.

Release 0.3.3.0

Attention

We upgraded to .NET Core 2.0. For this release you have to install .NET Core Runtime 2.0, that you can download from dot.net.

Hosting

The options for enabling and configuring HTTPS have moved. They are now in appsettings.json, under ‘Hosting’:
"Hosting": {
  "HttpPort": 4080,
  "HttpsPort": 4081, // Enable this to use https
  "CertificateFile": "<your-certificate-file>.pfx", // Relevant when HttpsPort is present
  "CertificatePassword": "<cert-pass>" // Relevant when HttpsPort is present
},

This means you have to adjust your environment variables for CertificateFile and CertificatePassword (if you had set them) to:

VONK_Hosting:CertificateFile
VONK_Hosting:CertificatePassword

The setting ‘UseHttps’ is gone, in favour of Hosting:HttpsPort.

Database

There are no changes to the database structure.

Features and fixes

  1. Feature: Subscription is more heavily checked on create and update. If all checks pass, status is set to active. If not, the Subscription is not stored, and Vonk returns an OperationOutcome with the errors.
    • Criteria must all be supported
    • Endpoint must be absolute and a correct url
    • Enddate is in the future
    • Payload mimetype is supported
  2. Feature: use _elements on Search
  3. Feature: load profiles from your Simplifier project at startup.
  4. Feature: Content-Length header is populated.
  5. Fix: PUT or POST on /metadata returned 200 OK, but now returns 405 Method not allowed.
  6. Fix: Sometimes an error message would appear twice in an OperationOutcome.
  7. Fix: _summary is not yet implemented, but was not reported as ‘not supported’ in the OperationOutcome. Now it is. (Soon we will actually implement _summary.)
  8. Fix: If-None-Exist header was also processed on an update, where it is only defined for a create.
  9. Fix: Set Bundle.entry.search.mode to ‘outcome’ for an OperationOutcome in the search results.
  10. UI: Display software version on homepage.

Release 0.3.2.0

  1. Fix: _include and _revinclude could include too many resources.

Release 0.3.1.0

  1. IP address restricted access to Administration API functions.
  2. Fix on Subscriptions:
    1. Accept only Subscriptions with a channel of type rest-hook and the payload (if present) has a valid mimetype.
    2. Set them from requested to active if they are accepted.

Release 0.3.0.0

  1. Database changes

    If you have professional support, please consult us on the best way to upgrade your database.

    1. The schema for the SQL Database has changed. It also requires re-indexing all resources.
    2. The (implicit) schema for the documents in the MongoDb database has changed.
    3. The Administration API requires a separate database (SQL) or collection (MongoDb).
  2. New features:
    1. Custom Search Parameters
    2. Support for Subscriptions with rest-hook channel
    3. Preload resources from a zip.
    4. Reset database
    5. Conditional create / update / delete
    6. Support for the prefer header
    7. Validation on update / create (can be turned on/off)
    8. Restrict creates/updates to specific profiles.
    9. Configure supported interactions (turn certain interactions on/off)
  3. New search features:
    1. _has
    2. _type (search on system level)
    3. _list
    4. _revinclude
  4. Enhancements
    1. :exact: Correctly search case (in)sensitive when the :exact modifier is (not) used on string parameters.
    2. Enhanced reporting of errors and warnings in the OperationOutcome.
    3. Custom profiles / StructureDefinitions separated in the Administration API (instead of in the regular database).
    4. Full FHIRPath support for Search Parameters.
    5. Fixed date searches on dates without seconds and timezone
    6. Fixed evaluation of modifier :missing
    7. Correct total number of results in search result bundle.
    8. Fix paging links in search result bundle
    9. Better support for mimetypes.
  5. DevOps:
    1. New Vonk Administration API
    2. Enabled logging of the SQL statements issued by Vonk (see Log settings)
    3. Migrations for SQL Server (auto create database schema, also for the Administration API)
  6. Performance
    1. Added indexes to MongoDb and SQL Server implementations.