Skip to main content

Flowable 3.10.x Release Notes

Initial release 3.10.0, July 29, 2021

Important

Due to a potential RCE (Remote Code Execution) security exploit in the Spring framework, customers using the out-of-the-box WAR artifacts for Design/Control/Work/Engage are urgently advised to upgrade to version 3.10.10 immediately. See the dedicated page around this vulnerability for the latest information.

Introduction

The Flowable product comprises:

  • Flowable Work, a process and case management platform with an out-of-the-box user interface.
  • Flowable Engage, built on top of Flowable Work, adding conversations and external connectivity to WeChat, Whatsapp and others.
  • Flowable Design, a modeling environment to create BPMN, CMMN, DMN, Form and other model types that run in Platform/Work/Engage.
  • Flowable Control, an administration tool that can be used to manage the Flowable Platform / Work / Engage environments.
  • Flowable Inspect, a debugging and test component that can be used with Flowable Work and Engage.

These products are built on top of the Flowable Open Source project which can be found at Github.

Documentation

The Flowable Open Source project also has extensive documentation available which can be found at https://www.flowable.com/open-source/docs/oss-introduction.

Highlights

Flowable Work

  • Added data object lookup, search, create, update and delete tasks to BPMN and CMMN to work with data objects in a process or case model.

  • Introduced data object select and data table form components to support working with data objects with out-of-the-box form components.

  • Added support for detached data objects that allow a Modeler to delay updating the data object to allow for four-eyes principle or other validation steps before the data object is updated.

  • It's now possible to reactivate completed / historic case instances with the reactivation action. The reactivation logic can be modeled with a reactivation listener. When a completed / historic case instance is reactivated, the case instance is active again.

  • Added support for enabling autosave for task forms.

  • Added support for defining allowed or blocked lists of values for the input payload of a task, work or case page form. Either the allowed values for the payload can be defined, and all other properties will be excluded from the payload, or the blocked values can be defined, and these properties will be excluded from the payload.

  • A variable listener has been added to allow for BPMN and CMMN models to listen to changes for a specific variable and handle this trigger in the model.

  • Query definitions for Elasticsearch can be deployed to Flowable Work without having to restart the server anymore.

  • Variable extractors that allow for new variable values and new full text search values in Elasticsearch can be deployed to Flowable Work without having to restart the server. For variable extractors that require changes to the Elasticsearch index definition it's still necessary to use the already existing classpath resource approach that does require a server restart.

  • Added an optimization flag for asynchronous multi-instance usage when the multi-instance is an automatic step or a sequence of automatic steps. If set, the engine will drastically lower resource consumption, do away with optimistic locking exceptions and typically be more performant.

  • Added an embeddable case view component that can be used to render the case view in any third party application using frontend frameworks like React, Angular and Vue.

  • A mapping can be done to map a LDAP group membership to a user definition. In this way a user that belongs to a configured group will get assigned the user definition with its allowed features.

  • Added i18n support for master data instances.

  • Added i18n support for content types.

  • CRUD authorization can be defined on service registry models to limit the user groups that can execute a service registry operation.

  • Added support for the latest version of Microsoft Edge.

  • Improved support for out-of-the-box integration with OAuth 2.0 and OpenID providers.

  • Improved internal build tool for Work UI extensions (Flowbuild) providing great flexibility for custom builds based either on Webpack or Rollup. Also, as part of this rewrite we have removed node-saas dependency (already deprecated) and added dart-saas.

Flowable Engage

  • Added support for receiving WhatsApp Template Quick Reply Button messages and Interactive List and Button Reply messages. When such a message is received in addition to the message being routed to the conversation (when an active user account exists) an Event Registry System Event with the key _flowableEngageExternalMessageReceived will be thrown as well.

  • When a conversation is open in Flowable Engage a change into the status of a timed out Whatsapp / WeChat conversation is handled in real time and the conversation is made readonly when a conversation has timed out, or the conversation will be editable again when the conversation is made active again.

  • Added support for always sending an Event Registry System Event with key _flowableEngageExternalMessageReceived for every received external message by setting flowable.external-system.inbound-message-routing.always-send-system-event to true.

  • In the template management app the external id value can now be updated for existing templates.

  • The spell check is enabled for the message box in Engage.

Flowable Design

  • Refactored data object and service registry models, it's now easier to navigate between data object models and connected service registry models. Database and REST backed data objects can now have multiple lookup, search, update, create and delete operations.

  • A reactivation listener is added to the CMMN editor palette to model reactivation logic.

  • A variable listener has been added to the BPMN and CMMN editor to listen to variable changes.

  • A data object select and data table component have been added to the form editor to support using data objects in the form model in a direct way.

  • A new model type for query models has been introduced. This makes it possible to define query models for Elasticsearch as part of an app model now.

  • A new model type for variable extractor models has been added to support defining new variables and full text search values as part of an app model.

  • Added support to define custom validations for BPMN by implementing the ValidatorSet interface.

  • The lookup of content models for the content type selection on an attachment field in the form editor has been changed to the standard model lookup component that is also used for sub processes, forms etc.

  • The lookup of action models for the action selection on an action button field in the form editor has been changed to the standard model lookup component that is also used for sub processes, forms etc.

  • Improved handling of model key changes. When a model key is changed a best-effort is done to change the model references in other models within the same app. Still a verification is needed to make sure all references are working as expected.

  • Added support for CMMN plan fragments. Plan fragments are only relevant for modeling, the CMMN runtime engine ignores plan fragments and only handles the plan items inside the plan fragments.

  • Improved export and import of BPMN and CMMN models with additional attributes being exported for flows and associations and improved handling of text annotations.

  • When importing app models, the name and description of the included models will be updated when the model already exists in the Design database.

Flowable Control

  • The case instance and process instance terminate logic now ignores evaluation of complete / terminate (lifecycle) listeners. This ensures that a case instance or process instance can always be terminated.

Flowable Mobile

  • A new Flowable Mobile application has been developed to support working with cases, processes, tasks and documents on a mobile phone.

  • The list of work instances (cases and processes) and tasks for the logged-in user can be browsed through, and the details of the work instance and task van be viewed.

  • Attached documents to a work instance or task can be previewed and downloaded.

  • Task and work forms can be viewed and edited in the application, where the form support is limited to the core form fields like text, number, select, attachment etc.

  • The mobile application supports theming, which can be defined in the Flowable Work instance the mobile application is connecting to.

Upgrade information

  • The data object functionality has been refactored and improved in Design and Work. Because a lot of changes have been made to simplify and enhance the usage of data objects, this can impact existing data object models in Design. In Work backward compatibility is implemented to make sure existing data object models still work as expected. In Design the necessary work to still be able to open existing data models has also been done, but make sure to have a look at the documentation to understand the new data object features.

  • In Flowable Engage the logic for extracting event payload is moved for the EventRegistryInboundMessageAccountService to a new interface InboundMessageEventPayloadExtractor. The default of that implementations is in DefaultInboundMessageEventPayloadExtractor.

  • There has been a change in the way a process / case instance is started from an event from the event registry. Instead of starting the process / case asynchronously, it is started synchronously. Using this default value allows correct processing of in-order event coming on the same topic. In case in order processing is not important you can configure that as part of your model by marking the Event Registry Start event as async or marking the Case Model as async in Design. If you want to go back to the previous default you can set the following properties: flowable.process.event-registry-start-process-instance-async and flowable.cmmn.event-registry-start-case-instance-async to true.

Database changes

  • A new table FLW_PL_DEPLOYMENT has been added to support deployments of query definition and variable extractor models to the Platform engine.

  • A new table FLW_PL_DEPLOYMENT_RESOURCE is added to store deployment resources for deployments to the Platform engine.

  • A new table FLW_QUERY_DEFINITION is added to store information about the deployed query definitions to the Platform engine.

  • A new table FLW_VAR_EXT_DEFINITION is added to store information about the deployed variable extractor definitions to the Platform engine.

Spring Boot

  • Base Spring Boot version should be upgraded to at least 2.5.2 up to the latest 2.5 version

Open Source Artifacts Dependency Compatibility

Releases of Flowable Design, Work and Engage use versions of the open source Flowable dependencies that have not yet been published publicly on the Maven Central repository. These 'bugfix releases' can be retrieved by customers using the customer Flowable Maven repository credentials.

These versions contain fixes and have been QA'ed with the 3.10.0 release. It's advised to upgrade your open source dependencies to the 'compatible' version mentioned below (and mentioned in the subsequent Service Packs section)

Open source dependency version: 6.6.2.13

Service Packs

3.10.1

  • Fixed issue with the custom task type attribute and delegate expressions.

  • Added support for displaying new Whatsapp emojis on Windows.

Open source dependency version: 6.6.2.13

3.10.2

  • Fixed issue with multi language text in an user event listener form.

  • Fixed issue with null values in a JSON array variable.

  • Fixed issue with re-rendering a data table when it is used in a tab, and after collapsing and expanding it.

  • Case view is refreshed after clicking on an action button.

  • For the embedded mobile view in Flowable Engage, the attachment icon now follows the attachment feature flag.

  • Fixed issue where a custom request parameter in a url caused the create dialog to not function correctly.

  • Fixed issue with history audit trail not showing the list of audit events.

  • Fixed issue with deploying a mapping extension without a query definition.

  • Fixed issue with the data table hover effect not being shown.

  • Improved handling of large content item data to prevent out of memory errors.

  • Prevent an app export in Flowable Design from failing when the XML of a BPMN or CMMN model can not be created.

  • Fixed issue with buttons in a data table not responding on click.

  • Fixed issue with link modal disappearing when selecting it in the rich text editor.

  • Fixed issue where locking information in Flowable Design was not being shown.

  • Updated Apache Tika version to 1.27.

Open source dependency version: 6.6.2.17

3.10.3

  • Improved trial download on https://flowable.com/trial/ with a new tutorial focusing on the data object support.

  • The delete data object task in BPMN and CMMN has been changed slightly: it now deletes the 'input variable', by default (if configured). This shouldn't normally pose a problem, as the main use case of the 'input variable' is to pass the in a data object variable that needs to be deleted. In both situations, referencing the variable will resolve to null. The difference is that now the variable is fully removed from the process or case instance, where before the variable existed but always would resolve to null. This can be disabled through configuring the operation.

  • When there is no license present and the license mode is set to database and the logged-in user is an admin, a warning message with a link to the license dialog is shown.

  • When there is no license present and the license mode is set to database a dialog is presented in Design to upload the license file.

  • Added two new FE functions to work with HTML and scripting content in forms:

    1. flw.sanitizeHtml(dirtyHtml) for sanitizing from XSS attacks any HTML string.
    2. flw.escapeHtml(html) for escaping any HTML to print it instead of rendering it on the DOM
  • Fixed issue where the case view was showing a completed task in editable instead of readonly mode.

  • Fixed issue in the case view where the navigation items were not refreshed after execution an action on the case instance.

  • Fixed issue with a sub task not being created in Flowable Work.

  • Fixed issue with identity info items with an empty / null value not getting updated.

  • Fixed issue with custom query models requiring a name value. When a key value is present this is sufficient and this value will be used to lookup the query model.

  • Fixed issue with multiple plan item on parts in Design.

  • Fixed issue with the list of possible output values in a decision table in Flowable Design was not exported and imported correctly, and the values were lost on import.

  • Fixed issue with an expandable panel in a data table having a REST button and the expand toggle not working.

  • Fixed issue with an ignored panel still changing the payload of a form.

  • Fixed issue where the add button of a multi sub form was not working.

  • Fixed issue where the data table configuration was shared between different data tables with the same column id.

  • Fixed issue with a data table breaking the layout when changing the column size.

  • Fixed issue with a data object table or select not responding to a form payload change to filter the data object items.

Open source dependency version: 6.6.2.20

3.10.4

  • Added support for moving data from one tenant to another in the PlatformManagementService.

  • Fixed issue where the user in the list was not shown after deactivating the user in the contacts app.

  • Fixed issue where columns in a data table were not correctly aligned with the header and content.

  • Fixed issue where the plan item instance lifecycle listener wasn't invoked for a wait for repetition status change.

  • Fixed issue to copy transient variables as transient in the sub process instance, when using a call activity with copy all variables.

Open source dependency version: 6.6.2.23

3.10.5

  • The open tasks tab view for case and process instances in Flowable Work will automatically poll for new tasks 3 times in an interval to show tasks that are created asynchronously after completing the previous task, or starting the case or process instance.

  • Improved support of deploying a new configuration of a data table in a form with existing favorites.

  • Added support for multi tenancy for the user and group selection in Flowable Design. This now takes into account the active tenant id in Flowable Design.

  • Fixed issue with payload handling of a start form for a case reactivation.

  • Fixed issue with an outcome button not refreshing the navigation menu in the case view.

  • Fixed issue with auto-execute button introducing a never ending loop.

  • Fixed issue with XSS injection possibilities in data table column values.

  • Fixed issue with theming when using OAuth2 authentication.

  • Fixed issue with custom.js not relative to the index.html.

  • Fixed issue where the case / process header was duplicated for long forms.

  • Added missing German translations for data object data tables.

Open source dependency version: 6.6.2.24

3.10.6

This version fixes an important security issue and customers are advised to upgrade to this version immediately.

Without the fix included in this version, an RCE (Remote Code Execution) exploit might be possible. The RCE exploit is due to a vulnerability in the logging dependency. All information about it can be found here: Github Security Advisory

Affected products:

  • Flowable Design default WAR distribution and Docker image version < 3.10.6
  • Flowable Control default WAR distribution and Docker image version < 3.10.6
  • Flowable Work default WAR distribution and Docker image version < 3.10.6
  • Flowable Engage default WAR distribution and Docker image version < 3.10.6

Fix versions are also released for customers still on older versions. Versions 3.9.10+, 3.8.15+ and 3.7.10+ contain the same fix.

In case it's not possible to upgrade immediately, the RCE exploit can be disabled by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true or pass the log4j2.formatMsgNoLookups=true as system property

When not using the default distributables (for example in a custom Maven or Gradle project) you might be affected if you have added the log4j dependency to your project explicitly. For Maven, run mvn dependency:tree | grep log4j-core on the command line and make sure the version is 2.15.0 or higher. If not, upgrade the dependency in your configuration to minimally 2.15.0.

Other fixes in this release:

  • Fixed issue where the complete button is enabled before the form is fully loaded.

  • Fixed issue with user event listeners for case instance migration, where the form deployment id was not updated in the action instance for the user event listener.

  • Added support for expressions in outbound channel definitions for Kafka, JMS and RabbitMQ.

  • Added support to include case / process variables for historic tasks with form instances by enabling the flowable.platform.enable-legacy-historic-task-variables=true property.

  • Fixed issue where identity links were not copied correctly to the runtime identity link table when reactivating a case instance.

  • Fixed issue with translations for data table columns in Flowable Design where the language was not shown.

  • Fixed issue where numbers were not displayed in the data table component in the form engine.

  • Fixed issue where form validation did not work for uploaded files that are too big.

  • Improved navigation url for an outcome button for a BPMN user task with expression support.

  • Fixed issue with the change password functionality in Flowable Design.

Open source dependency version: 6.6.2.27

3.10.7

Contains log4j version 2.16.0, which fixes a second security vulnerability. See the dedicated page around the Log4Shell vulnerability for more information

3.10.8

Contains log4j version 2.17.0, which fixes a third security vulnerability. See the dedicated page around the Log4Shell vulnerability for more information

Open source dependency version: 6.6.2.27

3.10.9

  • Added interceptor interface (ControlInterceptor) to Flowable Control that can be used to implement audit logic for changes made through Control such as updating a variable value or doing a new deployment.

  • Added onEvent functionality to the form engine which can be used for adding specific logic to the form handling, more information is available here https://documentation.flowable.com/latest/forms/basic-events

  • Added support for 2 new history levels in the BPMN engine with "instance" and "task". Instance history level only stores the process instance entry in the historic process instance table. The task level adds the user tasks to the historic tables. So no activity, variable or other information will be stored, by default, in the historic tables.

  • Added support for defining a case definition specific history level in Flowable Design and Platform.

  • Added support for 2 new history levels in the CMMN engine with "instance" and "task". Instance history level only stores the case instance entry in the historic case instance table. The task level adds the human tasks to the historic tables. So no plan item instance, variable or other information will be stored, by default, in the historic tables.

  • Added support for defining which activity elements in a BPMN and CMMN definition should be included in the historic tables when using an "instance" or "task" history level.

  • Added support for defining which variables in a BPMN and CMMN definition should be included in the historic tables when using an "instance" or "task" history level.

  • Flowable Control has been changed to query the runtime tables for CMMN and BPMN instances and tasks when querying for active instances.

  • Fixed issue with boundary event registry events not being evaluated when doing a process instance migration.

  • Fixed issue with showing a people component in the custom case view for a completed case instance.

  • Added support to handle the error response from the REST API when uploading an attachment to the Javascript extension options.

  • Fixed issue where the pagination is not maintained when the query url of a data table changes due to form payload changes.

  • Fixed issue where tooltips for action buttons were not appearing in Flowable Work.

  • Fixed issue with outcome buttons appearing with another width in a form as modeled in Flowable Design.

  • Fixed issue with flw.JSON.stringify not working for Set collections.

  • Spring boot has been upgraded to 2.5.8

Open source dependency version: 6.6.2.33

3.10.10

  • Upgrade Spring Boot to version 2.5.12 because of the remote execution vulnerability that was disclosed. See the page dedicated to the vulnerability for more information.

  • Added CSRF support to Flowable Control.

  • Fixed issue with repeating timer event listeners resulted in multiple timer jobs being created.

  • Added option to filter on the state value in the (historic) case instance queries. In addition, missing query options were added to the REST API.

  • Fixed issue with translations not working correctly for List components in forms.

  • Fixed issue with border not shown for multi sub forms.

Open source dependency version: 6.6.2.34

3.10.11

  • Fixed issue with the Thymeleaf template of Flowable Work / Engage.

Open source dependency version: 6.6.2.35

3.10.12

  • Fixed issue with the same case page task getting displayed multiple times in the case view with repetition.

  • Fixed issue with accessing a case instance without permissions and showing the correct "Case not found" message in the case view.

Open source dependency version: 6.6.2.35

3.10.13

  • Fixed issue with more than a 1000 groups for a logged-in user when fetching scoped action definitions.

  • Fixed issue with custom queries not working correctly after reindexing in a multi server setup.

  • Fixed issue with the save button being enabled on a form when uploading a large required document.

Open source dependency version: 6.6.2.35