Flowable 3.8.x Release Notes

Initial release 3.8.0, December 16, 2020

Important

Due to a potential RCE (Remote Code Execution) security exploit in the logging dependency, customers using the out-of-the-box WAR artifacts or Docker images for Design/Control/Work/Engage are urgently advised to upgrade to version 3.8.16 immediately. See the dedicated page around the Log4Shell vulnerability for the latest information.

Introduction

The Flowable product comprises:

• Flowable Work, a process and case management platform with an out-of-the-box user interface.
• Flowable Engage, built on top of Flowable Work, adding conversations and external connectivity to WeChat, Whatsapp and others.
• Flowable Design, a modeling environment to create BPMN, CMMN, DMN, Form and other model types that run in Platform/Work/Engage.
• Flowable Control, an administration tool that can be used to manage the Flowable Platform / Work / Engage environments.
• Flowable Inspect, a debugging and test component that can be used with Flowable Work and Engage.

These products are built on top of the Flowable Open Source project which can be found at Github.

Documentation

• Documentation home

• The Flowable Engage User Guide

• The Flowable Work User Guide

The Flowable Open Source project also has extensive documentation available which can be found at https://www.flowable.com/open-source/docs/oss-introduction.

Highlights

Flowable Work Services

• The default historic data handling for the relational database has been changed from asynchronous to synchronous. This means that the historic information for a case instance, process instance or task will be added to the relational database tables in the same transaction as the runtime data. The update of the Elasticsearch data is still done with an asynchronous job, but the logic has been simplified. It's still possible to use asynchronous history by enabling the following property flag flowable.async-history.enable-async-relational-history.

• An option to persist metrics information in Elasticsearch has been added. This includes metrics about the number of jobs and operations executed, instances started and so on. Also metrics about the system itself, such as CPU usage, memory usage and so on. In Flowable Control these metrics can be viewed in the dashboards section with different charts. This option can be enabled with the property flag management.metrics.export.elastic.enabled.

• Added support for future Java delegates to enable running service tasks and HTTP tasks truly in parallel. Until this release, a parallel gateway with multiple outgoing sequence flows to a service task didn't run the synchronous service tasks actually in parallel, they were still executed sequential. When these service tasks are made asynchronous and not exclusive, then they were executed in parallel by the async executor, but also in different transactions. With the new future service task support, it's now possible to run synchronous service tasks within the same transaction in parallel. The service tasks are executed in parallel on a thread pool and the future will wait until all service tasks are completed. More information is available in this blog post.

• To be able to count the amount of unique users that use the Flowable Work / Engage application in a specific time period, such as in the last year, the users that accessed the application are stored in the Flowable database for each day.

• For a POST and PUT request in the service registry model, an input parameter can be defined to be ignored for the request body.

• Added REST API support for the Service Registry engine.

• Fixed issue with the content storage for PostgreSQL.

Flowable Work User Interface

• The custom case view feature has been enhanced and renamed to Case view. The case, task and case page headers can be configured and the save button is now optional.

• Added support for infinite scrolling in data tables (default mode for new data tables in Flowable Design), requiring query URLs to include size={{$pageSize}}&start={{$start}} parameters for correct dynamic data retrieval.

• Outcome buttons can be defined inline in the form with the new outcome button components. This allows outcome buttons to be displayed anywhere in a form.

• Support added to store dates without a time element, to prevent timezone issues for date values that don't require a time value. In Flowable Design the date fields now use the date without time option by default for new form components.

Flowable Engage

• Added support for the new WhatsApp template message format to allow sending header, footer, body and button components.

Flowable Inspect

• The Inspect information can now also be seen in Case views.

• The form debugger console is now available in dashboard pages.

Flowable Design

• Model locking support has been added to make sure that a model can only be edited by one modeler at a time. Model locking is disabled by default, but can be enabled with the flowable.modeler.app.model-locking.enabled flag. When enabled, the editor is opened read-only if the model is not already locked. After locking the model, the model is editable until it is unlocked again.

• A model hierarchy panel has been added, which shows and allows easy navigation to referenced models, child and parent models and so on.

• The variable assistant has been updated to have a more complete list of variables available within the current model scope.

• With the improvements to the variable assistant, the data model viewer has also been updated with the same improved set of variables.

• Added support for service tasks to be executed in parallel in the same transaction, in BPMN and CMMN.

Flowable Control

• To provide more information about the number of open process instances, case instances, tasks and so on, dashboard pages have been added to Flowable Control for Flowable Work and Flowable Engage clusters. The time range for these charts can be defined by the user.

• Additional charts have been added to show metrics information from the Flowable platform. This includes information about system resources, including CPU usage and memory usage, and other metrics such as jobs executed, jobs failed, operations executed and instances started.

• Added support for single case instance migration in the case instance view.

• Added support for changing the state of plan item instances / definitions in the case instance view.

• Added support to reindex a single indexed entity (case instance, process instance, task, activities, user, and so on) to sync the current state to Elasticsearch.

Upgrade information

Synchronous history

Synchronous history and Synchronous history indexing (indexing data in Elasticsearch based on the relational historical data) is now the default in 3.8.0, instead of asynchronous history indexing in previous releases (indexing data based on a copy of the JSON data that is used for asynchronous history). To switch back to the asynchronous history that was the default until version 3.7.x, the property flag flowable.async-history.enable-async-relational-history needs to be set to true. As part of this feature, the following changes were made:

• In synchronous history indexing, only the reindex methods of an IndexedDataEnhancer needs to be implemented. There is no need anymore to implement the other methods as well (as was the case in the asynchronous way), because every change of data comes down to a reindex of a single data entity.

• Scheduler classes (e.g. CaseInstanceIndexingScheduler) have been moved from the com.flowable.platform.service.index to the com.flowable.platform.engine.impl.indexing package.

• The addToBulkRequest method has been renamed to upsertData. Additionally, a new method indexData is available to add an indexing operation to the current bulk indexing request. Existing history jobs that are in the database when upgrading the software to version 3.8.0 will still be executed, even with synchronous history enabled. So no special action needs to be taken into account for this.

Case view

The Case view navigation logic has changed. Before version 3.8.0, the navigation to the (custom) case view happened automatically when the case instance details view was accessed. Starting from version 3.8.0 there's a different URL pattern for the case view, and no automatic navigation to the case view is happening anymore. Instead, there's a link shown in the case instance details view that allows the user to navigate to the case view. The URL pattern for the case view is /case-view/{caseInstanceId}. It's also possible to navigate directly to a specific task in the case view, the URL pattern then is /case-view/{caseInstanceId}/task/{taskId}.

Frontend work scripts

The latest Frontend Work scripts package adds forms support and other minor enhancements for your custom CSS themes. In order to upgrade to the latest Work scripts package run: 'yarn upgrade @flowable/work-scripts@3.8' . For more information see https://documentation.flowable.com/latest/develop/fe/customize/#customize-the-theme-in-flowable.

Elasticsearch

Elasticsearch support follows the End Of Life (EOL) policy of Elastic https://www.elastic.co/support/eol. For 3.8.0 Elasticsearch 6.7.x and 6.8.x were still tested, but we strongly recommend to upgrade to the 7.x version of Elasticsearch. Elasticsearch provides a Java high level REST client and a Java low level REST client. In the product all the ES communication is written using the Java low level REST client because it allows to use the same logic between different versions of Elasticsearch (6.x and 7.x for example). The Java high level REST client is only used for parsing the ES responses, which is also backwards compatible. Note that when using the Java High level REST client also to do ES calls in custom logic, the version of the client should match the ES server version. For example, when using a 7.6 version of the client and an ES server version of 6.8.x, issues can occur.

When it's needed to disable the Elasticsearch synchronization, for example to implement unit tests, the following steps are needed:

• Set the following property flowable.indexing.enabled=false
• Mock the following interfaces SearchService, IndexingService and ElasticsearchCompatibility

Metrics

Metric information is enabled by default for custom apps that have a dependency on one of the Flowable starters for Flowable Work or Flowable Engage. When no metric information should be collected and synced to Elasticsearch, make sure to explicitly disable the metric collection with the following property set to false:

• management.metrics.export.elastic.enabled=false

Database changes

• A new table has been added to store the user ID of users that access the Flowable Work or Flowable Engage application each day: FLW_LIC_USER_LOGIN.

• A new column PROPAGATED_STAGE_INST_ID_ has been added to ACT_HI_PROCINST to store the stage instance ID value, as it was already for the runtime process instance.

Spring Boot

• Base Spring Boot version should be upgraded to at least 2.3.1 up to the latest 2.3 version (same as for Flowable 3.7.0)

Other changes

• A new 'allowed feature' editConversationTitle has been added to the default user definitions, giving users that can create conversations the ability to edit the conversation title. If you have made a custom user definition and you want users to have this ability, the editConversationTitle needs to be added to the allowedFeatures array of the user definition JSON file.

Open Source Artifacts Dependency Compatibility

Releases of Flowable Design, Work and Engage use versions of the open source Flowable dependencies that have not yet been published publicly on the Maven Central repository. These 'bugfix releases' can be retrieved by customers using the customer Flowable Maven repository credentials.

These versions contain fixes and have been QA'ed with the 3.8.0 release. It's advised to upgrade your open source dependencies to the 'compatible' version mentioned below (and mentioned in the subsequent Service Packs section)

Open source dependency version: 6.6.0.9

Service Packs

3.8.1

• Fixed issue in Flowable Design for model hierarchies with extensive use of nested forms with many parent forms

• Fixed issue with disabled state of “Complete” buttons until task form is valid

• Fixed tenant ID option when creating an user account

• Fixed lookup of default tenant for conversations and contact filters

Open source dependency version: 6.6.0.10

3.8.2

• Added support to synchronize historic process instance data based on runtime data

• Added support for HTML messages in Engage Compliance view

• Improved support for task local variables in Elasticsearch indexes

Upgrade note: We highly recommend upgrading to Flowable 3.8.2 (6.6.x) as it provides significant performance improvement for historic data handling. Furthermore, if you are seeing the error message “Job is not applicable for transformer types” in your logs, then in some circumstances it is important to upgrade to Flowable 3.7.7 or Flowable 3.8.2 and contact Support.

An additional REST call is provided to ensure history and runtime data are in sync for a process instance:

POST to /platform-api/platform-management/historic-process-instances/{processInstanceId}/synchronise

Open source dependency version: 6.6.0.11

3.8.3

• Fixed issue with validation for outcome buttons on Action model forms

• Fixed issue with export of cancelActivity for boundary event registry events

• Fixed issues with the form upload control when uploading new content versions or deleting invalid content

• Fixed issue with duplicated claim buttons in case views

• Fixed issue with Flowable Engage JMS listeners not starting correctly after deploying an inbound channel model and restarting the server

• Fixed empty form payload when form saved and completion was the next action

• Fixed issue with the date picker control autoformatting on keyboard entry

• Fixed issue with $temp variable creation when using $temp. prefixes in task form fields

Open source dependency version: 6.6.0.11

3.8.4

• Improved performance for Flowable Design in multi tenant setups with default tenant models

• Fixed issue with ID values when copying multiple elements in Flowable Design

• Fixed save and cancel buttons being disabled when a form is in an invalid state

• Fixed inline outcome buttons in action dialogs to respect the ignore validations setting

Open source dependency version: 6.6.0.12

3.8.5

• Fixed issue if parent and root variables are the same when saving a form

• Fixed issue with the existing login cookie in Flowable Design when upgrading from 3.7 to 3.8.4

• Fixed issue with exporting custom form reference attributes for palette customizations

• Fixed issue importing apps with default tenant models in multiple tenants

Open source dependency version: 6.6.0.12

3.8.6

• Fixed regression for a multi-select form field on item object change in repeatable subforms

Open source dependency version: 6.6.0.12

3.8.7

• A regression fix is implemented to allow for sharing the parent form payload with a modal form payload for action buttons.

• A regression fix is implemented to support the flw.formatDate function with for example 'YYYY-MM-DD HH:mm' as it was in previous versions.

• A regression fix is implemented to have the same behaviour for the enabled state of outcome buttons in 3.8.7 as with 3.7.x versions.

Open source dependency version: 6.6.0.12

3.8.8

• Fixed issue where the definition key and other definition information like the name is not available anymore in the Elasticsearch index while completing tasks.

Open source dependency version: 6.6.0.13

3.8.9

• Fixed issues with date picker filling by keyboard

• Fixed issue with multi-instance plan items not being synchronized to the history table

• Fixed issue with historic task deletion when a historic case instance is deleted

• Improved speed of Flowable Control rest call for process definitions

• Fixed issues in list of definitions shown in Flowable Control

Open source dependency version: 6.6.0.14

3.8.10

• Fixed issues with data table infinite scrolling

• Fixed issue with persistent state of Inspect meta model

• Fixed issue in the Event Registry where "Start new instance only when no other instance already exists" only took into account the latest definition

• Fixed issue in evaluating Milestones / Stages having an expression for includeInStageOverview after case completion

Open source dependency version: 6.6.0.15

3.8.11

• Fixed issue with content items not being created on form submit for multi sub forms.

• Fixed issue with the selected option in a radio button getting lost when switching tabs in a form.

• Fixed issue with missing scope information when querying for historic task instances including identity links and variables on DB2 and MSSQL.

• Fixed issue with adding multi sub form entries on slow systems.

Open source dependency version: 6.6.0.16

3.8.12

• Improved the loading time of a big form definition with a large payload.

• Fixed issue with infinite scrolling with filtering happening server side.

• Fixed issue where a new multi sub form row caused another sub form row data to be removed.

• Added the option to ignore the version timestamp values for template deployments using the flowable.template.check-version-timestamp=false property.

• Fixed issue where the init variable task used a string type for an integer value.

Open source dependency version: 6.6.0.17

3.8.13

• Fixed issue where changes in the variable binding in a query url were not reflected in a data table.

• When a custom error message is sent by an Action bot, it is now shown in the action model when executing an action button.

• Performance improvements in the form engine to reduce the amount of properties that are evaluated at load time and improve the logic to go through all possible properties.

Open source dependency version: 6.6.0.17

3.8.14

• Fixed issue where not every keystroke was registered in a large form with nested sub forms.

• Fixed issue where a REST button was not working correctly in a button group.

• Fixed issue where a custom request parameter in a url caused the create dialog to not function correctly.

Open source dependency version: 6.6.0.17

3.8.15

This version fixes an important security issue and customers are advised to upgrade to this version immediately.

Without the fix included in this version, an RCE (Remote Code Execution) exploit might be possible. The RCE exploit is due to a vulnerability in the logging dependency. All information about it can be found here: Github Security Advisory

Affected products:

• Flowable Design default WAR distribution and Docker image version < 3.8.15
• Flowable Control default WAR distribution and Docker image version < 3.8.15
• Flowable Work default WAR distribution and Docker image version < 3.8.15
• Flowable Engage default WAR distribution and Docker image version < 3.8.15

Fix versions are also released for customers on other versions. Versions 3.10.6+, 3.9.10+ and 3.7.10+ contain the same fix.

In case it's not possible to upgrade immediately, the RCE exploit can be disabled by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true or pass the log4j2.formatMsgNoLookups=true as system property

When not using the default distributables (for example in a custom Maven or Gradle project) you might be affected if you have added the log4j dependency to your project explicitly. For Maven, run mvn dependency:tree | grep log4j-core on the command line and make sure the version is 2.15.0 or higher. If not, upgrade the dependency in your configuration to minimally 2.15.0.

Other fixes in this version:

• Fix issue when navigating to a task from the sub items page element in the custom case view.

• Fix issue with retrieving content items that are being stored as a serializable variable type.

• Fixed issue where the add button of a multi sub form was not working.

• Fixed issue where it was not possible to configure a link in a rich text field in the form engine.

• Fixed issue with unnecessary border styling for multi sub forms.

Open source dependency version: 6.6.0.18

3.8.16

Contains log4j version 2.17.0, which fixes two additional security vulnerabilities. See the dedicated page around the Log4Shell vulnerability for more information

Open source dependency version: 6.6.0.18

3.8.17

• Added interceptor interface (ControlInterceptor) to Flowable Control that can be used to implement audit logic for changes made through Control such as updating a variable value or doing a new deployment.

• Added onEvent functionality to the form engine which can be used for adding specific logic to the form handling, more information is available here https://documentation.flowable.com/latest/forms/basic-events

• Added support for 2 new history levels in the BPMN engine with "instance" and "task". Instance history level only stores the process instance entry in the historic process instance table. The task level adds the user tasks to the historic tables. So no activity, variable or other information will be stored, by default, in the historic tables.

• Added support for defining a case definition specific history level in Flowable Design and Platform.

• Added support for 2 new history levels in the CMMN engine with "instance" and "task". Instance history level only stores the case instance entry in the historic case instance table. The task level adds the human tasks to the historic tables. So no plan item instance, variable or other information will be stored, by default, in the historic tables.

• Added support for defining which activity elements in a BPMN and CMMN definition should be included in the historic tables when using an "instance" or "task" history level.

• Added support for defining which variables in a BPMN and CMMN definition should be included in the historic tables when using an "instance" or "task" history level.

• Added support for running Flowable Work without Elasticsearch with setting the following property value to false: flowable.indexing.enabled.

There are limitations when running Flowable Work without Elasticsearch:

• Reporting is not supported (this uses Elasticsearch queries).
• The platform-api/search REST services are not supported as they require Elasticsearch.
• Conversations and messages (Flowable Engage) are not supported.

• Flowable Control has been changed to query the runtime tables for CMMN and BPMN instances and tasks when querying for active instances.

• Spring boot has been upgraded to 2.3.12.RELEASE

Open source dependency version: 6.6.0.20