Skip to main content

Flowable 3.9.x Release Notes

Initial release 3.9.0, March 25, 2021

Important

Due to a potential RCE (Remote Code Execution) security exploit in the Spring framework, customers using the out-of-the-box WAR artifacts for Design/Control/Work/Engage are urgently advised to upgrade to version 3.9.14 immediately. See the dedicated page around this vulnerability for the latest information.

Introduction

The Flowable product comprises:

  • Flowable Work, a process and case management platform with an out-of-the-box user interface.
  • Flowable Engage, built on top of Flowable Work, adding conversations and external connectivity to WeChat, Whatsapp and others.
  • Flowable Design, a modeling environment to create BPMN, CMMN, DMN, Form and other model types that run in Platform/Work/Engage.
  • Flowable Control, an administration tool that can be used to manage the Flowable Platform / Work / Engage environments.
  • Flowable Inspect, a debugging and test component that can be used with Flowable Work and Engage.

These products are built on top of the Flowable Open Source project which can be found at Github.

Documentation

The Flowable Open Source project also has extensive documentation available which can be found at https://flowable.org/documentation.html.

Highlights

Flowable Work Services

  • Add support to define a variable aggregation configuration on multi instance elements on BPMN activities and repetition CMMN plan item definitions. A new collection variable can be constructed and variables and expressions can be defined to create the item objects in the collection.

  • Added support for method overloading in JUEL / backend expressions. The method lookup logic now takes into account the parameter types to find the correct method. This for example can be used in expressions with JSON objects using the Jackson API like ${myJsonObject.put('test', 1)}.

  • The Flowable Database Configuration property has been enhanced to support creating multiple properties for a given namespace + name + tenantId combination. Additionally it also supports setting an owner (through identity links).

  • Added support for using a request body in DELETE REST API calls in the service registry engine.

Flowable Work User Interface

  • Added support for user favourites in data tables. Each user can store the state of a data table with filtering, sorting, column ordering and column sizing in a user favourite and make it available as the default config for that table for a user or make it available as a quick link so it's easily accessible.

  • Improve support for multiple action buttons in different sub forms of a parent form. Action ids won't conflict with each other anymore.

  • When the dynamic values of an url changes for an autoexecute button it will be executed again, if the autoexecute expression evaluates to true.

  • The labs view to enable/disable features is only available when a feature flag labs is present.

  • Added option to disable the forms debug option with a feature flag disableFormsDebug.

  • The database content storage functionality can now be enabled with a property flowable.content.storage.type=db.

Flowable Engage

  • Added a Line adapter to support sending messages to and receiving messages from Line.

  • Added support for incoming messages to not update the unread count of conversation filters and added option to prevent a conversation for an incoming message to move to the top. This is mainly useful for digital agent or other system messages that don't need the attention of Engage users.

  • Added support for sending and receiving images for WeChat.

  • The conversation message box can be disabled when the conversation has a tag that is configured with the flowable.frontend.engageReadOnlyTags property. Also the alwaysLoadConversation feature flag needs to enabled to make sure the conversation tags are loaded on every conversation click.

Flowable Design

  • Added support for defining more than one tag on a model. Previously it was only possible to define one tag. It's also possible to search on models with a one or more tags in the list views.

  • When locking a model, the latest state for that model will be retrieved to make sure that the Design user always works with the latest model state.

  • Improved performance of opening models within apps that have a lot of model references.

  • Improved the handling of large model repositories with paging.

Flowable Control

  • Added a system information section that shows environment info and job info. In the environment info view information about the DB connection pool, the license, memory usage, logging config and more is shown. In the job info view the async, timer and history job information is shown, together with the task and async executor information.

  • In the environment info view the functionality to change the DB connection pool settings like max pool size is added.

  • In the job info view the it's possible to change the async executor configuration for the BPMN, CMMN and history async executors.

  • Added a license check for Flowable Control. There's a new property to set the license check to be database based with: flowable.control.app.db-store-enabled=true. When the database based license check is used, then the license needs to be uploaded via the settings menu available in the left bottom of Flowable Control. There's also the option to use file based license checks, similar to Flowable Design. A license with Flowable Control or Flowable Design or Flowable Work or Flowable Engage is needed to make the license check work in Control.

Upgrade information

  • The ServiceInvocationBuilder#invoke() method has a new type (ServiceInvocationResultResponse) that will contain the mapped values. In case you need to access the result returned by the low level service invoker you can get a hold of it through ServiceInvocationResultResponse#getServiceInvocationResponse.

  • Due to the changes for the ConfigurationProperty the ConfigurationService#createConfigurationPropertyBuilder(String, String) will always create a new property. Review your usages and change the updates to ConfigurationService#createUpdateConfigurationPropertyBuilder(String).

Database changes

  • The unique constraint FLW_UQ_CON_PROP_TENANT_NS_NAME from the FLW_CONFIGURATION_PROPERTY table has been removed and has been replaced with a normal index FLW_CON_PROP_NS_NAME_TENANT on the namespace, name and tenant id.

  • The type of the NAME_ column from the FLW_CONFIGURATION_PROPERTY table has been changed from varchar(64) to varchar(255)

Spring Boot

  • Base Spring Boot version should be upgraded to at least 2.4.4

Open Source Artifacts Dependency Compatibility

Releases of Flowable Design, Work and Engage use versions of the open source Flowable dependencies that have not yet been published publicly on the Maven Central repository. These 'bugfix releases' can be retrieved by customers using the customer Flowable Maven repository credentials.

These versions contain fixes and have been QA'ed with the 3.9.0 release. It's advised to upgrade your open source dependendencies to the 'compatible' version mentioned below (and mentioned in the subsequent Service Packs section)

Open source dependency version: 6.6.1.12

Service Packs

3.9.1

  • Fixed issue with manually typing in a date with defined date formatting e.g. DD.MM.YYYY.

  • Fixed issue with migrating existing model tags in Flowable Design from a version before 3.9.0.

  • Solved issue with slow loading job views in Flowable Control with improved definition loading.

  • Fixed issue with importing edoras one models with a property using an expression with [[myExpression]] syntax.

Open source dependency version: 6.6.1.12

3.9.2

  • Added support for passing variables when sending signal events to a case instance.

  • Fixed issue for event registry start events with the configuration that only one instance can exist for a defined correlation key. Now all definition versions are taken into account instead of only the latest definition version.

  • Fixed issue where values are incorrectly mapped from String to Long in the service registry engine.

  • Fixed issue with duplicate entries using infinite scrolling for data tables on a slow network.

  • Fixed issue with the service registry task not storing the result in the output variable name when no output parameters are defined.

  • Added support for hasValue and fixed issue with missing nested values in document templates with Aspose.

  • Fixed issue with emojis not getting displayed correctly on Windows for emojis that are not available as part of the Windows operating system.

  • Fixed issue with unlocking work model types in Flowable Design.

  • Fixed issue with multi instance plan items not getting synchronized to the history tables.

  • Fixed issue with historic task instances not getting deleted when deleting an historic case instance.

  • Entity links are not created anymore for non-blocking process and case tasks in a CMMN model.

  • Fixed issue with parameter types not getting exported correctly for Service Registry models linked to Data Object models.

  • Upgraded Spring Boot from version 2.4.4 to 2.4.6.

Open source dependency version: 6.6.1.14

3.9.3

  • Improved the user details update to not include all identity variables by default like __flowablePresence. This prevents possible conflicts when doing batch user updates.

  • Conversations will be made editable / read-only when a Whatsapp timeout or client message is sent. Also when the conversation is currently viewed in Flowable Engage.

  • Fixed an issue where content items were not created when used in multi sub forms.

  • Fixed issue where output parameters were not processed when there are no DB results found with service registry calls. A new property flowable.tasks.service-registry has been added to keep ignoring no DB results when necessary.

  • Added support for expressions for data table favorites.

  • Fixed issue where data table favorites added for collapse panels were not shown when expanding the panel again.

  • Fixed issue with infinite scrolling with filtering happening server side.

  • Fixed issue where a new multi sub form row caused other sub form row data to be removed.

  • Fixed issue where tab deletion didn't work correctly in Flowable Design.

  • Full stacktrace information is now shown for deadletter jobs in the BPMN engine view in Flowable Control.

  • Fixed issue with the encoding of filenames with Chinese (double-byte) characters.

  • Added option to ignore the version timestamp values for template deployments with the flowable.template.check-version-timestamp=false property.

Open source dependency version: 6.6.1.16

3.9.4

  • Fixed issue with the repeat value not getting copied for timer jobs when a bulk insert on Oracle was used. This could cause a repeating timer to not repeat anymore.

Open source dependency version: 6.6.1.16

3.9.5

  • Fixed issue where a data table didn't show data when the favourite feature is disabled.

  • Fixed issue where changes in the variable binding in a query url were not reflected in a data table.

  • When a custom error message is sent by an Action bot, it is now shown in the action model when executing an action button.

Open source dependency version: 6.6.1.17

3.9.6

  • Added support for displaying new Whatsapp emojis on Windows.

  • Fixed issue where a REST button was not working correctly in a button group.

Open source dependency version: 6.6.1.17

3.9.7

  • Fixed issue where the new Whatsapp emoji's were not displayed correctly.

Open source dependency version: 6.6.1.17

3.9.8

  • Fixed issue with multi language text in an user event listener form.

  • Fixed issue with link modal disappearing when selecting in the rich text editor.

  • For the embedded mobile view in Flowable Engage, the attachment icon now follows the attachment feature flag.

  • Fixed issue with disconnecting websocket connection not setting the presence flag to offline.

  • Fixed issue where a custom request parameter in a url caused the create dialog to not function correctly.

  • The modal button text now supports multi language text.

Open source dependency version: 6.6.1.18

3.9.9

  • Fixed issue where the case view was showing a completed task in editable instead of read-only mode.

  • Fixed issue where the user in the list was not shown after deactivating the user in the contacts app.

  • Fixed issue with retrieving content items that are being stored as a serializable variable type.

  • Fixed issue with an ignored panel still changing the payload of a form.

  • Added two new FE functions to work with HTML and scripting content in forms:

    1. flw.sanitizeHtml(dirtyHtml) for sanitizing from XSS attacks any HTML string.
    2. flw.escapeHtml(html) for escaping any HTML to print it instead of rendering it on the DOM
  • Fixed issue where the add button of a multi sub form was not working.

  • Fixed issue with a data table breaking the layout when changing the column size.

Open source dependency version: 6.6.1.19

3.9.10

This version fixes an important security issue and customers are advised to upgrade to this version immediately.

Without the fix included in this version, an RCE (Remote Code Execution) exploit might be possible. The RCE exploit is due to a vulnerability in the logging dependency. All information about it can be found here: Github Security Advisory

Affected products:

  • Flowable Design default WAR distribution and Docker image version < 3.9.10
  • Flowable Control default WAR distribution and Docker image version < 3.9.10
  • Flowable Work default WAR distribution and Docker image version < 3.9.10
  • Flowable Engage default WAR distribution and Docker image version < 3.9.10

Fix versions are also released for customers on other versions. Versions 3.10.6+, 3.8.15+ and 3.7.10+ contain the same fix.

In case it's not possible to upgrade immediately, the RCE exploit can be disabled by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true or pass the log4j2.formatMsgNoLookups=true as system property

When not using the default distributables (for example in a custom Maven or Gradle project) you might be affected if you have added the log4j dependency to your project explicitly. For Maven, run mvn dependency:tree | grep log4j-core on the command line and make sure the version is 2.15.0 or higher. If not, upgrade the dependency in your configuration to minimally 2.15.0.

Other fixes in this version:

  • Fixed issue where the distributed lock was not released properly.

Open source dependency version: 6.6.1.20

3.9.11

Contains log4j version 2.16.0, which fixes a second security vulnerability. See the dedicated page around the Log4Shell vulnerability for more information

Open source dependency version: 6.6.1.20

3.9.12

Contains log4j version 2.17.0, which fixes a third security vulnerability. See the dedicated page around the Log4Shell vulnerability for more information

Open source dependency version: 6.6.1.20

3.9.13

  • Added interceptor interface (ControlInterceptor) to Flowable Control that can be used to implement audit logic for changes made through Control such as updating a variable value or doing a new deployment.

  • Added onEvent functionality to the form engine which can be used for adding specific logic to the form handling, more information is available here https://documentation.flowable.com/latest/forms/basic-events

  • Added support for 2 new history levels in the BPMN engine with "instance" and "task". Instance history level only stores the process instance entry in the historic process instance table. The task level adds the user tasks to the historic tables. So no activity, variable or other information will be stored, by default, in the historic tables.

  • Added support for defining a case definition specific history level in Flowable Design and Platform.

  • Added support for 2 new history levels in the CMMN engine with "instance" and "task". Instance history level only stores the case instance entry in the historic case instance table. The task level adds the human tasks to the historic tables. So no plan item instance, variable or other information will be stored, by default, in the historic tables.

  • Added support for defining which activity elements in a BPMN and CMMN definition should be included in the historic tables when using an "instance" or "task" history level.

  • Added support for defining which variables in a BPMN and CMMN definition should be included in the historic tables when using an "instance" or "task" history level.

  • Flowable Control has been changed to query the runtime tables for CMMN and BPMN instances and tasks when querying for active instances.

  • Fixed issue with a repeating timer event listener with an available condition creating multiple parallel timer jobs.

  • Spring boot has been upgraded to 2.4.13

Open source dependency version: 6.6.1.24

3.9.14

Open source dependency version: 6.6.1.24