XNAT 1.9.0 Release Notes
XNAT 1.9.0 represents a major effort to update foundational libraries and dependencies on which XNAT is built. The motivation for this effort is to move toward compliance with a SOC2 security audit. To that end, the XNAT team conducted its own codebase analysis against known CVEs, and discovered 133 addressable findings, which are classified as follows:
Critical Risk: 43
High Risk: 72
Medium / Low / Unknown: 18
Of these findings, here is how we adjudicated the actual risk to XNAT:
False Positive: 88
Mitigated: 39
Acceptable Risk: 6
However, even for those CVEs that we deemed a “False Positive”, in most cases we performed an update anyway – either to address another CVE, or simply to avoid the perception of an issue that false positives can create.
Our approach to addressing these fell into three categories:
Updating the dependency library and the code that uses it
Removing the library entirely for deprecated classes and elements
Migrating dependencies out of XNAT core and into a plugin
The third approach was reserved for the XNAT Pipeline Engine, which has now been fully deprecated as of XNAT 1.9.0. Those institutions that still depend on pipelines for their processing execution can install the newly created Pipeline Engine Plugin. Since this plugin does contain documented instances of dependencies with known CVEs, please use with appropriate caution.
Related Documentation:
For a full list of dependency updates, please see XNAT 1.9 Dependency Updates
For plugin development documentation related to these updates, see Updating Plugins for Changes in XNAT Dependencies
Other Updates
As part of the dependency update to the ehcache library, additional possibilities related to configuring and enabling distributed caching have been unlocked. However, this set of functionality is not expected to be fully fleshed out until a future release.
This release comes packaged with minor updates to the DicomEdit 6.7 library – dependency changes for compatibility as well as performance improvements and a couple of critical bugfixes in handling of the lists feature introduced in DE 6.6. Updates are listed in the DicomEdit 6.7 Release Notes.
In addition, a series of minor bugfixes and improvements were included in this release, including:
XNAT-8094: Improve project selection and deselection in custom form configuration UI
XNAT-8075: Fix display bug when sharing a subject with a large number of experiments
XNAT-8143: Allow for longer history objects in CT scan tables. Note that this has a known issue in implementation that we have published a manual hotfix for.
Known Plugin Compatibility Issues
Plugin / Version | Compatibility Notes | Planned Fix |
---|---|---|
Container Service 3.4.x – 3.5.0 | Not supported in XNAT 1.9 | Version 3.6.0 |
DQR 2.0.x | Not supported in XNAT 1.9 | Version 2.1.0 |
XSync 1.7.0 | Not supported in XNAT 1.9 | Version 1.8.0 |
XNAT-OHIF 3.6.3 | Not supported in XNAT 1.9 | Version 3.7.0 |
Batch Launch 0.6.0 | Partially Supported | Version 0.6.0 can be run with the Pipeline Engine Plugin installed. Version 0.7.0 has been released to run without the dependency on the Pipeline Engine. |
LDAP Auth 1.1.0 | Supported | |
OpenID Auth 1.3.1 | Supported | |
JupyterHub Integration 1.2.0 | Supported | |
Plugin Deprecation Notice for ML & Datasets
Coinciding with this release, we are deciding to officially deprecate the ML and Datasets plugins. This was a difficult decision, considering that the XNAT ML and Datasets plugins were the result of more than a year’s intensive development that began with a demo challenge partnering with NVIDIA for RSNA 2019. However, support for AI and ML work in XNAT continues in other forms, via the JupyterHub Integration and the ability to connect the XNAT OHIF Viewer to AI-Assisted Annotation devices.
See: Full ML & Datasets Plugin Deprecation Announcement and Instructions