Snow Owl v10.1.0

Java Runtime

Starting from 10.1.0, Snow Owl requires Java 25 both compile and runtime. (#1483)

FHIR

• Support loading FHIR npm packages from official registries or through custom upload (#1503)
  • This is a Preview feature that will reach its final state in future releases
  • NOTE: this is a Pro feature that requires a license to test out
• SNOMED CT URI handling improvements to allow the generic base http://snomed.info/sct URI to be used in system and url arguments (#1497)
  • Response CodeSystems now properly set the url and version fields to their respective SNOMED URI values
• Support date parameter in CodeSystem and ValueSet validate-code and expand operations (#1500)
• Add back support for implicit SNOMED CT URLs in ValueSet$validate-code operations (#1505)
• Eliminate unnecessary calls to optimize FHIR operation performance by ~400% (#1505)

Security

• Mitigate security vulnerabilities CVE-2026-22732, CVE-2026-2950, CVE-2026-4800, CVE-2026-39363, CVE-2026-39364, CVE-2026-39365, CVE-2026-40175, CVE-2025-62718, GHSA-r4q5-vmmm-2653, CVE-2026-3505, CVE-2026-2332

Bugs/Improvements

• [config] rename emailClaimProperty to userIdClaimProperty in snowowl.yml configuration
• [config] remove old concrete domain model configuration options from snowowl.yml (#1488)
• [config] move MRCM configuration to resource settings to allow for per SNOMED CT Edition customization (#1495)
• [core] fail job scheduling if parameters cannot be serialized (#1481)
• [validation] simplify and fix validation rule80 implementation (#1504)
• [fhir] prevent deadlock when trying to fetch FHIR CapabilityStatement and serialize FHIR models in logs (#1492)
• [fhir] support storing and retrieving the caseSensitive property of FHIR CodeSystem (#1499)
• [ci] update mvn wrapper to 3.3.4
• [packaging] remove support for deb and rpm packaging (#1484)

Dependencies

• Bump Eclipse Platform to 2026-03 (e4.39)
• Bump EMF to 2.45.0
• Bump Xtext/Xtend to 2.42.0
• Bump Jetty to 12.1.8
• Bump SLF4J to 2.0.17 and Logback to 1.5.32
• Bump Groovy to 5.0.5
• Bump fhir-core to 0.6.0
• Bump bouncycastle to 1.83.0
• Bump swagger to 2.2.43
• Bump Spring to 6.2.17
• Bump Spring Security to 6.5.10
• Bump bucket4j to 8.17.0
• Bump Netty to 4.1.132.Final
• Bump commons-lang3 to 3.20.0
• Bump testcontainers to 2.0.4
• Bump rest-assured to 6.0.0
• Bump ASM to 9.9.1
• Bump assertj-core to 3.27.7
• Bump mockito to 5.21.0
• Bump bytebuddy to 1.18.5
• Bump Tycho to 5.0.2
• Bump Jacoco to 0.8.14

Snow Owl v10.0.0

Breaking changes

Concept Maps

The internal Concept Map domain representation in the paid version of Snow Owl has been rewritten to be more aligned with the official FHIR R5 specification.
Additionally the system has been improved to allow more precise map target definitions, noMap representations and workflow related information to be stored in the mappings.

Dropped support for Elasticsearch 7

Elasticsearch 7 reached EOL earlier this year and Snow Owl 10 is no longer able to connect to clusters running that version. Migrate your cluster to Elasticsearch 8 using one of the official ES guides and reconnect to them using the new Snow Owl version.
Please note that Elasticsearch 9 is not supported yet, that support will arrive in a feature version on the 10.x dev stream. See PR #1446 for more details.

Core

• Job API improvements

  • Support filtering based on the job key field (8ae90e8)

• Import API consolidation (#1449 and also paid version changes to ICD-10, LOINC and Local Codes)

  • For various healthcare standards their specified import API now follows the async semantics of the SNOMED CT RF2 Import API making it easier to implement scripts/clients against them in a generic way.

SNOMED CT

• Support * wildcard Accept-Language header values that resolve to any available description in case the preceeding accept values did not match anything (#1448)
  • Example use case: hu,* where * will match any other description if a concept does not a PT in Hungarian
  • This allows user interfaces and clients to display a concept term in all scenarios and not the identifier of the concept even if that term is from a different language
• Remove generation of Concept non-current (CNC) indicators when inactivating SNOMED CT Concepts in authoring scenarios (#1458)
  • Also remove the use of CNC indicators in any validation rule or business logic and replace it with checking the status of the corresponding concept
  • Handling of CNC indicators during concept reactivation has been kept to ensure that they become inactive in all use cases

Concept Map

• New, dynamic Excel/CSV Import API (paid tier)
  • Supports any format through column mapping from CSV like file
• New, CSV Export API (paid tier)
  • Exports all critical mapping information into a delimiter separate text file

Security

• Mitigate security vulnerabilities CVE-2025-66566, CVE-2025-68161, CVE-2025-12183, CVE-2025-15284, CVE-2025-62522, CVE-2025-64718, CVE-2025-13465, CVE-2026-2391, CVE-2026-25639, CVE-2026-26996, GHSA-xxh7-fcf3-rj7f, GHSA-72hv-8253-57qq (#1436, #1440, #1441, 9d60bf0, #1470)

Bugs/Improvements

• [index] resolve potential document revision duplication issue appearing after upgrading a codesystem to a newer dependency in certain special cases (#1450)
• [index] fixed an issue where scoring in nested queries did not propagate properly to the overall document score, resulting in zero or incorrect scores (#1434)
• [index] support refresh policy to be defined on a document level allowing the index refresh of certain documents to be deferred (#1471)
• [core] ensure that single value set members can be paged through the generic member search API when requested (a690ab4)
• [core] make query based resource URIs more resilient to special characters that appear often in expressions (#1469)
• [snomed] allow a smaller set of classification results to be retrieved from the API (#1467)
• [fhir] automatically generate CodeSystem.valueSet field URL value for SNOMED CT CodeSystems that can be implicitly resolved in an $expand operation (#1425)
• [build] restrict GitHub token access to read-only to disallow malicious PRs stealing key credentials or information (#1461)

Dependencies

• Replace embedded lz4-java with at.yawk.lz4:lz4-java:1.10.2
• Bump Jetty to 12.0.32
• Bump Jackson libraries to 2.21.1
• Bump ASM to 9.9.0

Snow Owl v9.8.1

Bugs/Improvements

• [index] enforce scoring requirement in Elasticsearch queries; prevent disabling when required (#1424)
• [core] make terminology resource dependency overrides null safe (#1427)
• [ci] improve build pipeline stability (#1431)
• [ci] make build notifications platform independent (4201b41)

Snow Owl v9.8.0

Core

• lexical concept suggester is now generally available (#1417, #1418)

  • This suggester uses an improved and accurate keyword matching strategy than the term suggester
  • Ensures that scores are always in the 0..1 range where 1.0 is usually an exact, high confidence match, while values closer to zero are less confident matches
  • In case matches would receive the same scores the system will sort them by term length, shorter to longer

• Restore some missing terminology resource upgrade related capabilities from 7.x (#1411)

  • Introduce upgradeInfo expandable property on upgradeOf scoped dependencies

• Job Schema Upgrades (#1417)

  • Add a type property that can be used to filter job types based on the executed request hierarchy
  • Job async execution context is now behaving the same as sync request execution context

SNOMED CT

• Improved namespace related information management in SNOMED CT CodeSystem resources (#1401)
  • namespace setting is the 7 digit namespace identifier assigned for a SNOMED CT Extension
  • namespaceConceptId are the actual conceptId holding the identifier in its description

Security

• Mitigate security vulnerabilities: CVE-2025-41248, CVE-2025-41249, CVE-2025-41242, CVE-2025-58751, CVE-2025-58752, CVE-2025-58754

Bugs/Improvements

• [index] support min_score clauses when executing an Elasticsearch query (bc9101f)
• [core] fixed an issue where invalid authentication token can bypass the authentication verification and can result in a HTTP 500 error later (e61d60a)
• [snomed] ensure that module dependency conflicts get auto-resolved during upgrades (#1402)
• [api] prevent empty dependencies array from materialization when retrieving a resource without selecting the dependencies field (4de14be)
• [api] resolve some OpenAPI specification consumption issues by improving the generated spec (#1404)
• [fhir] includeDesignations now properly returns all designations for a concept and also display proper labels for acceptability and type values (#1422)
• [build] exclude org.hl7.fhir and subpackages from jacoco code coverage (32589d4)

Dependencies

• Bump Jackson to 2.19.2
• Bump Spring to 6.2.11
• Bump Spring Security to 6.5.5
• Bump SpringDoc to 2.8.13
• Bump Swagger to 2.2.36

Snow Owl v9.7.2

Bugs/Improvements

• [index] resolve upgrade issue with no longer applicable revisions considered during revision compare (#1398)
• [core] additional term filter (regex, wildcard) infrastructure for request API implementors (#1397)
• [api] ensure that large zip files properly get uploaded without making them broken (#1394)
• [log] support JSON log formatting via logback logstash encoder (#1395)

Security

• GHSA-xffm-g5w8-qvg7, CVE-2025-7783, CVE-2025-48924, CVE-2025-22233, CVE-2025-41234 (#1400) and many others via Eclipse and Jetty upgrade (#1394)

Dependencies

• Eclipse Platform to 4.35 (2025-03)
• Bump Jetty to 12.0.21
• Bump EMF to 2.42.0
• Bump Xtext to 2.38.0
• Bump Bouncycastle to 1.80.0
• Bump SLF4J to 2.0.16 and Logback to 1.5.16
• Bump OWLAPI to 4.5.27.b2i and Protege to 5.0.8.b2i
• Bump fastutil to 8.5.16
• FHIR Core to 0.3.2
• Bump Spring to 6.2.9
• Bump Spring Security to 6.5.2
• Bump SpringDoc to 2.8.9
• Bump Swagger to 2.2.30
• Bump micrometer to 1.14.9
• Bump Apache Commong Lang3 to 3.18.0
• Bump AssertJ to 3.27.3

Snow Owl v9.7.1

Bugs/Improvements

• [snomed] fixed an issue where persisting certain changes from a server-side Groovy script could lead to missing authorization token issues (#1391)
• [snomed] fix an issue where exporting a SNOMED CT References to DSV format could result in incorrectly formatted export when a given concept does not have a value for a selected property (#1387)
• [snomed] fix a potential NPE when running validation rule 663 (#1389)
• [snomed] fixed an issue where old concrete data type reference set members were incorrectly imported to the system in case of invalid or missing data type to refsetId configuration (#1390)

Packaging

• Update base Docker image Ubuntu version to 24.04

Dependencies

• Bump embedded Elasticsearch to 7.17.28
• Bump Elasticsearch 8 client to 8.18.0
• Bump Jackson to 2.18.3
• Bump Spring to 6.2.6
• Bump Spring Security to 6.4.5
• Bump Spring Boot to 3.4.5
• Bump SpringDoc to 2.8.6
• Bump Swagger Jakarta to 2.2.29
• Bump micrometer to 1.14.5

Snow Owl v9.7.0

Java 21

This release changes the primary Java version from 17 LTS to 21 LTS. Release packages and docker images come with a pre-installed Eclipse Temurin build.

Bugs/Improvements

• [core] ensure that suggestion context considers only matching languages when determining search corpus (590fdb6)
• [api] prevent refreshing a token issued by another server (#1374)
• [api] ensure that proper response media type is present in SNOMED CT RF2 Export endpoint (c498a5d)
• [fhir] properly response with HTTP 400 when URL is not set in CodeSystem$validate-code (395abe7)
• [fhir] support two digit versions in $versions, _format and Accept header (#1382)
• [fhir] fixed an issue where submitting an R4 ConceptMap resulted in a no class def found error (962806e)

Security

• Mitigate CVE-2025-27152, CVE-2025-27789, CVE-2024-53382, CVE-2025-31486, CVE-2025-31125, CVE-2025-30208, CVE-2025-24010, CVE-2025-25193, CVE-2025-24970, CVE-2025-22223, CVE-2025-22228 security issues

Dependencies

• Add bouncycastle 1.77.0
• Bump Elasticsearch 8 client to 8.17.3
• Bump Groovy to 3.0.24
• Bump Spring to 6.2.5
• Bump Spring Security to 6.4.4
• Bump Netty to 4.1.119.Final
• Bump Apache Commons IO to 2.18.0
• Bump FHIR Core to 0.3.1
• Bump Tycho to 4.0.12

Snow Owl v9.6.0

Core

• Allow specifying and using multiple identity providers with the same type (#1364)
  • This allows system integrators to have multiple same type identity providers (e.g. file, ldap, jwks) in the snowowl.yml configuration file
  • Snow Owl will make sure that authorization headers coming from various identity providers will be properly recognized, even if there are other same type providers present in the system

Bugs/Improvements

• [index] ensure that stop_words are not included in the top token count when suggesting concepts (ef84836)
• [index] ensure the enum type field in document mapping does not produce JSON parse errors during confict detection (#1366)
• [core] ensure that min should match based term filtering in all APIs finds exact matches and prioritizes them over other matches (ad7ba13)
• [auth] introduce a read permission operation alias for browse (#1361)
• [auth] disallow token permission abuse when refreshing a previously generated API token (#1362)
• [auth] improve error message when trying authenticate without a kid token in a jwks provider (716c406)
• [auth] ensure that unprotected requests does not respond with HTTP 401 Unauthorized when the Authorization header contains an invalid value (#1368)

Snow Owl v9.5.2

Bugs/Improvements

• [core] add syntactic sugar getSync method for millisec based timeouts (c22cf5a)

Snow Owl v9.5.0

Core

• New, improved branch locking capabilities for more reliable lock management during transactions (#1353)

FHIR

• Support RFC7240 Prefer header (#1336)
  • Prefer handling=lenient and handling=strict are supported values
  • Default behavior is lenient to keep compatibility with older systems
• Improve compatibility with BCP-47 language tags (#1339)
  • Support the official SNOMED on FHIR BCP-47 private use language tag format

SNOMED CT

• Reintroduce and improved 7.x style SNOMED CT Reference Set to DSV exporter (Java API only) (#1349, #1351)

Security

• Mitigate CVE-2024-38821, CVE-2024-47764, CVE-2024-29025, CVE-2024-47535

Bugs/Improvements

• [core] fixed an issue where certain async executed requests would not propagate authorization information properly and resulted in missing authorization token errors (#1346)
• [snomed] prevent failing RF2 imports when an existing remote job document is too large for the current Elasticsearch sizing (#1344)
• [snomed] ensure that only RF2 Delta import generate actual visited component results in the remote job index (#1344)
• [snomed] exclude irrelevant axiom types when validation SNOMED CT content based on MRCM (#1342)
• [snomed] significantly improve performance of bulk SNOMED CT component inactivations by caching association refsets and skipping zero result query executions (#1350)

Dependencies

• Upgrade fhir-core to 0.2.0 (hl7.fhir.core 6.4.0)
• Upgrade Spring to 6.2.0
• Upgrade Spring Security to 6.4.1
• Upgrade SpringDoc to 2.7.0
• Upgrade Swagger libraries to 2.2.25
• Upgrade Netty to 4.1.115.Final
• Upgrade Tycho to 4.0.10