LabKey · github-actions · Jun 11, 2025 · May 28, 2025 · Jun 2, 2025 · Jun 3, 2025
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
@@ -185,4 +185,36 @@
         <packageUrl regex="true">^pkg:maven/org\.labkey\.api/labkey-client-api@.*$</packageUrl>
         <cve>CVE-2019-3913</cve>
     </suppress>
+
+    <!-- False positive - mxparser is not XStream -->
+    <suppress>
+        <notes><![CDATA[
+    file name: mxparser-1.2.2.jar
+    ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.github\.x-stream/mxparser@.*$</packageUrl>
+        <cpe>cpe:/a:xstream:xstream</cpe>
+    </suppress>
+
+    <!-- False positives - bzip2 from a different source -->
+    <suppress>
+       <notes><![CDATA[
+       file name: bzip2-0.9.1.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.itadaki/bzip2@.*$</packageUrl>
+       <cve>CVE-2019-12900</cve>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+       file name: bzip2-0.9.1.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.itadaki/bzip2@.*$</packageUrl>
+       <cve>CVE-2010-0405</cve>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+       file name: bzip2-0.9.1.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/org\.itadaki/bzip2@.*$</packageUrl>
+       <cve>CVE-2005-1260</cve>
+    </suppress>
 </suppressions>
diff --git a/gradle.properties b/gradle.properties
@@ -121,7 +121,7 @@ commonmarkVersion=0.24.0
 
 # the beanutils version is not the default version brought from commons-validator and/or commons-digester
 # in the :server:api module but is required for some of our code to compile
-commonsBeanutilsVersion=1.10.1
+commonsBeanutilsVersion=1.11.0
 commonsCodecVersion=1.18.0
 commonsCollections4Version=4.5.0
 commonsCollectionsVersion=3.2.2

diff --git a/server/configs/application.properties b/server/configs/application.properties
@@ -58,6 +58,7 @@ context.encryptionKey=@@encryptionKey@@
 #context.additionalWebapps.firstContextPath=/my/webapp/path
 #context.additionalWebapps.secondContextPath=/my/other/webapp/path
 
+#context.externalModules=/path/to/external/modules/dir
 #context.requiredModules=
 #context.pipelineConfig=/path/to/pipeline/config/dir
 #context.serverGUID=

diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -441,6 +441,8 @@ public static class ContextProperties
         private String contextPath = "";
         private String pipelineConfig;
         private String requiredModules;
+        /** Path to external modules directory */
+        private String externalModules;
         private boolean bypass2FA = false;
         private String serverGUID;
         private Integer httpPort;
@@ -586,6 +588,16 @@ public void setRequiredModules(String requiredModules)
             this.requiredModules = requiredModules;
         }
 
+        public String getExternalModules()
+        {
+            return externalModules;
+        }
+
+        public void setExternalModules(String externalModules)
+        {
+            this.externalModules = externalModules;
+        }
+
         public boolean isBypass2FA()
         {
             return bypass2FA;

diff --git a/server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java b/server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java
@@ -175,6 +175,11 @@ protected TomcatWebServer getTomcatWebServer(Tomcat tomcat)
                 {
                     context.addParameter("requiredModules", contextProperties.getRequiredModules());
                 }
+                if (contextProperties.getExternalModules() != null)
+                {
+                    // We've long supported configuring this via a system property so propagate the value
+                    System.setProperty("labkey.externalModulesDir", contextProperties.getExternalModules());
+                }
                 if (contextProperties.getPipelineConfig() != null)
                 {
                     context.addParameter("org.labkey.api.pipeline.config", contextProperties.getPipelineConfig());