core/src/main/java/se/su/dsv/scipro/workerthreads/AbstractWorker.java

@@ -1,9 +1,6 @@
 package se.su.dsv.scipro.workerthreads;
 
 import jakarta.inject.Inject;
-import jakarta.inject.Provider;
-import jakarta.persistence.EntityManager;
-import jakarta.persistence.EntityTransaction;
 import java.util.Date;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -58,6 +55,22 @@ public abstract class AbstractWorker implements Worker {
              * Do manually transaction-handled work
              */
             try {
+                // When the switch from Guice to Spring happened all workers became singletons
+                // because that's the default in Spring. In Guice they were "prototype" scoped
+                // and therefore the worker object was re-created before each execution which
+                // reset the successfulWorker field to true.
+                //
+                // Now that they're singletons the field is never reset to true after a
+                // failure and the worker will be stuck in a failed state even after a
+                // subsequent successful run.
+                //
+                // TODO:
+                //  In the future this flag should be removed and any execution that does
+                //  not throw an exception should be considered successful.
+                //  If a worker needs to signal a non-exception as a failure that should
+                //  be an internal matter and not something the scheduler should consider.
+                setSuccessfulWorker(true);
+
                 doWork();
             } catch (RuntimeException ex) {
                 LOGGER.info("Worker {} threw an exception", getClass().getSimpleName());

core/src/main/xsd/daisy_api.xsd

@@ -75,6 +75,8 @@
         <xs:sequence>
             <xs:element name="level" type="educationalLevel" minOccurs="1">
             </xs:element>
+            <xs:element name="courseCredits" type="xs:decimal" minOccurs="0">
+            </xs:element>
             <xs:element name="department" type="serializableUnit" minOccurs="1">
             </xs:element>
         </xs:sequence>
@@ -615,6 +617,8 @@
             </xs:element>
             <xs:element name="break" type="xs:boolean" minOccurs="1">
             </xs:element>
+            <xs:element name="reparticipant" type="xs:boolean" minOccurs="1">
+            </xs:element>
             <xs:element name="inactive" type="xs:boolean" minOccurs="1">
             </xs:element>
             <xs:element name="userName" type="xs:string" minOccurs="0">

daisy-integration/src/main/java/se/su/dsv/scipro/io/impl/ExternalExporterDaisyImpl.java

@@ -2,9 +2,8 @@ package se.su.dsv.scipro.io.impl;
 
 import jakarta.inject.Inject;
 import jakarta.ws.rs.core.Response;
+import java.math.BigDecimal;
 import java.util.Calendar;
-import java.util.HashMap;
-import java.util.Map;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import se.su.dsv.scipro.daisyExternal.http.DaisyAPI;
@@ -13,7 +12,6 @@ import se.su.dsv.scipro.io.dto.*;
 import se.su.dsv.scipro.io.exceptions.ExternalExportException;
 import se.su.dsv.scipro.project.Project;
 import se.su.dsv.scipro.reusable.SciProUtilities;
-import se.su.dsv.scipro.system.DegreeType;
 import se.su.dsv.scipro.system.Unit;
 import se.su.dsv.scipro.system.User;
 
@@ -23,14 +21,6 @@ public class ExternalExporterDaisyImpl implements ExternalExporter {
 
     static final int MAX_TITLE_LENGTH = 255;
     private static final int DSV = 4;
-    private static Map<DegreeType, EducationalLevel> classMap = new HashMap<>() {
-        {
-            put(DegreeType.NONE, EducationalLevel.UNKNOWN);
-            put(DegreeType.BACHELOR, EducationalLevel.FIRST_CYCLE);
-            put(DegreeType.MAGISTER, EducationalLevel.SECOND_CYCLE);
-            put(DegreeType.MASTER, EducationalLevel.SECOND_CYCLE);
-        }
-    };
 
     private final DaisyAPI api;
 
@@ -82,7 +72,21 @@ public class ExternalExporterDaisyImpl implements ExternalExporter {
     }
 
     private EducationalLevel toDaisyLevel(Project project) {
-        return classMap.get(project.getProjectTypeDegreeType());
+        return switch (project.getProjectTypeDegreeType()) {
+            case NONE -> EducationalLevel.UNKNOWN;
+            case BACHELOR -> EducationalLevel.FIRST_CYCLE;
+            case MAGISTER -> EducationalLevel.SECOND_CYCLE;
+            case MASTER -> EducationalLevel.SECOND_CYCLE;
+        };
+    }
+
+    private static BigDecimal toDaisyCredits(Project project) {
+        return switch (project.getProjectTypeDegreeType()) {
+            case BACHELOR -> BigDecimal.valueOf(15);
+            case MAGISTER -> BigDecimal.valueOf(15);
+            case MASTER -> BigDecimal.valueOf(30);
+            case NONE -> null;
+        };
     }
 
     @Override
@@ -95,6 +99,7 @@ public class ExternalExporterDaisyImpl implements ExternalExporter {
         AddThesisAuthorCourse authorCourse = new AddThesisAuthorCourse();
         authorCourse.setLevel(toDaisyLevel(project));
         authorCourse.setDepartment(department);
+        authorCourse.setCourseCredits(toDaisyCredits(project));
 
         AddThesisAuthor addThesisAuthor = new AddThesisAuthor();
         addThesisAuthor.setCourse(authorCourse);

owasp.xml

@@ -72,4 +72,22 @@
         </notes>
         <cve>CVE-2024-23076</cve>
     </suppress>
+    <suppress>
+        <notes>
+            https://nvd.nist.gov/vuln/detail/CVE-2024-49203
+            https://github.com/querydsl/querydsl/issues/3757
+
+            Basically if you allow untrusted user input to be used in the "ORDER BY" clause
+            you can be vulnerable to SQL injection.
+
+            I believe this is nonsense and akin to saying every Java application has a
+            security vulnerability because JDBC allows you to execute arbitrary SQL if you
+            do not properly use PreparedStatement with parameters over a string-concatenated
+            Statement.
+
+            Even if this is considered a valid vulnerability we do not, currently, allow
+            untrusted user input to be used in the "ORDER BY" clause.
+        </notes>
+        <cve>CVE-2024-49203</cve>
+    </suppress>
 </suppressions>