CIA Project End-of-Life (EOL) Strategy
Overview
The CIA Project will maintain its existing stack, utilizing javax.* dependencies and Vaadin 8, without transitioning to Jakarta namespaces. The project will reach EOL when compatibility with the latest JVM requires a Jakarta migration. Below is a structured plan to ensure stability, compatibility, and security until that point.
This strategy should be considered alongside the Financial Security Plan and Architecture Documentation to understand the full technical context.
EOL Objective
Primary Goal: Maintain the CIA project on its current stack without migrating to Jakarta namespaces, ending support only when essential updates require this shift.
For the current feature set that will be maintained under this strategy, see the CIA Features page.
Jetty 10 to Jetty 12 Transition Plan
- Current Web Server: The project currently uses Jetty 10.
- EOL for Jetty 10: Scheduled for 2026 (endoflife.date).
- Potential Move to Jetty 12: Jetty 12 supports both javax.servlet and Jakarta namespaces and has an EOL of 2028. Migrating to Jetty 12 would allow the CIA project to remain compatible with future JVMs while avoiding an architectural transition to Jakarta.
See README.md - Deployment Options for deployment considerations.
Ongoing Maintenance Strategy
JVM Compatibility
- JVM Monitoring: Regularly evaluate compatibility with new JVM versions.
- EOL Trigger: The project will officially end when updates require Jakarta namespaces for continued compatibility.
Dependency Updates
- Automated Minor and Security Updates: Dependabot and similar tools will manage minor updates and security patches across core libraries, including:
For security implementation details, see the Financial Security Plan.
ISMS Policy Governance
The ongoing maintenance strategy aligns with Hack23 AB's ISMS-PUBLIC framework to ensure systematic security management throughout the platform lifecycle.
Maintenance Activities by ISMS Policy
| ISMS Policy | Maintenance Activity | Implementation |
|---|---|---|
| Change Management | Jetty 10 → Jetty 12 migration planning; Jakarta namespace evaluation | Risk-assessed transition with testing; Documented migration path |
| Vulnerability Management | Automated security patching; Dependency updates via Dependabot | Weekly vulnerability scans; 30-day patch SLA for critical issues |
| Asset Register | EOL tracking for dependencies; Technology stack monitoring | Documented component lifecycle; Replacement planning for EOL tech |
| Business Continuity Plan | Platform availability during transitions; Rollback procedures | Multi-AZ deployment maintenance; Tested recovery procedures |
Security Assurance:
- All dependency updates security-vetted through WORKFLOWS.md automated scanning
- Version compatibility tested before production deployment
- Security patches prioritized per Vulnerability Management policy
- EOL components tracked in Asset Register
Related Documentation:
- ISMS Compliance Mapping - Lifecycle security controls
- Security Architecture - Current security implementation
- Workflows - Automated security checks
Vaadin 8 UI Layer
- Current UI Strategy: Continue using Vaadin 8 to avoid the costs and major structural changes of migrating to Vaadin 10+.
- Licensing Note: Vaadin 8 has reached EOL for open-source use; commercial support is available but optional.
For UI component details, see README.md - Technology Stack.
Final EOL Condition
The CIA project will be designated as EOL and archived in a read-only state when it can no longer function on the latest JVM without adopting Jakarta namespaces.
For the future vision of the platform that may supersede this version, see the Future Architecture Mindmap.
Project Technology Stack
For a conceptual overview of how these components interact, see the System Mindmap.
| Category | Technologies | EOL |
|---|---|---|
| Core Framework | Spring Framework 5.x | August 31, 2024 |
| Security | Spring Security, Bouncy Castle | Aligns with Spring 5.x |
| Data Access | Hibernate, JPA, PostgreSQL, JDBC | Hibernate 5.x: Ended; PostgreSQL 16: Nov 2028 |
| Transaction Management | Narayana | Active |
| Data Auditing | Javers | Active |
| Business Rules Engine | Drools | Active |
| Messaging | ActiveMQ Artemis, Spring JMS | Active |
| Web/UI Layer | Vaadin 8, Vaadin Sass Compiler | Reached EOL; commercial support available |
| Web Server | Jetty 10.x (Potential future move to Jetty 12) | Jetty 10 EOL: 2026; Jetty 12 EOL: 2028 |
| Monitoring | JavaMelody, AWS SDK for CloudWatch | Active |
| Testing | JUnit, Mockito, Spring Test, Selenium WebDriver | JUnit 4: Legacy; JUnit 5 & Mockito Active |
| Utilities | Apache Commons, Google Guava, SLF4J, Logback, Jackson | Active |
| Build & Dependency Management | Maven | Active |
Notes
- Security Focus: Prioritize security updates for dependencies in Spring Security, Logback, and Bouncy Castle.
- Documentation: See each dependency's documentation for details and licensing options, as summarized on endoflife.date.
Related Documentation
- README - Project overview and quick links
- Architecture Documentation - Current system architecture
- Financial Security Plan - Security implementation details
- Future Architecture Vision - Long-term roadmap
- CIA Features - Feature showcase with screenshots
- Project Documentation - Comprehensive developer resources
- Threat Model - Lifecycle risk and residual threat alignment