Engine and Engine Dispatch 22

Engine and Engine Dispatch 22.25.415

Released 2025-02-14

Bug Fixes

Fixes "System data access is not enabled" error when querying xAPI statements with the V2 API's "GetRegistrationStatements" endpoint when SystemDatabaseEnabled is configured to 'false' (rare).

Dispatch Fixes

Remove description sub-claim from LTI resource_link claims to prevent 431 "Request Header Fields Too Large" error on resource link launches
Fixes bug with LTI dispatches where a status of 'undefined' was sent on a relaunch when no status had been set during a previous session

Engine and Engine Dispatch 22.24.410

Released 2025-01-03

Improvements

Improved performance for the GetRegistrationStatements endpoint
Added new 'admin:subscription' scope for allowing a credential to manage subscriptions without requiring full 'admin' scope

Bug Fixes

Resolved timing issue with cmi5 on SQL Server that could result in statements rejected with "Forbidden cmi5 allowed statement: session not active" error
Removed a few regular expressions in the client-side player Javascript that were flagged as a potential vulnerability by static scans
VideoJS now has the same periodic progress save mechanism that was introduced in 22.23.403 for the native video player
Fixed issue with Engine's logging support page when using signed launch links (missing 'jwt' on request)
Fixed subscription notifications not working when the number of subscriptions exceeds the API results limit

Engine and Engine Dispatch 22.23.403

Released 2024-11-01

Improvements

Added new "PluginStorageExpirationProcessor" background processor to clean up expired Content Vault records. Disabled by default
Added periodic progress saving for media content
Improves performance of the user counting queries

Bug Fixes

Fixes edge case with media content where completion was reached but the status was not able to be updated even after relaunching

Dispatch Improvements

Dispatch pages now use the "onpagehide" handler instead of "onunload" to work around Chrome deprecating the unload handlers

Engine and Engine Dispatch 22.22.392

Released 2024-10-04

Bug Fixes

Added experimental setting, X_DisableScormToTinCanInteractions, to disable creation of xAPI statements for SCORM interactions if using the SCORM-to-TinCan processor.

Engine and Engine Dispatch 22.21.390

Released 2024-08-29

Bug Fixes

[Upgrade Tool] - When upgrading from LWS Engine to Engine 22, suppress validation on its historical schema to prevent unnecessary upgrade failure.

Engine and Engine Dispatch 22.20.388

Released 2024-08-19

Bug Fixes

Improved handling for xAPI courses that use "stateId" parameter values that exceed 255 characters
[.NET Only] Updated BouncyCastle dependency for the following CVEs: CVE-2024-30172, CVE-2024-30171, CVE-2024-29857
[.NET + PostgreSQL Only] Updated Npgsql dependency for CVE: CVE-2024-32655

Improvements

Engine will now create an xAPIActivityId for a non-xAPI-based course by using a randomly generated GUID rather than hashing the contents of the course package
Added Tenant ID and Pipe ID to statement pipe exception log messages
The Partitioned attribute is now set on all Secure and SameSite=None cookies as per CHIPS guidelines

Dispatch Changes

Bug Fixes

For content dispatched as LTI, we now avoid clearing the completion status on relaunch when score is set but completion is not set during the launch

Engine and Engine Dispatch 22.19.376

Released 2024-05-17

Bug Fixes

[Upgrade Tool] Fixes xAPI file system documents for pre-2015 upgrades

Improvements

Required configs for LTI 1.3 connectors are now validated on connector creation (LtiConsumerIdentifier, LtiBaseUrl, LtiPlatformIssuer, RemoteDeliverPageUrl); failing the validation causes the connector creation to fail, with a 400 response
[Java Only] Updated to the latest BouncyCastle (for RSA key handling) and JodaTime (for date/time handling), prompted by a CVE report, even though it did not impact our usage
[Java Only] Provide option to avoid using Fork Join Pool for memory cache loaders

Engine and Engine Dispatch 22.18.372

Released 2024-03-08

Bug Fixes

Fixes 401 errors on TinCan preview launches
[Java Only] Updated commons-compress dependency to 1.26.0 for CVE-2024-25710, a potential for an infinite loop, and bumped other "commons" jars it depends on as well

Engine and Engine Dispatch 22.17.369

Released 2024-02-15

Bug Fixes

Fixes issue which caused PII Deletion jobs to fail on large datasets
Fixes error when downloading the course zip for AICC courses
Fixes issue with getting the course asset list for AICC courses
[Java Only] - Updated Jackson Databind to latest version to resolve CVE-2023-35116.
[Java Only] - Updated ESAPI to resolve vulnerability.
[Java Only] - Fixes logging date pattern warning in database installer tool

Engine and Engine Dispatch 22.16.365

Released 2024-01-26

Bug Fixes

Fixes bug where large xAPI documents (not a common thing) would linger in the object store after the associated record was deleted
[Offline Extension] Fix error with Javascript generated for configurationJS value

Engine and Engine Dispatch 22.15.359

Released 2024-01-12

Bug Fixes

Fixes failed GetImportJobStatus, GetRefreshJobStatus, and GetPIIDeletionJob requests for jobs that took place on versions below Engine 22
[.NET Only][Offline Extension] Fixes malformed playerConfigurationUrl.json file for offline course zip generated on .NET

Improvements

Better error reporting for PII deletion job failure

Engine and Engine Dispatch 22.14.352

Released 2023-12-14

Bug Fixes

Fix bug with statement pipes that are configured to use the rusticiRewrite parameter

Improvements

Made previously internal /about/registrationCount API endpoint available. Only useful if using Engine 22 for the entire license period being retrieved.
Creating a registration launchLink now returns a 400 status if any additionalValues pairs have an empty item name (previously would cause an error on launch)

Engine and Engine Dispatch 22.13.347

Released 2023-12-08

Bug Fixes

External ID delimiter validation fixed for legacy integration customers

Improvements

[Java Only] Updated logback-core to 1.3.14 for CVE-2023-6378

Engine and Engine Dispatch 22.12.343

Released 2023-11-13

Bug Fixes

Added missing language resource files for Czech, Romanian, Slovak, and Ukrainian

Improvements

[Java Only] Engine will now include an updated mime.types file so that files uploaded to S3 during import will use correct mime type in more cases
[Java Only] Updated dependency org.owasp.esapi for GHSA-7c2q-5qmr-v76q (which did not impact Engine since we are not using getFileUploads)
Rollup triggered by the X_RollupOnTerminate setting (SCORM 2004 only) will now cause an immediate post of data to Engine rather than waiting for the normal commit interval.
Engine will no longer collapse whitespace in SCORM Resource entry href values to prevent issues where this causes the course to not launch (very rare edge case). Note: there is a setting to revert this behavior if needed.

Engine and Engine Dispatch 22.11.334

Released 2023-10-23

Bug Fixes

Fixes API migration bug associated with increasing the MaxRowsPerDatabaseUpsert setting
Fixes missing FirstAccessDate on first "RegistrationChanged" subscription notification

Engine and Engine Dispatch 22.10.329

Released 2023-10-11

Bug Fixes

Fixed issue for Vimeo courses where final state was not sent if the tab/window was closed directly instead of using the media player Close button
Fixes rare sequencing error in SCORM 2004 4th Edition courses
[Upgrade Tool] - Fixes schema audit failure and constraint violations associated with certain table upgrades

Improvements

Added property validation against creating single-statement xAPI pipes

Engine and Engine Dispatch 22.9.321

Released 2023-9-29

Bug Fixes

[Java Only] Updated Apache Commons Compress to latest version which resolves CVE-2023-42503
[.NET Only] Updates Oracle.ManagedDataAccess from 19.14.0 to 19.18.0

Improvements

Added checks for delimiters in ids to prevent issues at runtime
Added new subtopics to RegistrationChanged: "RunTimeActivityCompletionChanged" and "RunTimeActivitySuccessChanged"

Dispatch Changes

Bug Fixes

Resolved http 500 response getting list of dispatches by course or by destination
Removed nonce claim from LTI 1.3 tool-originating access token request

Improvements

Added new setting LtiIgnore404CreatingLineItemForScore to allow Engine to ignore 404 errors from LTI platforms rejecting "score"

Engine and Engine Dispatch 22.8.305

Released 2023-08-16

Bug Fixes

Bookmarking is now used on relaunch of a Tin Can course even if tracking is disabled
Fixes exceptions for SCORM-to-xAPI statement generation when SCORM interactions do not provide an interaction type
Send content-type of application/vnd.ims.lis.v2.lineitem+json when creating an LTI 1.3 A&G line item
Fixes error when calling UpdateEncryptedSettings endpoint and local source xAPI Pipes are present
Fixes error when calling UpdateCredential endpoint when specifying the EngineTenantName request header
[Java Only] Avoid a 500 response when URLs with bad escape sequences in the querystring are passed to Engine
[Java Only] Fixed a bug where the DatabasePassword setting was not read properly (this is a mostly unused setting)
[Offline Extension] Fix issue with PlayerShowFinishButton being overridden to 'false' for all offline launches

Improvements

LTI 1.1 Basic Outcomes request no longer returns an error when including charset in the Content-Type request header
Course id will now be included in importJob results even when the import fails (previously it only appeared if the course was successfully imported)
Added type validation for the additionalMetadata property on course imports
Improve performance when using statement pipes and multiple Engine instances are attempting to process pipes under heavy load
Better logging when Dispatch Request returns an empty error message
Adds new TenantWebHookAdditionalHeaders setting to allow setting of additional webhook headers at the tenant level. Renames WebHookAdditionalHeaders to SystemWebHookAdditionalHeaders (though original name will still work as an alias).

Engine and Engine Dispatch 22.7.272

Released 2023-06-30

Bug Fixes

Fixes missing CompletionDate in "CompletionChanged" notification payload
Fixes issue when using isDryRun parameter on import and including additionalMetadata
Fixes issue with "package properties" migration for pre-2015 Engine and row-copy upgrades
[Java Only] Updated guava to latest release (32.0.1-jre), which resolves CVE-2023-2976 (that did not impact Engine)
[Java Only] Updated jackson to the latest release (2.15.2), and suppressed the warning for disputed CVE-2023-35116 that does not impact Engine
[Java Only] Updated bouncycastle to the latest release (1.74) to resolve CVE-2023-33201
[Java Only] Prevents 500 error response when request to the LRS include url parameters without a value (e.g, url?myparam versus the normal url?myparam=myvalue)

Improvements

Added a new setting PreviousApiTokenSecret so that ApiTokenSecret can be changed without breaking existing tokens

Engine and Engine Dispatch 22.6.261

Released 2023-05-26

Bug Fixes

Fixes an issue where "Activated Background Processor" logs would sometimes appear twice on start-up
Webhooks now only log failures on INFO for initial and final attempts
Webhooks now truncate the message body printed in the log to the value of WebHookTruncateLoggedMessageBody
XapiGetAuthority exchange only triggers if typical xAPI auth mechanisms fail, rather than before they run
Webhook errors are now logged on the "Warning" level
Fixes PII deletion jobs for customers that upgraded from LWS Engine
Fixed AICC score logic to handle spacing around commas
Fixed bug in LTI 1.3 launch when EnableExternalIdEncryption was configured to true
[Java Only] Updates Jackson libraries to 2.15.1 with improved hardening against Uncontrolled Resource Consumption

For Java customers using SQL Server 2016 (or higher) that are using a JNDI resource for your connection: please make sure you are using Microsoft JDBC version >= 12.2.x and add the `datetimeParameterType` property with a value of `datetime` to your connection string.

Improvements

Course preview now works for LTI 1.3 launches
Fixes 404 errors caused by course packages that were compressed on a macOS

Engine and Engine Dispatch 22.5.246

Released 2023-04-14

Bug Fixes

Fixes an issue where exiting the SCORM player by closing the window could lead to results not being rolled up properly on Firefox
Improves performance when ScormToTinCanHistorical is active
Fixes a bug where ScormToTinCan would not work properly if set through the BackgroundProcessors setting
Creating a subscription no longer erroneously requires setting the "timeoutMS" property
[Java Only] Fixes import and runtime error for TinCan courses that contain certain technically invalid characters in the activity ID's host name that previously would have been allowed in older Engine versions
[Java Only] Fixes CVE-2020-8908 by updating guava
[.NET; MySQL only] - Fixed launch error caused by missing db param type
[Java Only] Fixes issues with datetime and datetime2 comparison for SQL Server versions 2016+.

For Java customers using SQL Server 2016 (or higher) that are using a JNDI resource for your connection: please make sure you are using Microsoft JDBC version >= 12.2.x and add the `datetimeParameterType` property with a value of `datetime` to your connection string.

Improvements

Performance improvement for media content launches to reduce initial load time
Added a isDryRun boolean to the ImportJobResultSchema
Webhooks will not trigger when isDryRun is true on the import request

Engine and Engine Dispatch 22.4.225

Released 2023-03-01

Bug Fixes

Encrypts Subscription Auth configuration's 'Secret' property before storing it in the db
Fixes RecordResults error with UseDeltaRecordResultsPayload when PlayerCaptureHistory is disabled
Fixed an issue where the SubscriptionAuth cache didn't invalidate properly
[Upgrade Tool] - Fixes missing "reporting heuristics" settings after Package Properties migration
[Java Only] Updated commons-fileupload for CVE-2023-24998 (Denial of service from malicious upload)

Improvements

Exchanges will now throw an exception if they receive properties which don't map onto their schema, rather than ignoring them
Better logging for failed exchange requests
Minor performance improvement in our XML processing

Engine and Engine Dispatch 22.3.189

Released 2023-02-03

Bug Fixes

Fixes preview launch failures
Fixes issues around Subscription/AuthConfig look-ups when SystemDatabaseEnabled is set to 'false'
Fixed a bug in which launching an AICC course with ContentVaultEnabled set to 'true' could result in an improper course content url (404 Status)
[.NET Only] Fixes NewtonSoft dependency conflict in the database upgrade tool

Improvements

Removed exit confirmation alert window from media content player when clicking the Close button
Moved launch history expiration to a background process (performance improvement for systems using this feature)
Improves media content player UI controls for PDF courses accessed on mobile devices (small screens)
Engine now rejects values for `BackgroundProcessors` with identical `instance` values or `processor` values within an instance

Dispatch Changes

Improvements

Engine now puts the course description (if there is one) into the CRS file for AICC dispatch packages

Engine and Engine Dispatch 22.2.155

Released 2023-01-11

Bug Fixes

Fixes rare bug in which custom style sheets for media courses fail to load during player initialization
Have PIIDeletionJob remove learner id from new UsageStatistics table
Better error message when cmi5 course manifest has invalid or missing publisher ids
The body of Webhook event messages now are not formatted to aid in HMAC calculations

Improvements

LocalCacheExpiryMilliSeconds setting for registration-level caches will use the `configuration` expiry as a default rather than the general default value if one has been set
Some performance improvements for Exchange type Webhook subscription processing
Some performance improvements in situations where Engine is creating and saving xAPI statements itself (e.g., the 'launched' statement)

Released 2022-12-19

New and Improved Web Hooks

We’ve added new APIs for subscribing to event notifications in Engine, including status updates for course imports and learner registrations. These will replace the existing postback systems with one that is more consistent, customizable, and extensible.

We’ve also added what we call “exchanges,” which let Engine ask an external system for information. The first available exchange is for getting the authority for xAPI statements (a custom authentication mechanism, basically).

More notifications and exchanges will follow, with the goal of replacing old-style, pre-API Engine integrations and providing greater flexibility to all integrations.

Background Process Management

Engine has a number of tasks that it performs in the background while also handling API requests and learner launches. Now there’s a way to specify whether or not these processes should be handled by each instance of Engine. That way, some app servers can be dedicated to API requests and learner launches, while a different set handles things like xAPI statement forwarding or sending queued import and registrations event notifications.

Custom Course Metadata

Previously, the only information that Engine kept track of about courses was whatever was included in their manifest files. Now Engine users can save any information they like, such as skills or product categories, and retrieve them later for use in other systems. Essentially, at import time the API call can provide an arbitrary JSON object with data in it that will be saved as an additionalMetadata property in the course details.

Dispatch Changes

Dispatch and Destination Level Configuration

Engine now supports a configuration endpoint in the API for Dispatches and Destinations. This allows you to override player and course-related settings for specific destinations or individual dispatches.

As well, there are two new settings meant to be used at these levels: DispatchTitle and DispatchDescription. These settings allow you to override the title and description that will be written into the dispatch stub package downloaded from Engine.

Note: There are a number of potentially breaking changes in Engine 22. If you are upgrading from an older Engine please check out this document for details on those.