{"id":23478398,"url":"https://github.com/opennms/opennms-spring-patched","last_synced_at":"2025-04-13T17:00:15.557Z","repository":{"id":76996248,"uuid":"518895805","full_name":"OpenNMS/opennms-spring-patched","owner":"OpenNMS","description":"Tools to Create Patched Versions of Spring Maven Dependencies","archived":false,"fork":false,"pushed_at":"2022-07-28T21:38:45.000Z","size":93,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-02-16T08:13:14.094Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OpenNMS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-07-28T15:16:20.000Z","updated_at":"2024-04-10T16:29:02.000Z","dependencies_parsed_at":null,"dependency_job_id":"56daaf7e-8ee4-4e9f-8885-4d727d676f3e","html_url":"https://github.com/OpenNMS/opennms-spring-patched","commit_stats":null,"previous_names":["opennms/opennms-spring-patched"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenNMS%2Fopennms-spring-patched","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenNMS%2Fopennms-spring-patched/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenNMS%2Fopennms-spring-patched/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenNMS%2Fopennms-spring-patched/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/owners/OpenNMS","download_url":"https://codeload.github.com/OpenNMS/opennms-spring-patched/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248750078,"owners_count":21155685,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-24T19:19:17.073Z","updated_at":"2025-04-13T17:00:15.518Z","avatar_url":"https://github.com/OpenNMS.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Spring Dependencies with (limited) CVE Backports\n\nThis repository patches old versions of Spring with a few specific\nbackports to cover CVE-2022-22965[^2] (\"SpringShell\") and\nCVE-2022-22950[^3].\n\nIt compiles a set of patched files derived from a fork of the\nupstream Spring Framework repository[^1]. 
These live in the\n`spring/` directory of each version.\n\nIt then overlays those files on top of their equivalent servicemix\nbundle, to create a new servicemix bundle with an altered version.\nThe exception is Spring 3.1, which did not have a servicemix bundle;\nin that case it simply creates a new version of the\norg.springframework:spring-* jar.\n\nIt avoids using the `maven-bundle-plugin` to make sure the contents\nare as close to the original jars as possible, instead relying\nsimply on unpacking dependencies with the `maven-dependency-plugin`,\nand then re-packing them up with the `maven-assembly-plugin` and\nforcing it to re-use the existing manifest.\n\n# Disclaimer\n\nThese exist (mostly) for OpenNMS to satisfy transitive dependencies\nin some Karaf features that haven't been forced into being\nuplifted to new Spring versions yet, and that ideally are mostly\nrarely executed codepaths.\n\nPlease do not take these builds as an endorsement for any kind of\nproduction use. In fact, I would argue that you should not take\nthese builds at all, regardless of how you'd like to use them. :)\n\n[^1]: https://github.com/opennms-forge/spring-framework\n[^2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22965\n[^3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22950\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopennms%2Fopennms-spring-patched","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopennms%2Fopennms-spring-patched","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopennms%2Fopennms-spring-patched/lists"}