https://github.com/opennms/opennms-spring-patched
Tools to Create Patched Versions of Spring Maven Dependencies
- Host: GitHub
- URL: https://github.com/opennms/opennms-spring-patched
- Owner: OpenNMS
- License: apache-2.0
- Created: 2022-07-28T15:16:20.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2022-07-28T21:38:45.000Z (almost 4 years ago)
- Last Synced: 2025-02-16T08:13:14.094Z (over 1 year ago)
- Language: Java
- Size: 90.8 KB
- Stars: 0
- Watchers: 9
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Spring Dependencies with (limited) CVE Backports
This repository patches old versions of Spring with a few specific
backports to cover CVE-2022-22965[^2] ("SpringShell") and
CVE-2022-22950[^3].
It compiles a set of patched files derived from a fork of the
upstream Spring Framework repository[^1]. These live in the
`spring/` directory of each version.
It then overlays those files on top of the equivalent Apache ServiceMix
bundle to create a new ServiceMix bundle with an altered version.
The exception is Spring 3.1, which did not have a ServiceMix bundle;
in that case it simply creates a new version of the
org.springframework:spring-* jar.
It avoids using the `maven-bundle-plugin` to make sure the contents
are as close to the original jars as possible, instead relying
simply on unpacking dependencies with the `maven-dependency-plugin`,
and then re-packing them up with the `maven-assembly-plugin` and
forcing it to re-use the existing manifest.
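The overlay-and-repack step described above, as an added example that is not part of this repository (the project itself does it with `maven-dependency-plugin` and `maven-assembly-plugin`; this is a stand-alone Python stand-in using `zipfile`). `overlay_jar` copies the base jar, keeps `META-INF/MANIFEST.MF` verbatim as the first entry, and replaces or adds only the overlaid entries; `diff_jars` is the check a consumer of such a build would want: confirm the manifest is untouched and list exactly which entries differ from the unpatched bundle. The sample jar contents and class names are constructed placeholders, not real bytecode.

```python
"""Overlay patched files onto an existing jar while reusing its manifest,
then diff the result against the base jar.

Hypothetical helper for illustration; the repository described on this page
achieves the same with Maven plugins rather than this script."""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def overlay_jar(base_jar: bytes, overlay: dict[str, bytes]) -> bytes:
    """Return a new jar: all entries of base_jar, with entries in `overlay`
    replacing same-named files or being added. The manifest is copied
    verbatim from the base jar and written first; overlaying it is refused."""
    if MANIFEST in overlay:
        raise ValueError("manifest must be reused from the base jar, not overlaid")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(base_jar)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        names = src.namelist()
        if MANIFEST not in names:
            raise ValueError("base jar has no manifest")
        # Manifest first and unchanged, as the original build insists on.
        dst.writestr(MANIFEST, src.read(MANIFEST))
        for name in names:
            if name == MANIFEST:
                continue
            # Patched file wins where one exists, otherwise copy the original.
            dst.writestr(name, overlay.get(name, src.read(name)))
        for name, data in overlay.items():
            if name not in names:  # brand-new file introduced by the patch
                dst.writestr(name, data)
    return out.getvalue()


def diff_jars(base_jar: bytes, patched_jar: bytes) -> dict:
    """Report whether the manifest survived and which entries were
    added, removed or changed between the two jars."""
    with zipfile.ZipFile(io.BytesIO(base_jar)) as a, \
            zipfile.ZipFile(io.BytesIO(patched_jar)) as b:
        a_names, b_names = set(a.namelist()), set(b.namelist())
        changed = sorted(n for n in a_names & b_names
                         if n != MANIFEST and a.read(n) != b.read(n))
        return {
            "manifest_unchanged": a.read(MANIFEST) == b.read(MANIFEST),
            "manifest_first": b.namelist()[0] == MANIFEST,
            "added": sorted(b_names - a_names),
            "removed": sorted(a_names - b_names),
            "changed": changed,
        }


def build_sample_base_jar() -> bytes:
    """Constructed stand-in for an unpatched bundle jar (fake contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, "Manifest-Version: 1.0\r\n"
                             "Bundle-SymbolicName: example.bundle\r\n"
                             "Bundle-Version: 1.0.0\r\n\r\n")
        z.writestr("org/example/Vulnerable.class", b"\xca\xfe\xba\xbe-old")
        z.writestr("org/example/Untouched.class", b"\xca\xfe\xba\xbe-same")
    return buf.getvalue()


# Constructed overlay: one replaced class, one newly added class.
SAMPLE_OVERLAY = {
    "org/example/Vulnerable.class": b"\xca\xfe\xba\xbe-patched",
    "org/example/Helper.class": b"\xca\xfe\xba\xbe-new",
}


if __name__ == "__main__":
    base = build_sample_base_jar()
    patched = overlay_jar(base, SAMPLE_OVERLAY)
    print(diff_jars(base, patched))
```

Running `diff_jars` against a real base bundle and its patched counterpart is the quickest way to confirm a build of this kind did only what it claims: manifest intact, no entries dropped, and the changed list limited to the files the backport touches.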
# Disclaimer
These exist (mostly) for OpenNMS to satisfy transient dependencies
in some Karaf features that haven't been forced into being
uplifted to new Spring versions yet, and ideally are mostly
rarely executed code paths.
Please do not take these builds as an endorsement for any kind of
production use. In fact, I would argue that you should not take
these builds at all, regardless of how you'd like to use them. :)
[^1]: https://github.com/opennms-forge/spring-framework
[^2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22965
[^3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22950