
Introduce EOL notifications to the spring boot gradle and maven plugins #45043


Open
asaikali opened this issue Apr 9, 2025 · 1 comment
Labels
for: team-meeting An issue we'd like to discuss as a team to make progress status: waiting-for-triage An issue we've not yet triaged

Comments


asaikali commented Apr 9, 2025

Given the pace of development in the Spring projects and the EOL support policies, it is hard for developers to know if they are using an EOL library in their application. The Maven and Gradle Spring Boot plugins should warn developers if they are building a Spring Boot app that is using EOL libraries.

When invoked, the Gradle and Maven plugins check the version number of every jar under the org.springframework group IDs to produce a report showing which jars are EOL but still in commercial support, and which jars are beyond the commercial support window. If a jar is within 4 weeks of OSS EOL, a warning should be included in the report. The report should be printed to the console.

The plugin can have warn and enforce modes, with the default being warn. In warn mode, the plugin simply prints out a report; in enforce mode, the plugin fails the build.

For large organizations with mature platform engineering teams looking to aggregate these warnings centrally, the plugins should offer an option to centrally configure the behaviour of the plugin:

  • reporting webhook URL: the plugin performs an HTTP POST with a JSON payload containing a report of the jars that are EOL, along with metadata about the project being built gathered from Maven and Gradle. The URL can be set on build jobs via the SPRING_BOOT_EOL_WEBHOOK environment variable so that it can be turned on by platform engineering teams.
  • EOL mode: the plugin looks for an environment variable SPRING_BOOT_EOL_MODE, which can have a value of enforce or warn; based on this value the plugin fails the build or not.

The enhancements proposed in this issue are very helpful for large organizations with central platform engineering teams looking to put guardrails in place to enforce dependency upgrades, or to nudge developers to upgrade in a timely fashion.
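To make the proposal concrete, the following stand-alone Python script is an added illustration of the check described above; it is not code from the Spring Boot Maven or Gradle plugins, nor from the issue's author. It parses `mvn dependency:list` output, classifies every org.springframework* jar against a support table, flags jars within four weeks of OSS EOL, honours SPRING_BOOT_EOL_MODE (warn by default, enforce to fail the build) and posts the JSON report to SPRING_BOOT_EOL_WEBHOOK when that variable is set. The support-table dates, the sample Maven output, the project metadata, and the rule that enforce mode fails only on jars already past OSS EOL (not on "EOL soon" or unknown jars) are all assumptions made for the example.

```python
from __future__ import annotations

import json
import os
import re
import sys
import urllib.request
from dataclasses import asdict, dataclass
from datetime import date, timedelta

SPRING_GROUP_PREFIX = "org.springframework"  # covers org.springframework, .boot, .security, ...
WARN_WINDOW = timedelta(weeks=4)              # "within 4 weeks of OSS EOL", as the issue proposes
# Assumption: enforce mode fails the build for any Spring jar that is already past its OSS EOL.
FAILING_STATUSES = {"oss-eol-commercial", "unsupported"}

# Constructed lookup (group, artifact, major.minor) -> (oss_eol, commercial_eol).
# Placeholder dates for illustration only; a real tool would load Spring's published calendar.
SUPPORT_TABLE = {
    ("org.springframework.boot", "spring-boot", "3.3"): (date(2025, 5, 1), date(2026, 5, 1)),
    ("org.springframework", "spring-core", "6.0"): (date(2024, 8, 14), date(2025, 8, 14)),
    ("org.springframework", "spring-context", "5.3"): (date(2024, 8, 31), date(2025, 3, 31)),
}

# Artifact lines as printed by `mvn dependency:list` (group:artifact:type:version:scope).
MVN_LINE = re.compile(r"^\[INFO\]\s+(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?:jar|war|pom):(?P<version>[\w.-]+):\w+")

@dataclass
class Finding:
    coordinate: str             # group:artifact:version
    status: str                 # ok | eol-soon | oss-eol-commercial | unsupported | unknown
    oss_eol: str | None         # ISO dates, or None when the generation is not in the table
    commercial_eol: str | None

def parse_mvn_dependency_list(text: str) -> list[tuple[str, str, str]]:
    """Return (group, artifact, version) for every resolved artifact line."""
    return [(m["group"], m["artifact"], m["version"])
            for m in (MVN_LINE.match(line) for line in text.splitlines()) if m]

def classify(group: str, artifact: str, version: str, today: date) -> Finding:
    """Map one Spring artifact to its support status on the given day."""
    coordinate = f"{group}:{artifact}:{version}"
    generation = ".".join(version.split(".")[:2])          # 3.3.10 -> 3.3
    dates = SUPPORT_TABLE.get((group, artifact, generation))
    if dates is None:
        return Finding(coordinate, "unknown", None, None)  # reported, never fails the build
    oss_eol, commercial_eol = dates
    if today > commercial_eol:
        status = "unsupported"                # beyond the commercial support window
    elif today > oss_eol:
        status = "oss-eol-commercial"         # OSS EOL but still commercially supported
    elif oss_eol - today <= WARN_WINDOW:
        status = "eol-soon"                   # OSS EOL within 4 weeks: warn
    else:
        status = "ok"
    return Finding(coordinate, status, oss_eol.isoformat(), commercial_eol.isoformat())

def build_report(coords, today: date) -> list[Finding]:
    """Classify only org.springframework* jars; other groups are out of scope."""
    return [classify(g, a, v, today) for g, a, v in coords if g.startswith(SPRING_GROUP_PREFIX)]

def resolve_mode(env) -> str:
    """SPRING_BOOT_EOL_MODE selects warn (default) or enforce; anything else is an error."""
    mode = str(env.get("SPRING_BOOT_EOL_MODE", "warn")).lower()
    if mode not in ("warn", "enforce"):
        raise ValueError(f"SPRING_BOOT_EOL_MODE must be 'warn' or 'enforce', got {mode!r}")
    return mode

def exit_code(findings: list[Finding], mode: str) -> int:
    """Non-zero (build failure) only in enforce mode and only for jars past OSS EOL."""
    return 1 if mode == "enforce" and any(f.status in FAILING_STATUSES for f in findings) else 0

def webhook_payload(findings: list[Finding], project: dict, today: date) -> dict:
    """JSON document for the reporting webhook: project metadata plus non-ok findings."""
    return {"project": project, "checkedOn": today.isoformat(),
            "findings": [asdict(f) for f in findings if f.status != "ok"]}

def post_report(payload: dict, url: str) -> int:
    """POST the report to the SPRING_BOOT_EOL_WEBHOOK URL; returns the HTTP status code."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

# Constructed `mvn dependency:list` output and project metadata: sample data, not a real build.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot:jar:3.3.10:compile
[INFO]    org.springframework:spring-core:jar:6.0.23:compile
[INFO]    org.springframework:spring-context:jar:5.3.39:compile
[INFO]    org.springframework.security:spring-security-core:jar:6.4.4:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile
"""
SAMPLE_PROJECT = {"groupId": "com.example", "artifactId": "demo", "version": "1.0.0"}
SAMPLE_TODAY = date(2025, 4, 9)  # pinned to the issue date so the sample is reproducible

def main() -> int:
    findings = build_report(parse_mvn_dependency_list(SAMPLE_MVN_OUTPUT), SAMPLE_TODAY)
    for f in findings:
        print(f"{f.status:20} {f.coordinate}  oss_eol={f.oss_eol}  commercial_eol={f.commercial_eol}")
    url = os.environ.get("SPRING_BOOT_EOL_WEBHOOK")
    if url:
        post_report(webhook_payload(findings, SAMPLE_PROJECT, SAMPLE_TODAY), url)
    return exit_code(findings, resolve_mode(os.environ))

if __name__ == "__main__":
    sys.exit(main())
```

Run as-is it prints four findings (eol-soon, oss-eol-commercial, unsupported, unknown) and exits 0; with SPRING_BOOT_EOL_MODE=enforce it exits 1 because two jars are past OSS EOL. In a real CI job the webhook URL and mode would come from the runner's environment exactly as the issue proposes, so individual projects cannot silently opt out by editing their build files. Unknown generations are reported but never fail the build, so a stale support table cannot break every build in the organization; an invalid mode value is rejected rather than quietly treated as warn.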

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 9, 2025
@philwebb philwebb added the for: team-meeting An issue we'd like to discuss as a team to make progress label Apr 9, 2025
@dwelch2344

This is super interesting. Spring (via VMware via Broadcom) is a CNA in the CVE project, and we're actively working on the global solution for the industry. If something like this is added, will it take into account / work off those efforts?

Also, I would love to discuss this and hear the Spring team's thoughts, either directly or in the Worker Groups.
