The Tanzu Spring Runtime product is a commercial subscription that includes multiple benefits on top of the value that the Spring open source projects and ecosystem provide. For Spring Boot minor versions that have entered commercial support and are no longer under OSS support, commercial patch releases are made available through a Spring Enterprise Subscription, from our Spring artifact repository. This article provides the steps to fetch the CVE report of a commercial release.
1. Identify the target version
Let's take the version 2.7.19 as an example.
2. Compose a URL from the base, https://enterprise.spring.io/projects/spring-boot/changelog/, and the version, 2.7.19
The combined URL is https://enterprise.spring.io/projects/spring-boot/changelog/2.7.19
3. Open this URL in a browser and look for “Spring Framework”.
Here is the result for Spring Boot v2.7.19; in this example the changelog references Spring Framework 5.3.32.
4. Review the release notes on https://spring.io/.
We can leverage Google to quickly pinpoint the target.
In this example, the keywords would be “site:spring.io Spring Framework 5.3.32”.
By following the search result “Spring Framework 6.1.4, 6.0.17 and 5.3.32 Available Now”, we are redirected to the release notes of Spring Framework 5.3.32, where the CVEs are listed.
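The four steps above can be scripted so that a Spring Boot version is turned into the changelog URL, the referenced Spring Framework version and the release-notes search keywords. The following is an added example, not code from the article or from Spring; the changelog markup it parses is a constructed stand-in, and a live run would fetch the composed URL instead.

```python
import re

# Base URL of the Spring Enterprise changelog, as given in the article.
CHANGELOG_BASE = "https://enterprise.spring.io/projects/spring-boot/changelog/"

# Accept only a plain x.y.z release number so that an unexpected value can
# never become an extra path segment of the composed URL.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")

# "Spring Framework 5.3.32" style mentions inside the changelog text.
FRAMEWORK_RE = re.compile(r"Spring Framework\s+(\d+\.\d+\.\d+)")


def changelog_url(version: str) -> str:
    """Step 2: compose the changelog URL for a Spring Boot commercial release."""
    if not VERSION_RE.match(version):
        raise ValueError(f"not a plain x.y.z version: {version!r}")
    return CHANGELOG_BASE + version


def spring_framework_version(changelog_text: str) -> str:
    """Step 3: find the single Spring Framework version the changelog references."""
    found = {m.group(1) for m in FRAMEWORK_RE.finditer(changelog_text)}
    if len(found) != 1:
        raise LookupError(f"expected one Spring Framework version, found {sorted(found)}")
    return found.pop()


def release_notes_query(framework_version: str) -> str:
    """Step 4: the search keywords used to pinpoint the release notes on spring.io."""
    return f"site:spring.io Spring Framework {framework_version}"


def cve_lookup_steps(boot_version: str, changelog_text: str) -> dict:
    """Run steps 2-4 and return the artefacts to follow up on."""
    fw = spring_framework_version(changelog_text)
    return {
        "changelog_url": changelog_url(boot_version),
        "spring_framework": fw,
        "search_query": release_notes_query(fw),
    }


# Constructed stand-in for the changelog page body (not real page content).
SAMPLE_CHANGELOG = """<h2>Dependency upgrades</h2>
<ul><li>Upgrade to Spring Framework 5.3.32</li><li>Upgrade to Tomcat 9.0.85</li></ul>"""

if __name__ == "__main__":
    for key, value in cve_lookup_steps("2.7.19", SAMPLE_CHANGELOG).items():
        print(f"{key}: {value}")
```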