Tanzu Platform 10.0

Discover and upgrade unsupported Spring dependencies

Last Updated March 03, 2025

One of the benefits of the Tanzu Platform is that it lets you see whether your organization is at risk because your Git repositories use versions of Spring libraries that are no longer under OSS or commercial support.

It is neither straightforward nor instantaneous to work out which of your Spring projects are directly or indirectly affected when your application dependencies fall out of support. Tanzu Platform provides a global view across all your Git repositories that shows which Spring dependencies are out of support. By connecting Spring Application Advisor with Tanzu Platform, you can also upgrade those Spring dependencies to a supported version and secure your application.

The following sections give the steps to integrate Spring Application Advisor and set up Tanzu Platform to continuously analyze the repositories connected to your CI/CD pipelines.

Understanding support for a Spring project

To understand the support status of a particular Spring project, see https://spring.io/projects/. Click a Spring project to see the support window for each available minor version. For example, click Spring Boot > Support to see the support windows for the minor versions of Spring Boot.

Support windows for Spring Boot

At the end of enterprise support for a particular version, for example, Spring Boot 2.6.x, no further patch versions that fix newly discovered vulnerabilities are published. Therefore, if you do not upgrade the Spring dependencies, your services might be exposed to those vulnerabilities.

At the end of OSS support for a particular version, for example, Spring Boot 2.7.x, no further patch versions are published by the OSS community. Therefore, applications remain exposed to vulnerabilities unless they adopt the patch versions from the Enterprise Maven repository or upgrade to a supported OSS version of Spring.

Connect Spring Application Advisor

Connect Spring Application Advisor to Tanzu Platform to continuously analyze the repositories connected to your CI/CD pipelines and upgrade out-of-support dependencies.

Do the following to connect Spring Application Advisor to Tanzu Platform:

  1. Create an access token to connect Spring Application Advisor to the Tanzu Platform.
  2. Connect the Spring Application Advisor to Tanzu Hub using the access token.
  3. Integrate the Spring Application Advisor CLI in the CI/CD pipeline.

Identify Git repositories with unsupported Spring dependencies

After you have connected Spring Application Advisor to Tanzu Platform, you can review the status of the Spring dependencies in your Git repositories.

  1. On Tanzu Platform, go to Developer Tools > Repositories.

    Portfolio analysis screen in Tanzu Platform UI

  2. In the table view,

    1. See the Out of Support column.

      Rows that have a positive number identify repositories that are using unsupported Spring libraries.

    2. See the Libraries with Vulnerabilities column.

      This number is the count of identified vulnerabilities in the repository; each one is a risk if you do not upgrade.

  3. Click on a row to see a summary view of the Git repository.

  4. In the Git repository view, click Libraries to see which dependencies are not under support, which have vulnerabilities, and the support window for each dependency.

    Every library whose value under Commercial Support Remaining is NA is no longer under support.

    Repository Libraries