This repository patches old versions of Spring with a few specific backports to cover CVE-2022-22965 ("SpringShell") and CVE-2022-22950.
It compiles a set of patched files derived from a fork of the upstream Spring Framework repository. These live in the spring/ directory of each version.
It then overlays those files on top of their equivalent ServiceMix bundle to create a new ServiceMix bundle with an altered version. The exception is Spring 3.1, which did not have a ServiceMix bundle; in that case it simply creates a new version of the org.springframework:spring-* jar.
It avoids using the maven-bundle-plugin, to make sure the contents are as close to the original jars as possible, instead relying simply on unpacking dependencies with the maven-dependency-plugin and then re-packing them with the maven-assembly-plugin, forcing it to re-use the existing manifest.
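Because the rebuilt jar is meant to differ from the original bundle only in the patched classes, with the manifest carried over unchanged, it is worth checking that claim on the output rather than trusting the build. The script below is an added example and is not part of this repository or its build; it diffs two jars entry by entry (SHA-256 of each entry's contents) and reports additions, removals, changes and whether META-INF/MANIFEST.MF is byte-identical. The two jars it runs on are constructed in memory with placeholder bytes in place of real bytecode; the class names are illustrative.

```python
"""Check a rebuilt Spring jar against the original bundle it was derived from.

Added example, not part of this repository: reports which entries were added,
removed or changed, and whether META-INF/MANIFEST.MF survived intact, so an
overlay build can be confirmed to have touched only the intended classes.
"""
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def entry_digests(jar_bytes):
    """Map each file entry in a jar to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_jars(original, rebuilt):
    """Return a report of how `rebuilt` differs from `original`."""
    before = entry_digests(original)
    after = entry_digests(rebuilt)
    names_before, names_after = set(before), set(after)
    changed = sorted(n for n in names_before & names_after if before[n] != after[n])
    return {
        "added": sorted(names_after - names_before),
        "removed": sorted(names_before - names_after),
        "changed": changed,
        "manifest_identical": (
            MANIFEST in before and MANIFEST in after
            and before[MANIFEST] == after[MANIFEST]
        ),
    }


def only_patched(report, expected_changed):
    """True when the rebuild differs from the original in exactly `expected_changed`
    and the manifest was reused unchanged."""
    return (
        report["manifest_identical"]
        and not report["added"]
        and not report["removed"]
        and report["changed"] == sorted(expected_changed)
    )


def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars. The entry names are illustrative and the "class"
# bytes are placeholders, not real bytecode.
MANIFEST_TEXT = (
    b"Manifest-Version: 1.0\r\n"
    b"Bundle-SymbolicName: org.apache.servicemix.bundles.spring-beans\r\n"
    b"Bundle-Version: 3.2.18.RELEASE_1\r\n\r\n"
)
PATCHED_CLASS = "org/springframework/beans/CachedIntrospectionResults.class"
ORIGINAL_JAR = make_jar({
    MANIFEST: MANIFEST_TEXT,
    PATCHED_CLASS: b"\xca\xfe\xba\xbe original",
    "org/springframework/beans/BeanUtils.class": b"\xca\xfe\xba\xbe unchanged",
})
REBUILT_JAR = make_jar({
    MANIFEST: MANIFEST_TEXT,
    PATCHED_CLASS: b"\xca\xfe\xba\xbe patched",
    "org/springframework/beans/BeanUtils.class": b"\xca\xfe\xba\xbe unchanged",
})

if __name__ == "__main__":
    report = compare_jars(ORIGINAL_JAR, REBUILT_JAR)
    print(report)
    print("only the expected class changed:", only_patched(report, [PATCHED_CLASS]))
```

Against real artifacts, read the original ServiceMix bundle and the rebuilt jar from disk and pass their bytes to compare_jars; anything in "added" or "removed", or a manifest that is not identical, means the overlay did more than replace the backported classes.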
These exist (mostly) for OpenNMS, to satisfy transitive dependencies in some Karaf features that haven't yet been uplifted to newer Spring versions, and ideally only on code paths that are rarely executed.
Please do not take these builds as an endorsement for any kind of production use. In fact, I would argue that you should not take these builds at all, regardless of how you'd like to use them. :)