Mitigation after Spring Boot 2.7 EOL – Spring

The Problem:

Spring Boot 2.7 EOL is approaching, and companies need to find a way to continue receiving updates and support for their applications built with this version. Upgrading to Spring Boot 3.0 is not a feasible option in the immediate future. Will adding a dependency to the Spring Framework BOM in conjunction with "org.springframework.boot:spring-boot-dependencies:2.7.x" in the project provide an effective mitigation strategy until the upgrade to Spring Boot 3.0 can be completed? Consider that this approach would only cover vulnerabilities addressed in Spring Framework 5.3, leaving numerous other dependencies within "spring-boot-dependencies" that would require manual updates.

The Solutions:

Solution 1: Staying with Spring Boot 2.x/Spring Framework 5.y

Approach:

If you’re unable to upgrade to Spring Boot 3.0 and Spring Framework 6 right away, you can continue using Spring Boot 2.7 and Spring Framework 5.y. This option allows you to keep using your existing codebase while still being able to receive security updates and bug fixes.

Benefits:

No major code changes are required.

You can still receive security updates and bug fixes for Spring Boot 2.7 and Spring Framework 5.y.

Drawbacks:

You’ll eventually need to migrate to a newer version of Spring Boot and Spring Framework.

You won’t be able to take advantage of new features and improvements in newer versions of Spring Boot and Spring Framework.

Solution 2: Migrate to Spring Boot 3.0 and Spring Framework 6

Approach:

If you’re ready to make the switch, you can migrate your project to Spring Boot 3.0 and Spring Framework 6. This option will give you access to the latest features and improvements in Spring Boot and Spring Framework, as well as security updates and bug fixes.

Benefits:

You’ll be able to take advantage of new features and improvements in Spring Boot 3.0 and Spring Framework 6.

You’ll receive security updates and bug fixes for Spring Boot 3.0 and Spring Framework 6.

Drawbacks:

You’ll need to make changes to your codebase to migrate to Spring Boot 3.0 and Spring Framework 6.

There may be some compatibility issues with third-party libraries that you’re using.

Solution 3: Switch to Commercial Support

Approach:

If you need continued support for Spring Boot 2.7 and Spring Framework 5.y beyond their end-of-life dates, you can purchase commercial support from SpringSource. This option will give you access to security updates, bug fixes, and technical support from SpringSource engineers.

Benefits:

You’ll receive continued support for Spring Boot 2.7 and Spring Framework 5.y beyond their end-of-life dates.

You’ll have access to security updates, bug fixes, and technical support from SpringSource engineers.

Drawbacks:

You’ll need to pay for commercial support.

You’ll still need to migrate to a newer version of Spring Boot and Spring Framework eventually.