Chainguard targets Java’s unpatched vulnerability backlog with drop-in remediated libraries
Chainguard has launched generally available CVE remediation for Java libraries, starting with the Spring Boot ecosystem. The offering lets teams swap vulnerable libraries for Chainguard-remediated drop-in versions by updating a single pom.xml reference. Remediated packages use a new version identifier with a -0.cgr.N suffix, making them appear clean to vulnerability scanners and auditors. Each package ships with an SBOM and provenance attestation, and is recognized by Wiz, AWS Inspector, Grype, and Trivy. The solution targets the growing backlog of unpatched CVEs in end-of-life Java frameworks — Spring Boot 2.7, for example, carries 143 unpatched CVEs — giving organizations a fourth option beyond security exceptions, DIY backports, or disruptive version upgrades.
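As an added example (not from the announcement and not Chainguard's own tooling), the Python below reads a pom.xml and reports which dependencies are already on a version carrying the -0.cgr.N suffix, resolving ${property} version references on the way. The sample pom, its coordinates and versions are constructed, and the exact shape of the suffix regex is an assumption based on the suffix quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Assumed shape of a remediated version: upstream version + "-0.cgr.N",
# where N is the remediation revision (per the announcement's suffix).
CGR_SUFFIX = re.compile(r"^(?P<base>.+?)-0\.cgr\.(?P<rev>\d+)$")

# Constructed sample pom.xml (hypothetical coordinates/versions): one
# dependency pinned via a property, one already on a remediated build.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <spring.boot.version>2.7.18</spring.boot.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>${spring.boot.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-lib</artifactId>
      <version>1.4.2-0.cgr.3</version>
    </dependency>
  </dependencies>
</project>
"""

def inventory(pom_xml: str) -> list[dict]:
    """List each <dependency> with its resolved version and whether that
    version carries the -0.cgr.N remediation suffix."""
    root = ET.fromstring(pom_xml)
    # Maven poms are namespaced; qualify tag names so lookups work.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    def q(tag): return f"{{{ns}}}{tag}" if ns else tag
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall(f"{q('properties')}/*")}
    out = []
    for dep in root.iter(q("dependency")):
        ver = (dep.findtext(q("version")) or "").strip()
        # Resolve ${property} references against <properties>.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
        m = CGR_SUFFIX.match(ver)
        out.append({"group": (dep.findtext(q("groupId")) or "").strip(),
                    "artifact": (dep.findtext(q("artifactId")) or "").strip(),
                    "version": ver, "remediated": bool(m),
                    "upstream": m.group("base") if m else ver})
    return out
```

Run against a real project pom to see which dependencies still sit on an upstream version and which have been moved to a remediated build; transitive dependencies are not covered, since only declared `<dependency>` entries are read.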