Chainguard targets Java’s unpatched vulnerability backlog with drop-in remediated libraries
The New Stack

Legacy Java shops are sitting on a growing pile of unpatched vulnerabilities. Chainguard says it has a fix for that.

This week, the company announced that Chainguard Libraries for Java is generally available, adding CVE remediation to its secure software supply chain offering. The company is starting with the Spring Boot ecosystem, backporting fixes for critical and high-severity CVEs across spring-boot, spring-framework, spring-security, and h2database. Dozens of CVEs have been remediated at launch, the company says.

More hostile environments, more vulnerabilities

The threat environment has grown significantly more hostile. AI-assisted scanning tools are generating vulnerability reports at a rapid pace.

“AI tools are now scanning open source projects at a rate that produces hundreds of new security reports each month,” writes Ross Gordon, Staff Product Marketing Manager at Chainguard, in a blog post. “Spring received 482 new reports in April 2026 alone.”

That exposes a potentially painful problem for the 90% of Fortune 500 companies that rely on Java for core systems. Many of those organizations are using older framework versions: Spring Boot 2.7, for example, reached end of life in November 2023 and carries 143 CVEs across 79 projects, none of them patched upstream, the company says.

Three options

Engineering teams are left with three options, Gordon explains:

  • They could try to get an exception from their security team to use the library. However, this doesn’t make them any safer and doesn’t solve the risk problem at hand.
  • They could try to backport CVE fixes themselves. However, this takes hours and doesn’t scale across teams using the same vulnerable library across hundreds of applications and APIs.
  • They could try upgrading to a newer version that addresses the critical CVEs. However, upgrading can take months (sometimes even a year) and prevents the team from building new product functionality that drives revenue. Like option two, it also doesn’t scale, as each team needs to upgrade to major versions while ensuring their applications don’t break in the process.

A fourth path

Chainguard is offering a fourth path, Gordon explains. Teams swap their vulnerable library for a Chainguard-remediated version by updating a single reference in their pom.xml file. The remediated package includes a backported fix and ships under a new version identifier with a -0.cgr.N suffix, so the artifact appears clean to vulnerability scanners and auditors rather than flagging as a patched vulnerable version.

That distinction matters for audit purposes, Gordon says. Competing approaches that layer a patch on top of the original library leave the original version identifier visible to scanners, creating an awkward paper trail of a known CVE with a manual modification sitting on top of it.
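As an added illustration of the swap described above (not taken from the article or from Chainguard's own documentation), here is what the single-reference change looks like in a Maven pom.xml. The artifact chosen, the concrete version string "2.7.18-0.cgr.1", and the repository URL are assumptions; the article only gives the -0.cgr.N suffix pattern.

```xml
<!-- Before: the upstream Spring Boot 2.7 artifact from Maven Central.
     Scanners match this version against the CVEs left unpatched after
     the branch reached end of life. -->
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
  <version>2.7.18</version>
</dependency>

<!-- After: same groupId and artifactId, only the version reference changes.
     "2.7.18-0.cgr.1" is a constructed example of the -0.cgr.N pattern;
     the real remediated version identifiers come from Chainguard's catalog.
     Because the identifier differs from the upstream one, a scanner sees a
     distinct version rather than a patched copy of the known-vulnerable one. -->
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
  <version>2.7.18-0.cgr.1</version>
</dependency>

<!-- Caveat: if the version is inherited from spring-boot-starter-parent or a
     <dependencyManagement> BOM, the override has to be placed there, or the
     managed upstream version will win at resolution time. -->

<!-- The remediated artifact must be resolvable from a repository that serves
     Chainguard Libraries; the id and URL here are placeholders. -->
<repositories>
  <repository>
    <id>chainguard-libraries</id>
    <url>https://REPOSITORY-URL-FROM-CHAINGUARD/maven</url>
  </repository>
</repositories>
```

After the change, confirm with `mvn dependency:tree` that the resolved version carries the -0.cgr.N suffix, and check that your scanner is one the article lists as recognizing the remediated identifiers (Wiz, AWS Inspector, Grype, Trivy).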

Each remediated package ships with an SBOM and provenance attestation. Wiz, AWS Inspector, Grype, and Trivy all recognize Chainguard’s remediated Java libraries, with additional scanner support planned. The Chainguard console surfaces which CVEs are addressed in a given version, which other versions carry the same backported fix, and links to advisory details. Remediated versions are also accessible through Chainguard’s public VEX feed.

Staying secure

Chainguard’s pitch is that teams can stay secure at their current version while completing the upgrade on their own schedule, without known critical CVEs forcing a rushed migration. For organizations managing hundreds of applications across multiple teams, applying a remediated drop-in without coordinating parallel upgrades could represent risk reduction at scale.

Supply chain security has become one of the hot battlegrounds in enterprise software, and Chainguard has been among the more aggressive vendors expanding its coverage. The company built its initial reputation around hardened container images. Extending that posture into the Java library ecosystem, specifically targeting Spring Boot across the Fortune 500, signals an intent to address vulnerability debt further up the dependency stack.

Finally, Gordon adds, “This announcement is specific to Chainguard Libraries for Java. More broadly, Chainguard Libraries is a secure catalog of JavaScript, Python, and Java dependencies that replaces an engineering team’s reliance on npm, PyPI, and Maven Central. Today, Chainguard Libraries for JavaScript (like our other languages) provides multiple layers of security controls, including building from source, cooldowns, malware and greyware scanning, and custom block policies.”

Chainguard Libraries for Java is available now.
