1.7. 将补丁应用到 Camel Spring Boot
使用新的 patch-maven-plugin 机制,您可以对 Red Hat Camel Spring Boot 应用程序应用补丁。这种机制允许您更改由不同红帽应用程序 BOMS 提供的各个版本,例如 camel-spring-boot-bom。
patch-maven-plugin 的目的是将 Camel on Spring Boot BOM 中列出的依赖项版本更新为您要应用到应用程序的补丁元数据中指定的版本。
patch-maven-plugin 执行以下操作:
- 检索与当前红帽应用 BOM 相关的补丁元数据。
- 将版本更改应用到从 BOMs 导入的 <dependencyManagement>。
在 patch-maven-plugin 获取元数据后,它会迭代声明插件的项目的所有受管和直接依赖项,并使用 CVE/patch 元数据替换依赖项版本(如果匹配)。替换版本后,Maven 构建将继续并通过标准 Maven 项目阶段进行。
流程
以下流程解释了如何将补丁应用到您的应用程序。
将
patch-maven-plugin添加到项目的pom.xml文件中。patch-maven-plugin的版本必须与 Spring Boot BOM 上的 Camel 版本相同。<build> <plugins> <<plugin> <groupId>com.redhat.camel.springboot.platform</groupId> <artifactId>patch-maven-plugin</artifactId> <version>${camel-spring-boot-version}</version> <extensions>true</extensions> </plugin> </plugins> </build>当您运行任何
mvn clean deploy,mvn validate, 或mvn dependencies:tree命令时,插件通过项目模块搜索,以检查模块是否使用 Red Hat Camel Spring Boot BOM。只有以下内容是支持的 BOM:-
com.redhat.camel.springboot.platform:camel-spring-boot-bom: 用于 Camel Spring Boot BOM
-
如果插件找不到上述 BOM,插件会显示以下信息:
$ mvn clean install [INFO] Scanning for projects... [INFO] ========== Red Hat Maven patching ========== [INFO] [PATCH] No project in the reactor uses Camel on Spring Boot product BOM. Skipping patch processing. [INFO] [PATCH] Done in 7ms =================================================
如果使用了正确的 BOM,则会找到补丁元数据,但不找到任何补丁。
$ mvn clean install [INFO] Scanning for projects... [INFO] ========== Red Hat Maven patching ========== [INFO] [PATCH] Reading patch metadata and artifacts from 2 project repositories [INFO] [PATCH] - redhat-ga-repository: http://maven.repository.redhat.com/ga/ [INFO] [PATCH] - central: https://repo.maven.apache.org/maven2 Downloading from redhat-ga-repository: http://maven.repository.redhat.com/ga/com/redhat/camel/springboot/platform/redhat-camel-spring-boot-patch-metadata/maven-metadata.xml Downloading from central: https://repo.maven.apache.org/maven2/com/redhat/camel/springboot/platform/redhat-camel-spring-boot-patch-metadata/maven-metadata.xml [INFO] [PATCH] Resolved patch descriptor: /path/to/.m2/repository/com/redhat/camel/springboot/platform/redhat-camel-spring-boot-patch-metadata/3.20.1.redhat-00043/redhat-camel-spring-boot-patch-metadata-3.20.1.redhat-00043.xml [INFO] [PATCH] Patch metadata found for com.redhat.camel.springboot.platform/camel-spring-boot-bom/[3.20,3.21) [INFO] [PATCH] Done in 938ms =================================================
patch-maven-plugin会尝试获取此 Maven 元数据。对于带有 Camel Spring Boot BOM 的项目,
com.redhat.camel.springboot.platform:redhat-camel-spring-boot-patch-metadata/maven-metadata.xml已解决。此 XML 数据是带有com.redhat.camel.springboot.platform:redhat-camel-spring-boot-patch-metadata:RELEASE协调的工件的元数据。Maven 生成的元数据示例
<?xml version="1.0" encoding="UTF-8"?> <metadata> <groupId>com.redhat.camel.springboot.platform</groupId> <artifactId>redhat-camel-spring-boot-patch-metadata</artifactId> <versioning> <release>3.20.1.redhat-00041</release> <versions> <version>3.20.1.redhat-00041</version> </versions> <lastUpdated>20230322103858</lastUpdated> </versioning> </metadata>
-
patch-maven-plugin解析元数据,以选择应用到当前项目的版本。此操作只能针对使用带有特定版本的 Spring Boot BOM 上的 Camel 进行 Maven 项目。只有与版本范围或之后匹配的元数据才适用,它只获取元数据的最新版本。 patch-maven-plugin收集远程 Maven 存储库列表,以下载由groupId、artifactId和版本标识的补丁元数据。这些 Maven 存储库列在活跃配置集的项目 <repositories> 元素中,以及settings.xml文件中的存储库。$ mvn clean install [INFO] Scanning for projects... [INFO] ========== Red Hat Maven patching ========== [INFO] [PATCH] Reading patch metadata and artifacts from 2 project repositories [INFO] [PATCH] - MRRC-GA: https://maven.repository.redhat.com/ga [INFO] [PATCH] - central: https://repo.maven.apache.org/maven2
元数据来自远程存储库、本地存储库还是 ZIP 文件,它由
patch-maven-plugin分析。获取的元数据包含 CVE 列表以及每个 CVE,我们有一个受影响的 Maven 工件列表(由 glob 模式和版本范围指定)以及包含给定 CVE 修复的版本。例如,<?xml version="1.0" encoding="UTF-8" ?> <<metadata xmlns="urn:redhat:patch-metadata:1"> <product-bom groupId="com.redhat.camel.springboot.platform" artifactId="camel-spring-boot-bom" versions="[3.20,3.21)" /> <cves> </cves> <fixes> <fix id="HF0-1" description="logback-classic (Example) - Version Bump"> <affects groupId="ch.qos.logback" artifactId="logback-classic" versions="[1.0,1.3.0)" fix="1.3.0" /> </fix> </fixes> </metadata>最后,当迭代当前项目中所有受管依赖项时,会参考补丁元数据中指定的修复列表。匹配的这些依赖项(和受管依赖项)被改为固定的版本。例如:
$ mvn dependency:tree [INFO] Scanning for projects... [INFO] ========== Red Hat Maven patching ========== [INFO] [PATCH] Reading patch metadata and artifacts from 3 project repositories [INFO] [PATCH] - redhat-ga-repository: http://maven.repository.redhat.com/ga/ [INFO] [PATCH] - local: file:///path/to/.m2/repository [INFO] [PATCH] - central: https://repo.maven.apache.org/maven2 [INFO] [PATCH] Resolved patch descriptor:/path/to/.m2/repository/com/redhat/camel/springboot/platform/redhat-camel-spring-boot-patch-metadata/3.20.1.redhat-00043/redhat-camel-spring-boot-patch-metadata-3.20.1.redhat-00043.xml [INFO] [PATCH] Patch metadata found for com.redhat.camel.springboot.platform/camel-spring-boot-bom/[3.20,3.21) [INFO] [PATCH] - patch contains 1 patch fix [INFO] [PATCH] Processing managed dependencies to apply patch fixes... [INFO] [PATCH] - HF0-1: logback-classic (Example) - Version Bump [INFO] [PATCH] Applying change ch.qos.logback/logback-classic/[1.0,1.3.0) -> 1.3.0 [INFO] [PATCH] Project com.test:yaml-routes [INFO] [PATCH] - managed dependency: ch.qos.logback/logback-classic/1.2.11 -> 1.3.0 [INFO] [PATCH] Done in 39ms =================================================
跳过补丁
如果您不想将特定的补丁应用到项目,patch-maven-plugin 会提供 skip 选项。假设已将 patch-maven-plugin 添加到项目的 pom.xml 文件中,并且您不想更改版本,您可以使用以下方法之一跳过补丁。
-
将 skip 选项添加到项目的
pom.xml文件中,如下所示:
<build>
<plugins>
<plugin>
<groupId>com.redhat.camel.springboot.platform</groupId>
<artifactId>patch-maven-plugin</artifactId>
<version>${camel-spring-boot-version}</version>
<extensions>true</extensions>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
</build>-
或者,在运行
mvn命令时使用-DskipPatch选项,如下所示:
$ mvn clean install -DskipPatch [INFO] Scanning for projects... [INFO] [INFO] -------------------------< com.example:test-csb >------------------------- [INFO] Building A Camel Spring Boot Route 1.0-SNAPSHOT ...
如以上输出中显示,patch-maven-plugin 没有被调用,这会导致补丁没有被应用到应用程序。
