From 1207e992fdd78a3a16fc98d6356f3c0c203799c1 Mon Sep 17 00:00:00 2001
From: Peter Streef
Date: Fri, 19 Jul 2024 14:07:55 +0200
Subject: [PATCH] fix: Updating docs to explain vulnerabilities (#553)
* Update README.md
* update path
* never executed only twice.
---
README.md | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/README.md b/README.md
index 532b59cdb..bebc79541 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,16 @@ See the full documentation at [docs.openrewrite.org](https://docs.openrewrite.or
3. Commit & push changes.
4. Repeat periodically as new minor versions of Spring Boot are released.
+## Why do artifact scanners detect vulnerabilities in recipe artifacts/JARs?
+
+In order to modernize and upgrade old or vulnerable code, some OpenRewrite recipe modules bundle copies of old libraries. Libraries bundled into recipe modules are never executed.
+
+OpenRewrite exercises the Java compiler internally to compile code patterns that exist in these old and/or vulnerable libraries. These patterns are then used to match old or vulnerable code for the sake of modernizing or repairing it.
+
+Using a library in compilation in this way does not trigger class initialization in the way that reflection might, for example. In other words, code paths in libraries used in compilation are never executed, and thus the vulnerability is not exploitable.
+
+The jar has libraries bundled inside of the [META-INF/rewrite/classpath directory](https://github.com/openrewrite/rewrite-spring/tree/main/src/main/resources/META-INF/rewrite/classpath). However, those JARs are not made into a Fat Jar or a shaded library in the traditional sense. It is not possible that by using rewrite-spring that one of those libraries gets called.
+
## Contributing
We appreciate all types of contributions. See the [contributing guide](https://github.com/openrewrite/.github/blob/main/CONTRIBUTING.md) for detailed instructions on how to get started.
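Review bot: The closing sentence of the new section, "It is not possible that by using rewrite-spring that one of those libraries gets called", has a doubled "that" and asserts more than the preceding paragraphs establish; the section itself only explains that the JARs under META-INF/rewrite/classpath are used as compiler input to build matching patterns and are not shaded into a fat JAR, so the sentence should give that mechanism as the reason rather than claim impossibility, e.g. "Those JARs are not shaded into rewrite-spring and are only supplied to the compiler as input, so using rewrite-spring does not execute code from them" (adding that they are never placed on the runtime classpath if that is in fact how the recipes load them). The sentence "The jar has libraries bundled inside of the ... directory" would also read more clearly as "The rewrite-spring JAR bundles these libraries under the ... directory", and the paragraph about class initialization would help readers triaging a scanner finding more if it named what does happen to the bundled classes (they are read as compiler input only) so the "never executed" claim can be checked against the build rather than taken on trust.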