spark-3.5-scala-2.13/3.5.4-r0: cve remediation

[octo-sts]

spark-3.5-scala-2.13/3.5.4-r0: fix GHSA-rcjc-c4pj-xxrp/GHSA-8qv5-68g4-248j/GHSA-2jc4-r94c-rp7h/GHSA-j26w-f9rq-mr2q/GHSA-g8m5-722r-8whq/

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/spark-3.5-scala-2.13.advisories.yaml

[octo-sts]

Gen AI suggestions to solve the build error:

Based on the build error, I'll provide a structured analysis and solution:

• Detected Error: "Could not resolve dependencies for project org.apache.spark:spark-core_2.13:jar:3.5.4: The following artifacts could not be resolved: org.eclipse.jetty:jetty-server:jar:9.4.56"

• Error Category: Dependency

• Failure Point: Maven dependency resolution for spark-core_2.13 module

• Root Cause Analysis:
The build is failing because it cannot find Jetty server version 9.4.56 in the Maven repository. This appears to be an incorrect version specification as Jetty 9.4.56 is not a valid release version.

• Suggested Fix:
Update the jetty dependencies in the pom.xml (we need to modify pombump-properties.yaml) to use the latest stable 9.4.x version:

# In pombump-properties.yaml
properties:
  jetty.version: 9.4.54.v20240208  # Update to latest stable 9.4.x version

• Explanation:

• Jetty 9.4.56 doesn't exist in Maven Central
• Version 9.4.54.v20240208 is the latest stable release in the 9.4.x series
• This aligns with Spark's compatibility requirements
• The fix ensures all Jetty components are on the same version

• Additional Notes:

• Make sure both jetty-server and jetty-servlets use the same version
• Consider adding version management in properties section
• Test locally before pushing changes
• This maintains compatibility with existing Spark 3.5.x dependencies

• References:

• Jetty releases: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-server/
• Spark compatibility matrix: https://spark.apache.org/docs/3.5.4/
• Maven dependency management: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html

[mamccorm]

GHSA-j26w-f9rq-mr2q

• has pending-upstream-fix: https://github.com/wolfi-dev/advisories/blob/1f83928cd69a279dee53816feb1676284cabad0c/spark-3.5-scala-2.13.advisories.yaml#L678

GHSA-g8m5-722r-8whq

• has pending-upstream-fix: https://github.com/wolfi-dev/advisories/blob/1f83928cd69a279dee53816feb1676284cabad0c/spark-3.5-scala-2.13.advisories.yaml#L909

Outstanding:
GHSA-rcjc-c4pj-xxrp

• detected, no advisory: https://github.com/wolfi-dev/advisories/blob/1f83928cd69a279dee53816feb1676284cabad0c/spark-3.5-scala-2.13.advisories.yaml#L584

GHSA-8qv5-68g4-248j

• detected, no advisory: https://github.com/wolfi-dev/advisories/blob/1f83928cd69a279dee53816feb1676284cabad0c/spark-3.5-scala-2.13.advisories.yaml#L350

GHSA-2jc4-r94c-rp7h

• detected, no advisory: https://github.com/wolfi-dev/advisories/blob/1f83928cd69a279dee53816feb1676284cabad0c/spark-3.5-scala-2.13.advisories.yaml#L150

[mamccorm]

I removed the attempted pombumps for jetty, as advisories were required for them (see last comment)

[jamie-albert]

#39819

[mamccorm]

This should be resolved by the work done in this PR:

• spark-3.5-scala-2.13/GHSA-8qv5-68g4-248j/GHSA-2jc4-r94c-rp7h-fix #39819