chore(tez): update advisories on transitive dependencies (#8495)

Signed-off-by: Massimiliano Giovagnoli <[email protected]>
wolfi-dev · Sep 29, 2024 · c0944b1 · c0944b1
1 parent 86f62e5
commit c0944b1
Showing 1 changed file with 68 additions and 0 deletions.
diff --git a/tez.advisories.yaml b/tez.advisories.yaml
@@ -21,6 +21,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/commons-compress-1.24.0.jar
             scanner: grype
+      - timestamp: 2024-09-27T15:57:51Z
+        type: pending-upstream-fix
+        data:
+          note: The commons-compress transitive dependency must be bumped to 1.26.0 in the upstream project Hadoop.
 
   - id: CGA-2v7f-j393-2r48
     aliases:
@@ -39,6 +43,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/jackson-mapper-asl-1.9.2.jar
             scanner: grype
+      - timestamp: 2024-09-27T16:13:19Z
+        type: pending-upstream-fix
+        data:
+          note: The jackson-mapper-asl transitive dependency must be bumped in the upstream projects Jersey, Avro, but there's no fix available yet.
 
   - id: CGA-2w4w-28wc-pp53
     aliases:
@@ -57,6 +65,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/bcprov-jdk15on-1.70.jar
             scanner: grype
+      - timestamp: 2024-09-27T15:55:02Z
+        type: pending-upstream-fix
+        data:
+          note: The bcprov-jdk15on transitive dependency must be bumped to 1.78 in the upstream project Hadoop.
 
   - id: CGA-459v-8fm2-rw72
     aliases:
@@ -75,6 +87,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/nimbus-jose-jwt-9.31.jar
             scanner: grype
+      - timestamp: 2024-09-27T16:21:12Z
+        type: pending-upstream-fix
+        data:
+          note: The nimbus-jose-jwt transitive dependency must be bumped to 9.37.2 in the upstream project Hadoop.
 
   - id: CGA-7pfp-wfcr-cm2m
     aliases:
@@ -93,6 +109,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/jackson-mapper-asl-1.9.2.jar
             scanner: grype
+      - timestamp: 2024-09-27T16:17:51Z
+        type: pending-upstream-fix
+        data:
+          note: The jackson-mapper-asl transitive dependency must be bumped in the upstream projects Jersey, Avro, but there's no fix available yet.
 
   - id: CGA-7wc9-mhwq-jwvr
     aliases:
@@ -111,6 +131,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/netty-codec-http-4.1.100.Final.jar
             scanner: grype
+      - timestamp: 2024-09-27T16:18:22Z
+        type: pending-upstream-fix
+        data:
+          note: The netty-codec-http transitive dependency must be bumped to 4.1.108.Final in the upstream project Hadoop.
 
   - id: CGA-8phm-9pxh-w42w
     aliases:
@@ -129,6 +153,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/bcprov-jdk15on-1.70.jar
             scanner: grype
+      - timestamp: 2024-09-27T15:57:22Z
+        type: pending-upstream-fix
+        data:
+          note: The bcprov-jdk15on transitive dependency must be bumped to 1.78 in the upstream project Hadoop.
 
   - id: CGA-9rcg-3q2w-p724
     aliases:
@@ -147,6 +175,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/commons-configuration2-2.8.0.jar
             scanner: grype
+      - timestamp: 2024-09-27T16:02:54Z
+        type: pending-upstream-fix
+        data:
+          note: The commons-configuration2 transitive dependency must be bumped to 2.10.1 in the upstream project Hadoop.
 
   - id: CGA-cvgr-qwcg-f7ww
     aliases:
@@ -165,6 +197,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/bcprov-jdk15on-1.70.jar
             scanner: grype
+      - timestamp: 2024-09-27T15:51:58Z
+        type: pending-upstream-fix
+        data:
+          note: The bcprov-jdk15on transitive dependency must be bumped in the upstream project Hadoop, but there's no fix available yet.
 
   - id: CGA-cxfp-ggmh-c85x
     aliases:
@@ -183,6 +219,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/logback-classic-1.2.10.jar
             scanner: grype
+      - timestamp: 2024-09-29T15:49:22Z
+        type: pending-upstream-fix
+        data:
+          note: The logback-classic transitive dependency must be bumped in the upstream project Hadoop via org.apache.commons-logging.
 
   - id: CGA-f432-w5m5-3jvg
     aliases:
@@ -201,6 +241,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/bcprov-jdk15on-1.70.jar
             scanner: grype
+      - timestamp: 2024-09-27T15:49:22Z
+        type: pending-upstream-fix
+        data:
+          note: The bcprov-jdk15on transitive dependency must be bumped to 1.78 in the upstream project Hadoop.
 
   - id: CGA-fwfm-h859-76rr
     aliases:
@@ -219,6 +263,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/commons-configuration2-2.8.0.jar
             scanner: grype
+      - timestamp: 2024-09-27T16:04:57Z
+        type: pending-upstream-fix
+        data:
+          note: The commons-configuration2 transitive dependency must be bumped to 2.10.1 in the upstream project Hadoop.
 
   - id: CGA-h224-hgr7-998g
     aliases:
@@ -237,6 +285,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/hadoop-shaded-protobuf_3_21-1.2.0.jar
             scanner: grype
+      - timestamp: 2024-09-27T16:09:18Z
+        type: pending-upstream-fix
+        data:
+          note: The protobuf-java transitive dependency shaded in JAR must be bumped to 3.25.5 in the upstream project Hadoop.
 
   - id: CGA-h38x-7w53-r6jq
     aliases:
@@ -255,6 +307,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/commons-compress-1.24.0.jar
             scanner: grype
+      - timestamp: 2024-09-27T15:59:38Z
+        type: pending-upstream-fix
+        data:
+          note: The commons-compress transitive dependency must be bumped to 1.26.0 in the upstream project Hadoop.
 
   - id: CGA-jw9q-fj9p-mwgr
     aliases:
@@ -273,6 +329,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/zookeeper-3.8.3.jar
             scanner: grype
+      - timestamp: 2024-09-27T16:22:26Z
+        type: pending-upstream-fix
+        data:
+          note: The zookeeper transitive dependency must be bumped to 3.8.4 in the upstream project Hadoop.
 
   - id: CGA-x2r8-2m8h-66gj
     aliases:
@@ -291,6 +351,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/avro-1.9.2.jar
             scanner: grype
+      - timestamp: 2024-09-27T15:41:42Z
+        type: pending-upstream-fix
+        data:
+          note: The Avro transitive dependency project must be bumped to 1.11.3 in the upstream Hadoop.
 
   - id: CGA-x6hg-7m8w-2fvw
     aliases:
@@ -309,3 +373,7 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/java/tez/lib/dnsjava-3.4.0.jar
             scanner: grype
+      - timestamp: 2024-09-27T16:06:37Z
+        type: pending-upstream-fix
+        data:
+          note: The dnsjava transitive dependency must be bumped to 3.6.0 in the upstream project Hadoop.