From 3681a52ade7b935ac5c07b6f38503c35966167ff Mon Sep 17 00:00:00 2001
From: Debasish Biswas
Date: Wed, 25 Dec 2024 14:23:16 +0530
Subject: [PATCH 1/2] Adv(Pending-upstream): advisory has been coppied from https://github.com/wolfi-dev/advisories/pull/9165 this is a renamed package so all the advisory should be same
Signed-off-by: Debasish Biswas
---
 neo4j-5.26.advisories.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/neo4j-5.26.advisories.yaml b/neo4j-5.26.advisories.yaml
index 66a3cbe137..24fb1486f2 100644
--- a/neo4j-5.26.advisories.yaml
+++ b/neo4j-5.26.advisories.yaml
@@ -21,3 +21,12 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/neo4j/lib/jetty-http-10.0.24.jar
 scanner: grype
+ - timestamp: 2024-12-25T08:50:22Z
+ type: pending-upstream-fix
+ data:
+ note: |
+ This vulnerability relates to the 'jetty-http' dependency, which is fixed in v12.0.12 and later.
+ Unfortunately, we are not able to remediate this CVE, as bumping this dependency version results in build failures.
+ Specifically, there are version conflicts between the various jetty dependencies. Attempting to bump the related dependencies to the same version, results in different build issues.
+ Another component: 'jetty-servlet', has also been relocated to a new location in maven central: https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-servlet. This requires additional code changes.
+ All attempts were made to chain up the required changes, but to no avail. Pending fix from upstream.
From 4a20f0174ae486b70c221e2395fccc83b18ebca3 Mon Sep 17 00:00:00 2001
From: Debasish Biswas
Date: Wed, 25 Dec 2024 15:07:49 +0530
Subject: [PATCH 2/2] Yam lint
Signed-off-by: Debasish Biswas
---
 neo4j-5.26.advisories.yaml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/neo4j-5.26.advisories.yaml b/neo4j-5.26.advisories.yaml
index 24fb1486f2..a0acb7c9a1 100644
--- a/neo4j-5.26.advisories.yaml
+++ b/neo4j-5.26.advisories.yaml
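Review bot: The added note says the issue is fixed in jetty-http v12.0.12 and later, but the context line above shows the packaged artifact is jetty-http-10.0.24.jar, so a reader cannot tell whether the only fix requires a cross-major upgrade or whether a patched release exists on the 10.0.x line that would sidestep the jetty version conflicts and the jetty-servlet relocation the note describes. Suggest stating that explicitly in the note, e.g. `The packaged jetty-http is on the 10.0.x line; [state whether a fixed 10.0.x release exists and, if so, why it cannot be used].` The closing "Pending fix from upstream" also carries no upstream issue or PR reference; if one exists, linking it gives this pending-upstream-fix event something concrete to be re-checked against when the advisory is revisited. The advisory entry this event belongs to, with its id and earlier events, starts above the hunk.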
@@ -21,12 +21,12 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/neo4j/lib/jetty-http-10.0.24.jar
 scanner: grype
- - timestamp: 2024-12-25T08:50:22Z
- type: pending-upstream-fix
- data:
- note: |
- This vulnerability relates to the 'jetty-http' dependency, which is fixed in v12.0.12 and later.
- Unfortunately, we are not able to remediate this CVE, as bumping this dependency version results in build failures.
- Specifically, there are version conflicts between the various jetty dependencies. Attempting to bump the related dependencies to the same version, results in different build issues.
- Another component: 'jetty-servlet', has also been relocated to a new location in maven central: https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-servlet. This requires additional code changes.
- All attempts were made to chain up the required changes, but to no avail. Pending fix from upstream.
+ - timestamp: 2024-12-25T08:50:22Z
+ type: pending-upstream-fix
+ data:
+ note: |
+ This vulnerability relates to the 'jetty-http' dependency, which is fixed in v12.0.12 and later.
+ Unfortunately, we are not able to remediate this CVE, as bumping this dependency version results in build failures.
+ Specifically, there are version conflicts between the various jetty dependencies. Attempting to bump the related dependencies to the same version, results in different build issues.
+ Another component: 'jetty-servlet', has also been relocated to a new location in maven central: https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-servlet. This requires additional code changes.
+ All attempts were made to chain up the required changes, but to no avail. Pending fix from upstream.