tez/0.10.4-r1: cve remediation

[octo-sts]

tez/0.10.4-r1: fix GHSA-mfj5-cf8g-g2fv/GHSA-pr98-23f8-jwxv/

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/tez.advisories.yaml

[debasishbsws]

GHSA-mfj5-cf8g-g2fv is still present in the scan

[mamccorm]

Advisory for: GHSA-mfj5-cf8g-g2fv

• pending-upstream-fix advisory for tez package: GHSA-mfj5-cf8g-g2fv advisories#11305

And also for GHSA-pr98-23f8-jwxv

• pending-upstream-fix advisory for tez: GHSA-pr98-23f8-jwxv advisories#11306

[octo-sts]

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

Based on the Maven build log you've provided, I'll analyze the error and provide a solution:

• Detected Error: Connection timeout/failure when trying to download from Apache snapshots repository while attempting to fetch snappy-java-1.1.10.4.pom

• Error Category: Dependency/Repository

• Failure Point: Maven dependency resolution during build, specifically when trying to download snappy-java artifact

• Root Cause Analysis: The build is attempting to use both the Apache snapshots repository and Maven Central, but appears to be timing out or failing to connect to the Apache snapshots repository

• Suggested Fix:
Add repository configuration to exclude/remove Apache snapshots repository in the Melange YAML:

  - uses: maven/pombump
    with:
      patch-file: patches.yaml
      settings: |
        <settings>
          <mirrors>
            <mirror>
              <id>central-mirror</id>
              <url>https://repo.maven.apache.org/maven2</url>
              <mirrorOf>*</mirrorOf>
            </mirror>
          </mirrors>
        </settings>

• Explanation: This configuration will force Maven to use Maven Central repository exclusively, bypassing the problematic Apache snapshots repository attempts. Since all the required dependencies are available in Maven Central (as shown by the successful downloads in the log), this won't impact dependency resolution while avoiding the connection issues.

• Additional Notes:

• The build log shows successful downloads from Maven Central for other dependencies
• The snappy-java artifact is available in Maven Central
• This approach is more reliable than waiting for timeouts to Apache snapshots
• No functionality will be lost as all required artifacts are in Maven Central

• References:

• Maven Repository Configuration: https://maven.apache.org/guides/mini/guide-mirror-settings.html
• Maven Settings Reference: https://maven.apache.org/settings.html

[mamccorm]

Advisory for: GHSA-mfj5-cf8g-g2fv

• pending-upstream-fix advisory for tez package: GHSA-mfj5-cf8g-g2fv advisories#11305

And also for GHSA-pr98-23f8-jwxv

• pending-upstream-fix advisory for tez: GHSA-pr98-23f8-jwxv advisories#11306