opensearch-2: advisory entry for bouncycastle CVEs (#5099)

Signed-off-by: hectorj2f <hector@chainguard.dev>
wolfi-dev · May 30, 2024 · 52c4fbb · 52c4fbb
1 parent d5728a0
commit 52c4fbb
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/opensearch-2.advisories.yaml b/opensearch-2.advisories.yaml
@@ -162,6 +162,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/opensearch/lib/tools/plugin-cli/bc-fips-1.0.2.4.jar
             scanner: grype
+      - timestamp: 2024-05-30T23:00:31Z
+        type: pending-upstream-fix
+        data:
+          note: The subpackage opensearch-performance-analyzer compilation hardcodes the cloning a specific branch of opensearch-performance-analyzer-rca repository with the vulnerable libraries. This requires upstream changes to opensearch-performance-analyzer-rca repository.
 
   - id: CGA-35r6-m6p6-xc93
     aliases:
@@ -180,6 +184,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/opensearch/plugins/opensearch-identity-shiro/bcprov-jdk18on-1.77.jar
             scanner: grype
+      - timestamp: 2024-05-30T23:00:31Z
+        type: pending-upstream-fix
+        data:
+          note: The subpackage opensearch-performance-analyzer compilation hardcodes the cloning a specific branch of opensearch-performance-analyzer-rca repository with the vulnerable libraries. This requires upstream changes to opensearch-performance-analyzer-rca repository.
 
   - id: CGA-h94h-f38q-chh8
     aliases:
@@ -198,6 +206,10 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/opensearch/plugins/opensearch-identity-shiro/bcprov-jdk18on-1.77.jar
             scanner: grype
+      - timestamp: 2024-05-30T23:00:31Z
+        type: pending-upstream-fix
+        data:
+          note: The subpackage opensearch-performance-analyzer compilation hardcodes the cloning a specific branch of opensearch-performance-analyzer-rca repository with the vulnerable libraries. This requires upstream changes to opensearch-performance-analyzer-rca repository.
 
   - id: CGA-2wgv-29fq-xg2j
     aliases:
@@ -216,3 +228,7 @@ advisories:
             componentType: java-archive
             componentLocation: /usr/share/opensearch/plugins/opensearch-identity-shiro/bcprov-jdk18on-1.77.jar
             scanner: grype
+      - timestamp: 2024-05-30T23:00:31Z
+        type: pending-upstream-fix
+        data:
+          note: The subpackage opensearch-performance-analyzer compilation hardcodes the cloning a specific branch of opensearch-performance-analyzer-rca repository with the vulnerable libraries. This requires upstream changes to opensearch-performance-analyzer-rca repository.