spark-3.5-scala-2.13/3.5.4-r0: cve remediation #38452

Open
@octo-sts octo-sts bot commented Dec 28, 2024


octo-sts bot commented Dec 28, 2024

Gen AI suggestions to solve the build error:

Based on the build error, I'll provide a structured analysis and solution:

• Detected Error: "Could not resolve dependencies for project org.apache.spark:spark-core_2.13:jar:3.5.4: The following artifacts could not be resolved: org.eclipse.jetty:jetty-server:jar:9.4.56"

• Error Category: Dependency

• Failure Point: Maven dependency resolution for spark-core_2.13 module

• Root Cause Analysis:
The build is failing because it cannot find Jetty server version 9.4.56 in the Maven repository. This appears to be an incorrect version specification as Jetty 9.4.56 is not a valid release version.

• Suggested Fix:
Update the jetty dependencies in the pom.xml (we need to modify pombump-properties.yaml) to use the latest stable 9.4.x version:

# In pombump-properties.yaml
properties:
  jetty.version: 9.4.54.v20240208  # Update to latest stable 9.4.x version

• Explanation:

  • Jetty 9.4.56 doesn't exist in Maven Central
  • Version 9.4.54.v20240208 is the latest stable release in the 9.4.x series
  • This aligns with Spark's compatibility requirements
  • The fix ensures all Jetty components are on the same version

• Additional Notes:

  • Make sure both jetty-server and jetty-servlets use the same version
  • Consider adding version management in properties section
  • Test locally before pushing changes
  • This maintains compatibility with existing Spark 3.5.x dependencies
