
trino/467-r0: cve remediation #38101

Closed
wants to merge 4 commits into from

Conversation

octo-sts[bot]
Contributor

@octo-sts octo-sts bot commented Dec 20, 2024

Contributor Author

octo-sts bot commented Dec 20, 2024

Gen AI suggestions to solve the build error:

• Detected Error:

[ERROR] Failed to execute goal on project trino-plugin-toolkit: Could not resolve dependencies for project io.trino:trino-plugin-toolkit:jar:467
[ERROR] dependency: ch.qos.logback:logback-core:jar:1.15.13 (import)
[ERROR] Could not find artifact ch.qos.logback:logback-core:jar:1.15.13 in central

• Error Category: Dependency

• Failure Point: Maven dependency resolution during package build

• Root Cause Analysis: The pombump tool is trying to upgrade logback-core to version 1.15.13, which doesn't exist. The current latest version of logback-core is 1.4.14.

• Suggested Fix: Modify the pombump version constraint in the pipeline:

  1. Add a version constraint override in the uses: maven/pombump step:
  - uses: maven/pombump
    with:
      version-constraints:
        - "ch.qos.logback:logback-core:1.4.14"

• Explanation: The pombump tool is attempting to use a non-existent version (1.15.13) of logback-core. By explicitly setting the version to the latest stable release (1.4.14), the dependency resolution should succeed.

• Additional Notes:

  • Logback versioning follows semantic versioning
  • Version 1.4.x is the current stable release line
  • The attempted version 1.15.13 appears to be an invalid version number

• References:

Signed-off-by: Mark McCormick <mark.mccormick@chainguard.dev>
@mamccorm
Member

Closing as there is a newer version (dup) of this update, which includes both the CVEs.

@mamccorm mamccorm closed this Jan 16, 2025