trino/467-r0: cve remediation

[octo-sts]

trino/467-r0: fix GHSA-pr98-23f8-jwxv/CVE-2024-34158/GHSA-f686-hw9c-xw9c/

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/trino.advisories.yaml

[octo-sts]

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

• Detected Error:

[ERROR] Failed to read artifact descriptor for io.airlift:testing:jar:293
[ERROR] Caused by: The following artifacts could not be resolved: io.airlift:testing:pom:293 (absent): Could not transfer artifact io.airlift:testing:pom:293 from/to central (https://repo.maven.apache.org/maven2): Connect to repo.maven.apache.org:443 failed: Connect timed out

• Error Category: Dependency/Network

• Failure Point: Maven dependency resolution during the build step

• Root Cause Analysis: Maven is unable to download required dependencies from Maven Central due to network connectivity issues or timeouts

• Suggested Fix:

1. Add Maven repository mirrors to the build configuration:

pipeline:
  - runs: |
      mkdir -p /root/.m2
      cat << EOF > /root/.m2/settings.xml
      <settings>
        <mirrors>
          <mirror>
            <id>google-maven-central</id>
            <name>Google Maven Central</name>
            <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
            <mirrorOf>central</mirrorOf>
          </mirror>
        </mirrors>
      </settings>
      EOF

2. Add this before the Maven build command

• Explanation: The build is failing because it cannot reach Maven Central reliably. Adding Google's Maven Central mirror provides a more reliable alternative that should resolve the connection timeout issues.

• Additional Notes:

• The error shows multiple dependency resolution failures, all stemming from network connectivity issues
• Using an alternative mirror can help bypass potential network restrictions or reliability issues
• Google's Maven Central mirror is generally more reliable and has better global connectivity

• References:

• Maven Repository Mirror Configuration: https://maven.apache.org/guides/mini/guide-mirror-settings.html
• Google Maven Central Mirror: https://maven-central.storage.googleapis.com/maven2/

[mamccorm]

These have advisory entries:

• https://github.com/wolfi-dev/advisories/blob/main/trino.advisories.yaml

Specifically:

• GHSA-j7vj-rw65-4v26 - has pending-upstream-fix filed
• GHSA-pr98-23f8-jwxv - has fixed event recorded
• GHSA-f686-hw9c-xw9c - had fixed event recorded, then a detection was opened again?

More details on GHSA-f686-hw9c-xw9c issue (above). Fixed event recorded on 2024-11-06:

• wolfi-dev/advisories@fff2d87

New detected event on 2024-11-15:

• wolfi-dev/advisories@36fa14c

Performed a scan of the same package, and it does not return any findings for: GHSA-f686-hw9c-xw9c? And I don't see any remediation tickets opened.

I'm going to close this, and if automation re-opens we'll dig in deeper