From 1283eee66e52013c454ce058f39d093d536e3802 Mon Sep 17 00:00:00 2001
From: jamie-albert
Date: Fri, 17 Jan 2025 06:34:31 -0800
Subject: [PATCH] spark derby and jackson-mapper-asl advisory updates (#11298)
---
 spark-3.5-scala-2.13.advisories.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/spark-3.5-scala-2.13.advisories.yaml b/spark-3.5-scala-2.13.advisories.yaml
index 809052298..3dd733bb0 100644
--- a/spark-3.5-scala-2.13.advisories.yaml
+++ b/spark-3.5-scala-2.13.advisories.yaml
@@ -299,6 +299,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/lib/python3.13/site-packages/pyspark/jars/jackson-mapper-asl-1.9.13.jar
 scanner: grype
+ - timestamp: 2025-01-17T11:23:37Z
+ type: pending-upstream-fix
+ data:
+ note: This relates to jackson-mapper-asl, which is no longer maintained. Apache Spark has taken actions to remove their own dependency on the library, however a transitive dependency (ranger), still requires it. Waiting for upstream https://issues.apache.org/jira/browse/NIFI-11659.
 - id: CGA-95rq-pqfg-9383
 aliases:
@@ -555,6 +559,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/lib/python3.13/site-packages/pyspark/jars/jackson-mapper-asl-1.9.13.jar
 scanner: grype
+ - timestamp: 2025-01-17T11:21:23Z
+ type: pending-upstream-fix
+ data:
+ note: This relates to jackson-mapper-asl, which is no longer maintained. Apache Spark has taken actions to remove their own dependency on the library, however a transitive dependency (ranger), still requires it. Waiting for upstream https://issues.apache.org/jira/browse/NIFI-11659.
 - id: CGA-g9g9-hh8j-v9h4
 aliases:
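Review bot: The `note` added in the hunk at line 299 names ranger as the transitive dependency that still requires jackson-mapper-asl, but the issue it waits on is a NiFi ticket (NIFI-11659), so the entry does not show which project's release would clear the finding; the identical note in the hunk at line 555 has the same gap. Since the library is described as no longer maintained, `pending-upstream-fix` here can only resolve when the jar is removed from `pyspark/jars`, not when it is patched, and the note should say so. Something like `note: jackson-mapper-asl is unmaintained and will not be patched; the jar remains until <upstream project> drops the dependency. Tracking: <upstream issue URL>.` would give a checkable exit condition. The advisory entries these events belong to start outside both hunks, so the affected advisory ids are not visible here.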
@@ -595,6 +603,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/lib/python3.13/site-packages/pyspark/jars/derby-10.14.2.0.jar
 scanner: grype
+ - timestamp: 2025-01-16T18:08:57Z
+ type: pending-upstream-fix
+ data:
+ note: This relates to 'derby'. Various fixes where committed to main branch in Dec 2023 but we are waiting for a release to be created with these changes. https://github.com/apache/spark/pull/44174
 - id: CGA-hcx6-4xcx-96pr
 aliases:
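Review bot: The added `note` has a typo (`where committed` should be `were committed`) and names no release to watch for: it says the fixes reached the main branch in Dec 2023, yet the event is dated 2025-01-16 and the scanned jar is still `derby-10.14.2.0.jar`. It would help to state whether the linked change is expected in a 3.5.x release, since this file covers spark-3.5; if it exists only on main, the advisory may stay pending for the life of this package. Suggested wording: `note: This relates to 'derby'. Fixes were committed to the Spark main branch in Dec 2023 (https://github.com/apache/spark/pull/44174); waiting for a release that includes them.` The advisory entry this event belongs to starts outside the hunk.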