Jeff Lu
Hi, @salyh, @gaiksaya, @bbarani, just want to follow up if we can close this issue, and use https://github.com/opensearch-project/opensearch-build/issues/58 to track further, thanks.
Once we upgrade to the latest Jenkins version, this CVE may be addressed.
We are looking for any possible ways to resolve this CVE without the need of adding more independent dependencies in build.gradle.
Once we upgrade to the latest Jenkins version, this CVE may be addressed.
Once we upgrade to the latest Jenkins, this CVE may be addressed.
Maybe we can add `cfInvalidate(distribution:'someDistributionId', paths:['/*'], waitForCompletion: true)` after this line: https://github.com/opensearch-project/opensearch-build-libraries/blob/2.0.2/vars/promoteRepos.groovy#L213. We will need to use the AWS CLI to retrieve the CloudFront Distribution Id first, maybe something like this...
The next step is to assign a release manager; the 1.3.17 release window will open on [May 28th, 2024](https://opensearch.org/releases.html).
Once we upgrade to the latest Jenkins, this CVE may be addressed.
This CVE could be fixed by a future Jenkins core upgrade.
The package affected by this CVE could be a cached dependency to others. Currently unable to address the issue like this; may need the support from Mend/WhiteSource.