From 3ae4347b77569ec0accf2ec4ec295c89b4ee8429 Mon Sep 17 00:00:00 2001
From: hectorj2f
Date: Fri, 31 May 2024 01:04:26 +0200
Subject: [PATCH] opensearch-2: advisory entry for bouncycastle CVEs
Signed-off-by: hectorj2f
---
 opensearch-2.advisories.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/opensearch-2.advisories.yaml b/opensearch-2.advisories.yaml
index b8dc4315bf..0ae8c263be 100644
--- a/opensearch-2.advisories.yaml
+++ b/opensearch-2.advisories.yaml
@@ -162,6 +162,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/opensearch/lib/tools/plugin-cli/bc-fips-1.0.2.4.jar
 scanner: grype
+ - timestamp: 2024-05-30T23:00:31Z
+ type: pending-upstream-fix
+ data:
+ note: The subpackage opensearch-performance-analyzer compilation hardcodes the cloning a specific branch of opensearch-performance-analyzer-rca repository with the vulnerable libraries. This requires upstream changes to opensearch-performance-analyzer-rca repository.

 - id: CGA-35r6-m6p6-xc93
 aliases:
@@ -180,6 +184,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/opensearch/plugins/opensearch-identity-shiro/bcprov-jdk18on-1.77.jar
 scanner: grype
+ - timestamp: 2024-05-30T23:00:31Z
+ type: pending-upstream-fix
+ data:
+ note: The subpackage opensearch-performance-analyzer compilation hardcodes the cloning a specific branch of opensearch-performance-analyzer-rca repository with the vulnerable libraries. This requires upstream changes to opensearch-performance-analyzer-rca repository.

 - id: CGA-h94h-f38q-chh8
 aliases:
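Review bot: The `pending-upstream-fix` note added here blames the opensearch-performance-analyzer subpackage, but the detection event just above it in this hunk points at `/usr/share/opensearch/lib/tools/plugin-cli/bc-fips-1.0.2.4.jar`, and the three later hunks append the identical note after detections under `/usr/share/opensearch/plugins/opensearch-identity-shiro/`; neither path appears to belong to that subpackage. If those jars ship in the main package, this event marks a finding as blocked upstream that may be fixable here, so each advisory should get a note that matches the jar the scanner matched, or the note should explain how the opensearch-performance-analyzer-rca build produces these paths. The note also says "a specific branch" without naming it or linking an upstream issue; something like `note: ... clones branch <BRANCH> of opensearch-performance-analyzer-rca ...; tracked in <UPSTREAM-ISSUE-URL>` would let a later reader tell when the event can be superseded. Earlier events of each advisory lie outside the hunks, so other detections may exist that are not visible here.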
@@ -198,6 +206,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/opensearch/plugins/opensearch-identity-shiro/bcprov-jdk18on-1.77.jar
 scanner: grype
+ - timestamp: 2024-05-30T23:00:31Z
+ type: pending-upstream-fix
+ data:
+ note: The subpackage opensearch-performance-analyzer compilation hardcodes the cloning a specific branch of opensearch-performance-analyzer-rca repository with the vulnerable libraries. This requires upstream changes to opensearch-performance-analyzer-rca repository.

 - id: CGA-2wgv-29fq-xg2j
 aliases:
@@ -216,3 +228,8 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/opensearch/plugins/opensearch-identity-shiro/bcprov-jdk18on-1.77.jar
 scanner: grype
+ - timestamp: 2024-05-30T23:00:31Z
+ type: pending-upstream-fix
+ data:
+ note: The subpackage opensearch-performance-analyzer compilation hardcodes the cloning a specific branch of opensearch-performance-analyzer-rca repository with the vulnerable libraries. This requires upstream changes to opensearch-performance-analyzer-rca repository.
+