Raising as a separate issue, as one of these is mentioned as appearing in 2.x under #688.
2 CVEs are appearing in the version of Jetty being used in the skills plugin:
2024-13009 is marked as resolved in #599; however, by only excluding jetty-server, security scans are still flagging this CVE under jetty-io, which is still present.
The Jetty libraries look to be brought in via spark-core, of which the skills plugin is currently using version 'spark-core_2.13:3.5.4'.
Version 3.5.7 of Spark looks to bump Jetty to the vulnerability-free version in this commit, and as such upgrading the Spark libraries would seem to resolve these CVEs.
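A check for the situation described above, where excluding only jetty-server leaves other Jetty modules on the classpath. This is an added example, not code from the project: it assumes a Gradle build, and the tree text, the placeholder versions and `com.example:other-lib` are constructed for illustration.

```python
import re

# Constructed sample in the shape of `gradle dependencies` output (assumed build
# tool). Versions are placeholders, not the plugin's real resolved versions, and
# com.example:other-lib is hypothetical. jetty-server is already excluded here.
SAMPLE_TREE = """\
+--- org.apache.spark:spark-core_2.13:3.5.4
|    +--- org.eclipse.jetty:jetty-servlet:0.0.0-sample
|    |    \\--- org.eclipse.jetty:jetty-security:0.0.0-sample
|    \\--- org.eclipse.jetty:jetty-io:0.0.0-sample
|         \\--- org.eclipse.jetty:jetty-util:0.0.0-sample
\\--- com.example:other-lib:1.0
     \\--- org.eclipse.jetty:jetty-io:0.0.0-sample (*)
"""

# A tree node is an indent made of "|" and spaces (5 characters per level),
# then "+--- " or "\--- ", then the group:name:version coordinate.
NODE = re.compile(r"^(?P<indent>[| ]*)[+\\]--- (?P<coord>\S+)")


def jetty_modules(tree, group="org.eclipse.jetty"):
    """Map each module of `group` still in the tree to the set of top-level
    dependencies that pull it in."""
    stack = []   # coordinates from the top-level dependency down to this node
    found = {}
    for line in tree.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        depth = len(m.group("indent")) // 5
        del stack[depth:]              # drop siblings and deeper nodes
        stack.append(m.group("coord"))
        parts = m.group("coord").split(":")
        if parts[0] == group and len(parts) > 1:
            found.setdefault(parts[1], set()).add(stack[0])
    return found


if __name__ == "__main__":
    for module, roots in sorted(jetty_modules(SAMPLE_TREE).items()):
        print(f"{module}: still present via {', '.join(sorted(roots))}")
```

Running it against the real dependency report after an exclusion or a Spark upgrade shows whether any Jetty module remains and which top-level dependency is responsible.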