Conversation

octo-sts bot (Contributor) commented May 9, 2025

tez/0.10.4-r7: fix GHSA-4g8c-wm8x-jfhw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/tez.advisories.yaml


"Breadcrumbs" for this automated service

octo-sts bot added the labels automated pr, GHSA-4g8c-wm8x-jfhw, maven/pombump, request-cve-remediation, bincapz/pass (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages) and auto-approver-bot/initial-checks-failed on May 9, 2025
@kbsteere kbsteere self-assigned this May 12, 2025
kbsteere force-pushed the cve-tez-0.10.4-r7-aae6647fcfc8585ec1f565eb1891bc20 branch from 9d44e24 to 5d86c84 on May 13, 2025 20:36
octo-sts bot (Contributor, Author) commented May 13, 2025

📦 Build Failed: Missing Dependency

package io.netty.handler.ssl does not exist

Build Details

Build System: Maven
Failure Point: maven-compiler-plugin:3.8.1:compile (default-compile) on project tez-runtime-library

Root Cause Analysis 🔍

The build is missing required Netty SSL dependencies. The code in SSLFactory.java is trying to use classes from io.netty.handler.ssl package (JdkSslContext, SupportedCipherSuiteFilter), but these classes are not available on the classpath.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: pombump-deps.yaml (create)

patches:
  - groupId: io.netty
    artifactId: netty-handler
    version: 4.1.118.Final
  - groupId: io.netty
    artifactId: netty-transport-native-epoll
    version: 4.1.118.Final
  - groupId: io.netty
    artifactId: netty-codec-http
    version: 4.1.118.Final

File: pombump-properties.yaml (create)

properties:
  - property: netty.version
    value: 4.1.118.Final

Analysis

Looking at the similar fixed build failures, the common pattern is missing Netty SSL dependencies, particularly from the io.netty.handler.ssl package. Each fix addressed this by either:

  1. Updating the Netty version to a compatible release (4.1.118.Final in two examples)
  2. Adding the missing Netty dependencies explicitly in pombump configuration
  3. Using properties files rather than direct dependency patches for better dependency resolution

The current error shows the same pattern - the build is missing required Netty SSL classes (particularly JdkSslContext and SupportedCipherSuiteFilter from io.netty.handler.ssl) which need to be added to the classpath.

Explanation

The suggested changes address the root cause of the build failure by explicitly adding the necessary Netty dependencies to the build.

The current failure occurs because the code in SSLFactory.java is trying to use classes from io.netty.handler.ssl package (specifically JdkSslContext and SupportedCipherSuiteFilter), but these classes are not available on the classpath. The netty-handler artifact contains the SSL handler classes that are missing.

I'm recommending Netty version 4.1.118.Final based on the successful fixes in two of the similar examples. This version is recent and stable, which aligns with Wolfi's principle of keeping packages up to date.

The solution adds three key Netty dependencies:

  1. netty-handler - Contains the SSL handler classes directly referenced in the error
  2. netty-transport-native-epoll - Often required alongside netty-handler for proper SSL functionality
  3. netty-codec-http - Provides HTTP protocol support which is often used with Netty SSL

Additionally, I'm creating a properties file to set the netty.version property which helps ensure consistent versions across transitive dependencies. This approach was successful in fix examples #2 and #3 and helps prevent version conflicts.

This approach should resolve the compilation error by providing the missing classes while maintaining compatibility with the existing build system.

Alternative Approaches

  • Use just the properties file approach (without explicit dependencies) like in fix example #2, relying on the project's internal dependency management to pull in the correct versions
  • Add only the netty-handler dependency which contains the specific missing classes, though this risks further dependency issues with related Netty components
  • Add explicit dependencies on netty-handler-ssl and netty-handler-ssl-ocsp directly if the project specifically needs those components
  • Use a more comprehensive approach by updating other related dependencies beyond just Netty to ensure full compatibility

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
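As an added consistency check (not part of this PR, of pombump, or of the bot's tooling), the script below verifies what the suggested changes rely on: that every io.netty patch in pombump-deps.yaml is pinned to the same version as the netty.version property in pombump-properties.yaml, and that netty-handler, the artifact providing io.netty.handler.ssl, is among the patched artifacts. The sample input is constructed from the files proposed above; the parser helper is hypothetical and only reads this flat shape, not general YAML.

```python
# Constructed sample input: the two pombump files the bot's comment proposes.
DEPS_OK = """patches:
  - groupId: io.netty
    artifactId: netty-handler
    version: 4.1.118.Final
  - groupId: io.netty
    artifactId: netty-transport-native-epoll
    version: 4.1.118.Final
  - groupId: io.netty
    artifactId: netty-codec-http
    version: 4.1.118.Final
"""
PROPS_OK = """properties:
  - property: netty.version
    value: 4.1.118.Final
"""

def parse_list_of_maps(text, section):
    """Hypothetical minimal reader for the flat list-of-maps shape of pombump files (not a full YAML parser)."""
    items, inside = [], False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):          # a top-level key opens/closes a section
            inside = raw.strip().rstrip(":") == section
            continue
        if not inside:
            continue
        body = raw.strip()
        if body.startswith("- "):            # "- " starts a new list item
            items.append({})
            body = body[2:]
        key, _, value = body.partition(":")
        items[-1][key.strip()] = value.strip()
    return items

def check_netty_pins(deps_yaml, props_yaml):
    """Return findings; an empty list means the Netty pins are consistent."""
    patches = parse_list_of_maps(deps_yaml, "patches")
    props = {p["property"]: p["value"] for p in parse_list_of_maps(props_yaml, "properties")}
    expected = props.get("netty.version")
    findings = [] if expected else ["netty.version property is not set"]
    netty = [p for p in patches if p.get("groupId") == "io.netty"]
    if not any(p.get("artifactId") == "netty-handler" for p in netty):
        findings.append("netty-handler (provides io.netty.handler.ssl) is not patched")
    for p in netty:
        if expected and p.get("version") != expected:
            findings.append(f"{p['artifactId']} is {p['version']}, netty.version is {expected}")
    return findings
```

A non-empty result flags a patch set that would leave mixed Netty versions on the classpath, which is the kind of drift the properties file is meant to prevent.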

octo-sts bot added the label ai/skip-comment (Stop AI from commenting on PR) on May 13, 2025
Signed-off-by: Kyle Steere <kyle.steere@chainguard.dev>
kbsteere force-pushed the cve-tez-0.10.4-r7-aae6647fcfc8585ec1f565eb1891bc20 branch from 5d86c84 to f44d663 on May 13, 2025 20:49
kbsteere (Member) commented:
Advisories for un-patched packages: wolfi-dev/advisories#18778

kwmonroe merged commit 9100f4f into main on May 13, 2025
16 of 17 checks passed
kwmonroe deleted the cve-tez-0.10.4-r7-aae6647fcfc8585ec1f565eb1891bc20 branch on May 13, 2025 21:53