@octo-sts octo-sts bot commented May 23, 2025

celeborn-0.5/0.5.4-r0: fix GHSA-4g8c-wm8x-jfhw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/celeborn-0.5.advisories.yaml


"Breadcrumbs" for this automated service

octo-sts bot commented May 23, 2025

📦 Build Failed: Missing Dependency

package io.netty.handler.ssl does not exist

Build Details

Build System: Maven/Scala
Failure Point: net.alchim31.maven:scala-maven-plugin:4.9.2:compile (scala-compile-first)

Root Cause Analysis 🔍

The build is missing the Netty dependencies required for SSL, streaming, timeout handling, and logging. Multiple Java source files are referencing Netty packages (io.netty.handler.ssl, io.netty.handler.stream, io.netty.handler.timeout, io.netty.handler.logging) that are not available in the classpath, causing compilation errors.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: celeborn-0.5/pombump-properties.yaml (create)

Content:

    properties:
      - property: netty-version
        value: 4.1.118.Final

Analysis

The error indicates missing Netty dependencies, specifically from io.netty.handler.ssl package. In the similar fixed issue (#42316), the solution involved updating the Netty version by modifying the pombump-properties.yaml file to use a more recent version of Netty. The error patterns are identical - both failures involve missing Netty handler classes during compilation. The key insight is that the celeborn package needs to have its Maven build configuration updated to include or properly version the required Netty dependencies that contain the SSL, streaming, timeout, and logging handler packages.


Explanation

The current build failure shows that classes from the io.netty.handler.ssl package are missing during compilation, along with other Netty handler packages. This is likely because either the Netty dependencies are missing altogether or an incompatible version is being used.

By creating a pombump-properties.yaml file with the latest stable Netty version (4.1.118.Final), we're instructing the Maven build system to use this specific version for all Netty dependencies in the project. This is the same approach that worked in the similar fixed issue.

The pombump feature in Melange reads these property files and modifies the Maven POM files appropriately before the build starts. This ensures that the correct versions of dependencies are used without having to manually edit the original source code's POM files.

The netty-version property will be applied to all Netty dependencies in the project's POM files, ensuring that the required handler modules (including SSL, streaming, timeout, and logging) are available at compile time with a compatible version.


Alternative Approaches

  • Create a pombump-deps.yaml file to explicitly add the missing Netty modules as dependencies: io.netty:netty-handler-ssl, io.netty:netty-handler-stream, io.netty:netty-handler-timeout, and io.netty:netty-handler-logging.
  • Modify the Maven build command to include the missing dependencies using the -Dnetty.version flag directly in the runs script.
  • Create a patches directory with a custom patch file that directly modifies the project's pom.xml files to include the missing dependencies.

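Added example, not part of the PR and not pombump's or melange's own implementation: a small Python model of the mechanism the fix suggestion above relies on. A pombump-properties.yaml entry overrides a Maven property, and every dependency whose <version> references ${netty-version} then resolves to the new release. The POM, the YAML text and the tiny YAML parser (used so the script runs without PyYAML) are constructed for this illustration; that the override is modelled as rewriting <properties> is an assumption. Two facts worth having next to the suggestion: the packages named in the compile error (io.netty.handler.ssl, .stream, .timeout and .logging) all ship in the single artifact io.netty:netty-handler, and a property override only affects dependencies whose version actually references the property. The second dependency in the sample pins a literal version and is left untouched, which is the check to make against the upstream POMs before relying on this fix alone.

```python
"""Model of a pombump-properties.yaml override applied to a Maven POM.
Example code only; not pombump's or melange's implementation."""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
ET.register_namespace("", POM_NS)

# Constructed: same shape as the pombump-properties.yaml suggested above.
POMBUMP_PROPERTIES_YAML = """\
properties:
  - property: netty-version
    value: 4.1.118.Final
"""

# Constructed minimal POM. io.netty:netty-handler is the artifact that ships
# io.netty.handler.{ssl,stream,timeout,logging}; the second dependency pins a
# literal version to show what a property override does NOT touch.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>celeborn-sample</artifactId>
  <version>0.5.4</version>
  <properties>
    <netty-version>4.1.100.Final</netty-version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler</artifactId>
      <version>${netty-version}</version>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-codec</artifactId>
      <version>4.1.100.Final</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_pombump_properties(text):
    """Hand parser for the property/value list schema used above (so the
    example runs without PyYAML). Returns {property: value}."""
    props, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*-\s*property:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*value:\s*(\S+)", line)
        if m and current is not None:
            props[current] = m.group(1)
            current = None
    return props


def apply_property_overrides(pom_xml, overrides):
    """Set each override inside <properties>, creating the element or the
    property if absent (assumed model of the rewrite). Returns the POM text."""
    root = ET.fromstring(pom_xml)
    props = root.find("m:properties", NS)
    if props is None:
        props = ET.SubElement(root, f"{{{POM_NS}}}properties")
    for name, value in overrides.items():
        el = props.find(f"m:{name}", NS)
        if el is None:
            el = ET.SubElement(props, f"{{{POM_NS}}}{name}")
        el.text = value
    return ET.tostring(root, encoding="unicode")


def resolved_dependency_versions(pom_xml):
    """Interpolate ${prop} in each dependency's <version> as Maven does for
    this flat case (no parent POM, profiles or dependencyManagement).
    Returns {'groupId:artifactId': resolved_version}."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", NS)
    if props_el is not None:
        for el in props_el:
            props[el.tag.split("}")[1]] = (el.text or "").strip()
    resolved = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        gav = "%s:%s" % (dep.findtext("m:groupId", namespaces=NS),
                         dep.findtext("m:artifactId", namespaces=NS))
        version = dep.findtext("m:version", default="", namespaces=NS)
        resolved[gav] = re.sub(r"\$\{([^}]+)\}",
                               lambda m: props.get(m.group(1), m.group(0)),
                               version)
    return resolved


def bump(pom_xml=SAMPLE_POM, yaml_text=POMBUMP_PROPERTIES_YAML):
    """Apply the override and return (before, after) resolved versions."""
    before = resolved_dependency_versions(pom_xml)
    after = resolved_dependency_versions(
        apply_property_overrides(pom_xml, parse_pombump_properties(yaml_text)))
    return before, after


if __name__ == "__main__":
    before, after = bump()
    for gav in before:
        print(f"{gav}: {before[gav]} -> {after[gav]}")
```

Running it prints netty-handler moving from 4.1.100.Final to 4.1.118.Final while netty-codec stays at its literal 4.1.100.Final. Pointing the same function at the real celeborn POMs (grep them for ${netty-version} or whatever property name they use) tells you whether a pombump-properties.yaml entry can reach the dependency the compiler complained about at all.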

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label May 23, 2025
octo-sts bot commented May 26, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-h2mf-j788-9q69 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/celeborn-0.5.advisories.yaml

ID:      CGA-h2mf-j788-9q69
Package: celeborn-0.5
Aliases: CVE-2025-24970 GHSA-4g8c-wm8x-jfhw
Events:
  - "scan/v1" at 2025-05-22 16:20:02 UTC
  - "pending-upstream-fix" at 2025-05-22 19:16:57 UTC
