Conversation
@octo-sts octo-sts bot commented Aug 7, 2025

kserve-modelmesh/0.12.0-r12: fix GHSA-4g8c-wm8x-jfhw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kserve-modelmesh.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-4g8c-wm8x-jfhw kserve-modelmesh maven/pombump request-cve-remediation labels Aug 7, 2025

octo-sts bot commented Aug 7, 2025

📦 Build Failed: Missing Dependency

package io.netty.handler.ssl does not exist

Build Details

Build System: Maven
Failure Point: maven-compiler-plugin:3.8.1:compile (default-compile)

Root Cause Analysis 🔍

The Netty SSL handler packages are missing from the classpath. The Java source code imports io.netty.handler.ssl.* but the corresponding Netty SSL dependencies are not available or not properly configured in the Maven project dependencies, causing compilation failures across multiple Java files that depend on SSL functionality.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: kserve-modelmesh/pombump-properties.yaml

  • modification at line 3 (properties section)
    Original:
      value: "4.1.115.Final"
    Replacement:
      value: 4.1.118.Final

Content:

Update Netty version to include SSL handler classes

Analysis

The similar fix example shows that the issue was resolved by updating the Netty version from "4.1.115.Final" to "4.1.118.Final" in the pombump-properties.yaml file. This suggests that the missing io.netty.handler.ssl package is likely due to an outdated or incompatible Netty version that doesn't include the required SSL handler classes. The fix also involved updating the epoch and reformatting the pombump configuration files, but the key change was the Netty version update.


Explanation

The suggested fix addresses the root cause by updating the Netty version to 4.1.118.Final, which includes the missing io.netty.handler.ssl package. The similar fix example demonstrates that this exact version update resolved the same compilation error. The newer Netty version contains the required SSL handler classes that the application is trying to import. The removal of quotes around the version value also follows the corrected format shown in the working example. This change should be made through the Maven pombump mechanism, which will update the underlying POM dependencies to use the correct Netty version that includes all required SSL components.


Alternative Approaches

  • Add explicit Netty SSL dependencies to the Maven POM if the version update doesn't resolve all SSL-related classes
  • Check if there are any exclusions in the current dependencies that might be removing the SSL handler classes
  • Verify that all Netty modules (netty-handler, netty-codec-http, etc.) are using consistent versions


@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Aug 7, 2025
@EyeCantCU EyeCantCU left a comment


Do not merge. Bumping Netty pulls in a new version of gRPC that is incompatible with kserve modelmesh


octo-sts bot commented Aug 7, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-v2hv-cwjf-vh29 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/kserve-modelmesh.advisories.yaml

ID:      CGA-v2hv-cwjf-vh29
Package: kserve-modelmesh
Aliases: CVE-2025-24970 GHSA-4g8c-wm8x-jfhw
Events:
  - "scan/v1" at 2025-02-11 09:34:08 UTC
  - "fixed" at 2025-02-24 19:09:02 UTC
  - "scan/v1" at 2025-08-07 00:05:17 UTC
  - "pending-upstream-fix" at 2025-08-07 02:50:38 UTC
