@octo-sts octo-sts bot commented Aug 7, 2025

kserve-modelmesh/0.12.0-r13: fix GHSA-4g8c-wm8x-jfhw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kserve-modelmesh.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-4g8c-wm8x-jfhw kserve-modelmesh maven/pombump request-cve-remediation labels Aug 7, 2025

octo-sts bot commented Aug 7, 2025

📦 Build Failed: Missing Dependency

package io.netty.handler.ssl does not exist

Build Details

| Category | Details |
| --- | --- |
| Build System | Maven |
| Failure Point | `mvn -B package -Dfile.encoding=UTF8 -DskipTests=true --file pom.xml` |

Root Cause Analysis 🔍

The Netty SSL handler dependency is missing from the classpath. Multiple Java source files are trying to import io.netty.handler.ssl.* packages but these are not available, causing compilation failures. This suggests that either the netty-handler dependency is not included in the Maven pom.xml, or there's a version mismatch where the SSL handler classes are not present in the included Netty version.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: kserve-modelmesh/pombump-properties.yaml

  • version_update at line 3 (netty-version property)
    Original:
      value: "4.1.115.Final"
    Replacement:
      value: 4.1.118.Final
    Content:
      Update Netty version to 4.1.118.Final to include SSL handler classes

Analysis

The similar fix shows that Netty SSL handler dependency issues were resolved by updating the Netty version from 4.1.115.Final to 4.1.118.Final through the pombump-properties.yaml file. The pattern indicates that newer Netty versions include better SSL handler support or fix missing SSL classes. The fix also involved incrementing the epoch and reformatting the pombump configuration files for consistency.


Explanation

The suggested fix updates the Netty version from 4.1.115.Final to 4.1.118.Final, which should resolve the missing io.netty.handler.ssl package issue. Netty 4.1.118.Final includes the SSL handler classes that are required by the kserve-modelmesh project. The similar fix demonstrates this exact pattern - when SSL handler classes are missing, updating to a newer Netty version that properly includes these classes resolves the compilation errors. The maven/pombump mechanism will automatically apply this version update to the project's pom.xml during the build process, ensuring the correct Netty dependencies are included in the classpath.


Alternative Approaches

  • Create a separate pombump-deps.yaml entry to explicitly add netty-handler as a dependency
  • Investigate if a different Netty module (like netty-all) needs to be included instead of individual components
  • Check if the project's Maven configuration excludes certain Netty modules that need to be explicitly included

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Aug 7, 2025

octo-sts bot commented Aug 7, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-v2hv-cwjf-vh29 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/kserve-modelmesh.advisories.yaml

ID:      CGA-v2hv-cwjf-vh29
Package: kserve-modelmesh
Aliases: CVE-2025-24970 GHSA-4g8c-wm8x-jfhw
Events:
  - "scan/v1" at 2025-02-11 09:34:08 UTC
  - "fixed" at 2025-02-24 19:09:02 UTC
  - "scan/v1" at 2025-08-07 00:05:17 UTC
  - "pending-upstream-fix" at 2025-08-07 02:50:38 UTC
