apache-pulsar/4.0.6-r1: cve remediation

[octo-sts]

apache-pulsar/4.0.6-r1: fix GHSA-3p8m-j85q-pgmj

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/apache-pulsar.advisories.yaml

---

"Breadcrumbs" for this automated service

• Source Code: https://go/cve-remedy-automation-source
• Logs: https://go/cve-remedy-automation-logs
• Docs: (not provided yet)

[octo-sts]

📦 Build Failed: Missing Dependency

package io.netty.buffer does not exist

Build Details

Category	Details
Build System	Maven
Failure Point	maven-compiler-plugin:3.11.0:compile (default-compile) on project java-test-plugins

Root Cause Analysis 🔍

The Netty dependency is missing from the classpath. Multiple Java source files are trying to import Netty packages (io.netty.buffer, io.netty.channel, io.netty.channel.socket) but these packages are not available, causing compilation failures. This indicates that the Netty library dependency is either missing from the pom.xml file or not properly resolved during the Maven build process.

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

[stevebeattie]

The vendored statically linked netty-tcnative windows dll v2.0.73 has started being flagged by malcontent as matching the NitrogenLoader Config Extraction malware; both virustotal and Hybrid Analyze also flag this DLL, for unknown reasons. The v2.0.72 version does not get flagged. See the upstream report at netty/netty-tcnative#938 .

This should be safe for linux image consumers as the windows dll should not be used (so marking this as reviewed), but it also raises the question as to whether or not (a) the packaging can be adjusted to not include statically linked windows DLLs and (b) statically linked SSL libraries could possibly cause problems for FIPs version of packaging.