@octo-sts octo-sts bot commented Sep 4, 2025

celeborn-0.5/0.5.4-r6: fix GHSA-3p8m-j85q-pgmj

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/celeborn-0.5.advisories.yaml


"Breadcrumbs" for this automated service


octo-sts bot commented Sep 4, 2025

📦 Build Failed: Missing Dependency

package io.netty.handler.codec does not exist

Build Details

  • Build System: Maven
  • Failure Point: Java compilation during scala-maven-plugin:4.9.2:compile (scala-compile-first) goal execution

Root Cause Analysis 🔍

The Netty codec dependency is missing from the classpath. Multiple Java source files are trying to import the io.netty.handler.codec package, which cannot be found, causing compilation failures. This suggests that the netty-codec dependency is not properly included in the Maven dependencies, or that the version being used doesn't contain the required codec classes.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: celeborn-0.5/pombump-properties.yaml

  • file_creation
    Replacement:

        properties:
          - property: netty.version
            value: "4.1.124.Final"

    Content: Create a new pombump-properties.yaml file to specify the Netty version property

File: celeborn-0.5.yaml

  • pipeline_step_addition (After the existing maven/pombump step)
    Original:

        - uses: maven/pombump

    Replacement:

        - uses: maven/pombump

        - uses: maven/pombump
          with:
            patch-file: pombump-properties.yaml

Analysis

Both similar fixes addressed Netty dependency issues by updating the netty.version property in Maven POM files. Fix #0 added a new pombump-properties.yaml file to set netty.version to "4.1.124.Final" for apache-pulsar, while Fix #1 updated an existing pombump-properties.yaml file to change netty-version from "4.1.115.Final" to "4.1.118.Final" for kserve-modelmesh. The pattern shows that Netty dependency issues are typically resolved by ensuring the correct Netty version is specified in Maven properties, which makes all Netty modules (including codec, buffer, ssl, etc.) available at the specified version.


Explanation

The current build failure is caused by the missing io.netty.handler.codec package during compilation. Based on the similar fixes, this is a classic Netty dependency versioning issue. The celeborn project likely has Netty dependencies declared in its POM files, but without a specific version property set, Maven may be resolving to an incompatible or incomplete version of Netty libraries. By creating a pombump-properties.yaml file that sets the netty.version property to a known stable version (4.1.124.Final, which was successfully used in the apache-pulsar fix), we ensure that all Netty modules including the codec handlers are available at a consistent version. The additional maven/pombump step in the pipeline will apply this version property during the build process, making the io.netty.handler.codec package available to the compilation phase.


Alternative Approaches

  • Use a different Netty version like 4.1.118.Final (as used in the kserve-modelmesh fix) if 4.1.124.Final proves incompatible
  • Add explicit Netty dependencies to a pombump-deps.yaml file instead of just setting the version property
  • Check if the celeborn project uses a different property name for Netty version (like 'netty-version' instead of 'netty.version') and adjust accordingly

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
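
As an added illustration, not code from this page, from pombump or from the celeborn package: a small Python model of what the suggested pombump-properties.yaml override does to a POM, and of how a reviewer can check that a `${netty.version}` placeholder actually resolves afterwards. It assumes a constructed pom.xml in which netty-codec is versioned through a property the POM never defines, and a Python list standing in for the parsed YAML.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = "{" + POM_NS + "}"  # prefix for namespace-qualified element names
ET.register_namespace("", POM_NS)  # serialize POM elements without a prefix

# Constructed sample POM (hypothetical, not celeborn's): netty-codec is
# versioned through a property the POM never defines.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <scala.version>2.12.18</scala.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-codec</artifactId>
      <version>${netty.version}</version>
    </dependency>
  </dependencies>
</project>"""

# Python form of the pombump-properties.yaml suggested in the comment above.
PROPERTY_OVERRIDES = [{"property": "netty.version", "value": "4.1.124.Final"}]

def apply_property_overrides(pom_xml, overrides):
    """Set or replace <properties> entries, as a properties patch does."""
    root = ET.fromstring(pom_xml)
    props = root.find(NS + "properties")
    if props is None:
        props = ET.SubElement(root, NS + "properties")
    for item in overrides:
        el = props.find(NS + item["property"])
        if el is None:
            el = ET.SubElement(props, NS + item["property"])
        el.text = item["value"]
    return ET.tostring(root, encoding="unicode")

def resolve_dependency_versions(pom_xml):
    """Map groupId:artifactId to version with ${prop} expanded (unknown props left as-is)."""
    root = ET.fromstring(pom_xml)
    props = root.find(NS + "properties")
    values = {} if props is None else {p.tag[len(NS):]: p.text or "" for p in props}
    resolved = {}
    for dep in root.iter(NS + "dependency"):
        coord = f"{dep.findtext(NS + 'groupId')}:{dep.findtext(NS + 'artifactId')}"
        version = dep.findtext(NS + "version") or ""
        resolved[coord] = re.sub(r"\$\{([\w.-]+)\}",
                                 lambda m: values.get(m.group(1), m.group(0)), version)
    return resolved
```

Any coordinate whose version still contains `${...}` after the override is a property the patch did not supply (the 'netty-version' versus 'netty.version' naming mismatch mentioned under alternative approaches would show up exactly this way).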

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Sep 4, 2025
@jamie-albert (Member):

#65719

@dnegreira dnegreira closed this Sep 10, 2025