
Conversation

@octo-sts octo-sts bot (Contributor) commented Sep 4, 2025

kserve-modelmesh/0.12.0-r15: fix GHSA-3p8m-j85q-pgmj

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kserve-modelmesh.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-3p8m-j85q-pgmj kserve-modelmesh maven/pombump request-cve-remediation labels Sep 4, 2025
@octo-sts octo-sts bot (Contributor, Author) commented Sep 4, 2025

📦 Build Failed: Missing Dependency

/home/build/src/main/java/com/ibm/watson/modelmesh/ProtoSplicer.java:[24,39] package io.netty.handler.codec.protobuf does not exist

Build Details

Build System: Maven
Failure Point: maven-compiler-plugin:3.8.1:compile (default-compile)

Root Cause Analysis 🔍

Missing Netty codec dependencies - the required packages io.netty.handler.codec.protobuf and io.netty.handler.codec.base64 are not available in the classpath, despite Netty jars being downloaded. This suggests the specific Netty codec modules containing these packages are missing from the dependency configuration.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: kserve-modelmesh.yaml

  • addition after the line with 'uses: maven/pombump' (after the existing maven/pombump step)
    Original:
      - uses: maven/pombump

    Replacement:
      - uses: maven/pombump

      - uses: maven/pombump
        with:
          patch-file: pombump-netty.yaml

    Content:
    Add a second pombump step to apply Netty version properties

File: kserve-modelmesh/pombump-netty.yaml

  • creation (new file in kserve-modelmesh directory)
    Replacement:
      properties:
        - property: netty.version
          value: "4.1.124.Final"

    Content:
    Create new properties file to explicitly set Netty version for codec modules

Analysis

The similar fix shows a pattern where Netty dependency issues are resolved by adding a pombump operation with a properties patch file that explicitly sets the Netty version. In the example, a pombump-properties.yaml file was created to specify netty.version: "4.1.124.Final", and an additional pombump step was added to the pipeline to apply this property override to ensure the correct Netty version and modules are included in the build.


Explanation

This fix should work because the current error indicates that specific Netty codec packages (io.netty.handler.codec.protobuf) are missing from the classpath. The similar fix shows that when Netty buffer packages were missing, the solution was to explicitly set the Netty version through Maven properties using a pombump patch file. By setting netty.version to a known working version (4.1.124.Final), Maven will ensure that all Netty modules including the codec handlers are properly resolved and included in the classpath. The pombump mechanism allows us to override Maven properties without modifying the original pom.xml, which is ideal for package management in Wolfi OS.


Alternative Approaches

  • Instead of using a separate properties file, the Netty version could be set directly in the main pombump configuration, but using a separate file provides better maintainability
  • The Maven build command could be modified to explicitly include Netty codec dependencies using -D flags, but this is less maintainable than fixing the dependency resolution
  • A different Netty version could be tested if 4.1.124.Final doesn't work, but this version was successful in the similar fix

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
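The bot's suggestion relies on a properties patch overriding a Maven property so that every `${netty.version}` reference in the pom resolves to the pinned release. The script below is an added illustration of that mechanism and is not pombump's code or part of the wolfi-dev/os pipeline: it applies a pombump-style list of property overrides to a constructed sample pom.xml (not the kserve-modelmesh pom) and then reports which dependency versions change as a result. The patch entries are given in their parsed form rather than read from YAML so the example runs with the standard library only; the second property is a constructed extra entry that shows the insert path for a property the pom does not yet declare.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom.xml (assumption: a small project pinning an older Netty
# through a property, the way many real poms do). Not the kserve-modelmesh pom.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <netty.version>4.1.100.Final</netty.version>
    <protobuf.version>3.21.0</protobuf.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-codec</artifactId>
      <version>${netty.version}</version>
    </dependency>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <version>${protobuf.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Parsed form of a pombump-style properties patch. The first entry mirrors the
# page's pombump-netty.yaml; the second is a constructed extra property that
# the sample pom does not declare, to exercise the insert path.
PATCH_PROPERTIES = [
    {"property": "netty.version", "value": "4.1.124.Final"},
    {"property": "example.extra.property", "value": "true"},
]


def _tag(name: str) -> str:
    """Qualify a local element name with the Maven POM namespace."""
    return f"{{{POM_NS}}}{name}"


def apply_properties_patch(pom_xml: str, properties: list) -> tuple:
    """Set or insert each patch property under <properties>.

    Returns (patched pom text, {name: (old value or None, new value)}).
    """
    ET.register_namespace("", POM_NS)  # keep output free of ns0: prefixes
    root = ET.fromstring(pom_xml)
    props = root.find(_tag("properties"))
    if props is None:
        props = ET.SubElement(root, _tag("properties"))
    changes = {}
    for entry in properties:
        name, value = entry["property"], entry["value"]
        el = props.find(_tag(name))
        old = None
        if el is None:
            el = ET.SubElement(props, _tag(name))
        else:
            old = el.text
        el.text = value
        changes[name] = (old, value)
    return ET.tostring(root, encoding="unicode"), changes


def resolved_versions(pom_xml: str) -> dict:
    """Map artifactId -> version with ${property} placeholders resolved."""
    root = ET.fromstring(pom_xml)
    props_el = root.find(_tag("properties"))
    props = {} if props_el is None else {
        el.tag.split("}")[1]: (el.text or "") for el in props_el
    }
    out = {}
    for dep in root.iter(_tag("dependency")):
        artifact = dep.find(_tag("artifactId")).text
        version_el = dep.find(_tag("version"))
        version = "" if version_el is None else (version_el.text or "")
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)  # leave unknown refs as-is
        out[artifact] = version
    return out


def version_diff(pom_xml: str, properties: list) -> dict:
    """Dependencies whose resolved version changes once the patch is applied."""
    before = resolved_versions(pom_xml)
    after = resolved_versions(apply_properties_patch(pom_xml, properties)[0])
    return {a: (before[a], after[a]) for a in before if before[a] != after[a]}


if __name__ == "__main__":
    patched, changes = apply_properties_patch(SAMPLE_POM, PATCH_PROPERTIES)
    for name, (old, new) in changes.items():
        print(f"property {name}: {old!r} -> {new!r}")
    for artifact, (old, new) in version_diff(SAMPLE_POM, PATCH_PROPERTIES).items():
        print(f"dependency {artifact}: {old} -> {new}")
```

Running it shows netty-codec moving from 4.1.100.Final to 4.1.124.Final while protobuf-java is untouched, which is the same "override the property, not the pom" effect the bot's explanation describes. A resolver this simple only follows one level of `${...}` indirection and ignores parent poms and dependencyManagement, so treat it as a pre-build sanity check on a patch file, not a replacement for inspecting the effective pom that Maven itself produces.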

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Sep 4, 2025
@jamie-albert (Member) commented:

#65719

@dnegreira dnegreira closed this Sep 10, 2025
@dnegreira dnegreira deleted the cve-kserve-modelmesh-0.12.0-r15-efe4e7b6711536ffd39e102d336e4e69 branch September 10, 2025 08:18