Conversation

octo-sts bot (Contributor) commented Sep 6, 2025

apache-pulsar/4.0.6-r1: fix GHSA-fghv-69vj-qj49

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/apache-pulsar.advisories.yaml


octo-sts bot (Contributor, author) commented Sep 6, 2025

📦 Build Failed: Missing Dependency

package io.netty.buffer does not exist

Build Details

Category        Details
Build System    Maven
Failure Point   maven-compiler-plugin:3.11.0:compile (default-compile) on project java-test-plugins

Root Cause Analysis 🔍

Missing Netty dependency packages (io.netty.buffer, io.netty.channel, io.netty.channel.socket) required for compilation. The Java source files are trying to import Netty classes but the Netty libraries are not available in the classpath, causing multiple compilation failures across LoggingBrokerInterceptor.java, EchoChannelHandler.java, and EchoProtocolHandler.java files.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: apache-pulsar/pombump-properties.yaml

  • create_file (entire file)
    Original: file does not exist

    Replacement:

    properties:
      - property: netty.version
        value: "4.1.124.Final"

Analysis

The fix example shows a pattern where Netty dependency issues are resolved by adding a pombump-properties.yaml file that explicitly sets the Netty version property (netty.version). The fix involved creating a new properties file with the Netty version set to "4.1.124.Final" and adding an additional maven/pombump step in the pipeline that applies this properties file to the buildtools/pom.xml. This ensures that Maven has the correct Netty version available during the build process.


Explanation

The fix works by explicitly setting the Netty version in Maven's property system through a pombump properties file. The current build failure occurs because the Maven build cannot resolve Netty dependencies (io.netty.buffer, io.netty.channel, etc.). By creating the pombump-properties.yaml file with the netty.version property set to "4.1.124.Final", Maven will have a concrete version to resolve for all Netty dependencies. The existing pipeline already has the maven/pombump step that applies this properties file to buildtools/pom.xml, so no changes to the main YAML are needed. This approach ensures that all Netty-related dependencies are resolved consistently with the specified version, making the required packages available in the classpath during compilation.


Alternative Approaches

  • Update the upstream Pulsar project's pom.xml files directly to include explicit Netty dependencies with proper versions
  • Add Netty packages to the build environment contents if Wolfi has packaged Netty separately
  • Use a different patch approach to modify the main pom.xml to include Netty dependencies explicitly

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
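What the suggested pombump-properties.yaml actually changes in a pom, as an added example: this is code written for this page, not pombump, melange, or anything from the Wolfi or Pulsar repositories, and it is not part of the bot's comment. It parses a constructed sample pom in which two Netty artifacts are versioned through `${netty.version}` that nothing defines, applies the same `netty.version = 4.1.124.Final` property the comment proposes, and shows the placeholder resolving for every dependency that references it. The sample pom and the `java-test-plugins` coordinates in it are made up for the illustration.

```python
"""Added illustration of what a Maven property override does to a pom.xml.

Example code written for this page, not pombump, melange or anything from the
Wolfi or Pulsar repositories. It stands in for the pombump-properties.yaml step
discussed above: pin a property under <properties> and watch the pin flow into
every dependency whose <version> is written as ${that.property}.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
ET.register_namespace("", POM_NS)  # serialise with the default xmlns, as Maven writes it

# Constructed sample pom (not a real Pulsar pom): two Netty artifacts are versioned
# through ${netty.version}, but nothing in this pom ever defines that property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>java-test-plugins</artifactId>
  <version>0.0.1</version>
  <properties>
    <maven.compiler.release>17</maven.compiler.release>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-buffer</artifactId>
      <version>${netty.version}</version>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-transport</artifactId>
      <version>${netty.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# The pombump-properties.yaml entry from the comment, already parsed into Python so
# the example needs no YAML library. Same key names as that file, same pinned value.
PROPERTIES = [{"property": "netty.version", "value": "4.1.124.Final"}]

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def apply_properties(pom_xml: str, properties: list) -> str:
    """Return the pom with each property set (created if absent) under <properties>."""
    root = ET.fromstring(pom_xml)
    props = root.find("m:properties", NS)
    if props is None:
        props = ET.SubElement(root, f"{{{POM_NS}}}properties")
    for entry in properties:
        tag = f"{{{POM_NS}}}{entry['property']}"
        # Update an existing node rather than appending a duplicate, so re-applying is safe.
        node = next((child for child in props if child.tag == tag), None)
        if node is None:
            node = ET.SubElement(props, tag)
        node.text = entry["value"]
    return ET.tostring(root, encoding="unicode")


def dependency_versions(pom_xml: str) -> dict:
    """Map groupId:artifactId to its version with ${...} expanded from <properties>.

    A placeholder with no matching property is left as written; that is the state
    the failing build above was in, so nothing here papers over it.
    """
    root = ET.fromstring(pom_xml)
    props = {child.tag.split("}", 1)[1]: (child.text or "")
             for child in root.findall("m:properties/*", NS)}
    versions = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        raw = dep.findtext("m:version", default="", namespaces=NS)
        versions[f"{group}:{artifact}"] = PLACEHOLDER.sub(
            lambda m: props.get(m.group(1), m.group(0)), raw)
    return versions


def unresolved(versions: dict) -> list:
    """Coordinates whose version still contains an unexpanded ${...}."""
    return sorted(coord for coord, v in versions.items() if PLACEHOLDER.search(v))


if __name__ == "__main__":
    before = dependency_versions(SAMPLE_POM)
    after = dependency_versions(apply_properties(SAMPLE_POM, PROPERTIES))
    print("unresolved before:", unresolved(before))
    print("unresolved after: ", unresolved(after))
    for coord, version in sorted(after.items()):
        print(f"  {coord} -> {version}")
```

Once the property is pinned, every `${netty.version}` in the pom resolves to the same string, which is the whole effect of the suggested file; it is also why the pinned value deserves a deliberate choice, since whatever is written there is the Netty that gets built and shipped.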

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Sep 6, 2025
octo-sts bot (Contributor, author) commented Sep 10, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-vqpg-qrw9-gjxv has the latest event type of "fixed": https://github.com/wolfi-dev/advisories/blob/main/apache-pulsar.advisories.yaml

ID:      CGA-vqpg-qrw9-gjxv
Package: apache-pulsar
Aliases: CVE-2025-58056 GHSA-fghv-69vj-qj49
Events:
  - "scan/v1" at 2025-09-06 07:08:58 UTC
  - "fixed" at 2025-09-10 08:04:46 UTC
