Skip to content

selenium/4.28.0-r0: cve remediation #42311

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
OddBloke merged 3 commits into from
Feb 21, 2025
Merged

selenium/4.28.0-r0: cve remediation #42311

OddBloke merged 3 commits into from
Feb 21, 2025

Conversation

@octo-sts
Copy link
Contributor

@octo-sts octo-sts bot commented Feb 11, 2025

selenium/4.28.0-r0: fix GHSA-4g8c-wm8x-jfhw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/selenium.advisories.yaml

Source code for this service: https://go/cve-remedy-automation-source

Logs for this execution: https://go/cve-remedy-automation-logs

Docs for this service: (not provided yet)

@octo-sts
Copy link
Contributor Author

octo-sts bot commented Feb 11, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

• Detected Error: "Error: failed to parse the pom file: open pom.xml: no such file or directory"

• Error Category: Build Configuration

• Failure Point: maven/pombump step in pipeline

• Root Cause Analysis:
The build is failing because it's trying to use the maven/pombump step but there's no pom.xml file in the Selenium repository. This is because Selenium uses Bazel as its build system, not Maven.

• Suggested Fix:
Remove the maven/pombump step from the pipeline since it's not needed:

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/SeleniumHQ/selenium
      tag: selenium-${{package.version}}
      expected-commit: ac342546e9e34d4ca94eceeb27cce22a4fe3b79f

  - uses: patch
    with:
      patches: ignore-root-user-error.patch

• Explanation:
Selenium switched from Maven to Bazel as its build system. The maven/pombump step is trying to modify a non-existent pom.xml file. Since the project uses Bazel for building, we don't need any Maven-related steps in the pipeline.

• Additional Notes:

  • Selenium has been using Bazel as its build system since version 4.x
  • The remaining pipeline steps using bazel build commands are correct
  • No replacement step is needed as version management is handled through the package.version variable

• References:

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Feb 11, 2025
@kbsteere kbsteere self-assigned this Feb 13, 2025
@OddBloke OddBloke force-pushed the cve-selenium-aae6647fcfc8585ec1f565eb1891bc20 branch from 42ed139 to a10ed7f Compare February 21, 2025 16:51
@OddBloke OddBloke assigned OddBloke and unassigned kbsteere Feb 21, 2025
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed labels Feb 21, 2025
@OddBloke OddBloke requested a review from a team February 21, 2025 17:03
@OddBloke OddBloke enabled auto-merge February 21, 2025 17:04
@OddBloke OddBloke merged commit 0ed6d30 into main Feb 21, 2025
15 of 16 checks passed
@OddBloke OddBloke deleted the cve-selenium-aae6647fcfc8585ec1f565eb1891bc20 branch February 21, 2025 17:17
This was referenced May 23, 2025
Merged
Closed
Closed
@octo-sts octo-sts bot mentioned this pull request May 30, 2025
Closed
This was referenced Jun 12, 2025
Merged
Closed
Closed
Closed
@octo-sts octo-sts bot mentioned this pull request Jul 1, 2025
Merged
This was referenced Jul 12, 2025
Closed
Closed
Closed
Closed
@octo-sts octo-sts bot mentioned this pull request Aug 14, 2025
Closed
This was referenced Sep 4, 2025
Closed
Closed
Closed
Closed
Closed
@octo-sts octo-sts bot mentioned this pull request Dec 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@powersj powersj powersj approved these changes

Assignees

@OddBloke OddBloke

Labels

ai/skip-comment Stop AI from commenting on PR automated pr bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. GHSA-4g8c-wm8x-jfhw manual/review-needed maven/pombump request-cve-remediation selenium/4.28.0-r0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@powersj @OddBloke @kbsteere