
Conversation

octo-sts bot (Contributor) commented Feb 17, 2025

wildfly/35.0.1-r0: fix GHSA-389x-839f-4rhx

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/wildfly.advisories.yaml

Source code for this service: https://go/cve-remedy-automation-source

Logs for this execution: https://go/cve-remedy-automation-logs

Docs for this service: (not provided yet)

octo-sts bot (Contributor, Author) commented Feb 17, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

Based on the build error output, I'll analyze and provide a solution:

• Detected Error:

[WARNING] The POM for io.netty:netty-common:jar:4.1.118 is missing, no dependency information available

• Error Category: Dependency

• Failure Point: Maven dependency resolution during build process

• Root Cause Analysis:
The build is failing because it's trying to use netty-common version 4.1.118 which appears to be invalid or unavailable in the configured repositories. This appears to be a transitive dependency through the netty components.

• Suggested Fix:
Add explicit dependency management to force netty-common to use the same version as other netty components (4.1.116.Final):

environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - curl
      - maven
      - openjdk-17
      - openjdk-21

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/wildfly/wildfly
      tag: ${{package.version}}.Final
      expected-commit: 1ffef94b7a7ababb767b0dd20f7c0d754388ad12

  - uses: maven/pombump
    with:
      pomFile: pom.xml
      dependencies:
        - groupId: io.netty
          artifactId: netty-common
          version: 4.1.116.Final

• Explanation:
This fix enforces consistent netty component versions across the build. The version 4.1.116.Final is already being used by other netty components in the build, so enforcing this version for netty-common should resolve the dependency conflict.

• Additional Notes:

  • All other netty components are using 4.1.116.Final
  • The version 4.1.118 seems to be an incorrect reference
  • This is a common issue when dealing with transitive dependencies in large projects

• References:
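The bot's suggestion above boils down to two checks a reviewer can automate: spot the Maven coordinate that a "POM is missing" warning complains about, and confirm that it is the odd one out among the artifacts of the same groupId before pinning it. The script below is an added example, not code from the PR or from the wolfi-dev tooling; the log excerpt is constructed (modelled on the warning quoted in the comment and on `mvn dependency:tree` output), and the "dominant version of the group" heuristic and the `pombump_dependencies` renderer are this example's own choices. It generalizes the comment's single case to any groupId in the log. Pinning only restores version consistency; whether the chosen version is the one that addresses the advisory still has to be checked against the advisory data linked in the PR description.

```python
import re
from collections import Counter, defaultdict

# Maven coordinate as it appears both in "The POM for ... is missing" warnings
# and in dependency:tree output: groupId:artifactId:type:version[:scope].
COORD_RE = re.compile(
    r"(?P<group>[A-Za-z0-9_.\-]+):(?P<artifact>[A-Za-z0-9_.\-]+)"
    r":(?P<type>[a-z\-]+):(?P<version>[A-Za-z0-9_.\-]+)"
)

# Constructed sample log. The WARNING line mirrors the one quoted in the PR;
# the tree lines are made up to show the other netty artifacts at 4.1.116.Final.
BUILD_LOG = """\
[INFO] +- io.netty:netty-handler:jar:4.1.116.Final:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.116.Final:compile
[INFO] |  \\- io.netty:netty-transport:jar:4.1.116.Final:compile
[WARNING] The POM for io.netty:netty-common:jar:4.1.118 is missing, no dependency information available
[INFO] +- org.jboss.logging:jboss-logging:jar:3.6.0.Final:compile
"""


def extract_coordinates(log_text):
    """Return (groupId, artifactId, version) for every Maven coordinate in the log."""
    return [
        (m["group"], m["artifact"], m["version"])
        for line in log_text.splitlines()
        for m in COORD_RE.finditer(line)
    ]


def find_version_skew(coords):
    """For each groupId resolved at more than one version, return the version
    most of its artifacts use and the artifacts that disagree with it.

    Heuristic (this example's own): the majority version is treated as the
    intended one, matching the bot's reasoning that 4.1.118 is the outlier.
    """
    by_group = defaultdict(dict)
    for group, artifact, version in coords:
        by_group[group][artifact] = version

    skew = {}
    for group, artifacts in by_group.items():
        versions = Counter(artifacts.values())
        if len(versions) < 2:
            continue  # every artifact of this group agrees; nothing to pin
        dominant, _ = versions.most_common(1)[0]
        outliers = {a: v for a, v in artifacts.items() if v != dominant}
        skew[group] = (dominant, outliers)
    return skew


def pombump_dependencies(skew):
    """Render the `dependencies:` list for a maven/pombump step (melange YAML,
    in the shape the bot's suggestion uses), pinning each outlier artifact to
    the dominant version of its group."""
    lines = ["dependencies:"]
    for group, (dominant, outliers) in sorted(skew.items()):
        for artifact in sorted(outliers):
            lines += [
                f"  - groupId: {group}",
                f"    artifactId: {artifact}",
                f"    version: {dominant}",
            ]
    return "\n".join(lines)


if __name__ == "__main__":
    skew = find_version_skew(extract_coordinates(BUILD_LOG))
    for group, (dominant, outliers) in skew.items():
        print(f"{group}: dominant {dominant}, outliers {outliers}")
    print(pombump_dependencies(skew))
```

Run against the constructed log, the only skewed group is `io.netty`, with `netty-common` at 4.1.118 against three siblings at 4.1.116.Final, and the rendered pombump entry matches the one in the bot's suggested fix. On a real build, feed it the full `mvn -X` or `dependency:tree` output so the majority count reflects every artifact in the group rather than the handful that happen to appear near the warning.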

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Feb 17, 2025
@hbh7 hbh7 self-assigned this Feb 18, 2025
@octo-sts octo-sts bot added the bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. label Feb 18, 2025
hbh7 (Contributor) commented Feb 20, 2025

Epoch is so high due to several failed remediation attempts, a withdrawal (54cc832) and re-add, and maybe a third thing I'm forgetting. This'll ensure it's actually the latest used build.

jamonation (Member) left a comment

Thanks for digging into this @hbh7 - totally my fault, I led @tip226 astray with all the withdraws etc. and didn't realize there was work in progress for untriaged CVEs. Appreciate your help!

@jamonation jamonation merged commit 71310ae into main Feb 20, 2025
15 checks passed
@jamonation jamonation deleted the cve-wildfly-3b8a61085264a168f52c9715e3f4438f branch February 20, 2025 19:16
hbh7 (Contributor) commented Feb 20, 2025

Happy to help out and get to the bottom of everything, great teaching moment too haha :)
