
Conversation

@octo-sts octo-sts bot commented May 24, 2025

gradle-8/8.14.1-r0: fix GHSA-vrpq-qp53-qv56

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/gradle-8.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-vrpq-qp53-qv56 gradle-8 maven/pombump request-cve-remediation labels May 24, 2025

octo-sts bot commented May 24, 2025

⚙️ Build Failed: Configuration

Error: failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Category        Details
Build System    melange
Failure Point   maven/pombump step

Root Cause Analysis 🔍

The build is attempting to use the 'pombump' tool to modify a Maven POM file, but no pom.xml file exists in the repository. This is likely a configuration error in the build pipeline as Gradle projects don't typically use Maven POM files. The build configuration is incorrectly including a Maven-specific step for a Gradle project.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: gradle-8.yaml

  • remove at lines 36-37 (pipeline section)
    Original:
  - uses: maven/pombump

Analysis

The build failure pattern across examples shows that the Maven pombump step fails when it can't find a pom.xml file, which happens when the build system is trying to use Maven tooling on projects that don't use Maven as their build system. In the provided examples:

  1. Cassandra used Ant, not Maven, so the fix was to either point to a specific POM file or remove the Maven step.
  2. Selenium used Bazel, not Maven, so the fix was to remove the Maven step and use patches for dependency management.

In the current case, Gradle is being built, which uses its own build system (Gradle), not Maven. The error occurs because the pipeline is attempting to use the Maven pombump tool on a project that doesn't use Maven POM files for dependency management.


Explanation

The fix removes the maven/pombump step from the Gradle build pipeline because Gradle doesn't use Maven POM files for its dependency management.

Gradle uses its own build system with build.gradle files instead of Maven's pom.xml files. The pombump tool is designed to modify Maven POM files to update dependencies, but since Gradle doesn't use POM files, this step is causing the build to fail with the error "no such file or directory" when it tries to locate pom.xml.

Looking at both similar fixed build failures, the solution was to either remove the Maven step entirely (as in the Selenium case) or to point it to a specific POM file location where one exists (as in the Cassandra case). Since Gradle is a pure Gradle project with no Maven POM files, removing the step entirely is the appropriate solution.

The build should proceed successfully after this change because:

  1. The unnecessary Maven step that's failing will be skipped
  2. The rest of the build process will continue with the proper Gradle build commands
  3. The dependencies are already being managed through Gradle's own mechanism via the gradlew command

Alternative Approaches

  • If there are dependencies that need to be patched, they should be handled through the existing patch system as shown in the Selenium example, where they used patch files to update dependencies instead of pombump
  • If Maven dependency management is absolutely necessary for some reason, create a minimal pom.xml file in the repository and point the pombump step to it with the 'pom' parameter, similar to what was done in the Cassandra example


@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label May 24, 2025
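A pre-flight check for the misconfiguration the bot diagnosed above, written as an added example: it is not code from this PR, from wolfi-dev or from the melange/pombump tooling. It assumes only what the thread shows, namely that a `- uses: maven/pombump` step opens pom.xml unless a `pom` parameter points elsewhere, that the step fails when that file is absent, and that dropping the step is the fix. The gradle-8.yaml stand-in and the file listing are constructed, and the function names (parse_pipeline_steps, check_pombump_steps, drop_steps) are chosen here.

```python
"""Pre-flight check and fix for a melange pipeline that uses maven/pombump.

Added example; not code from the wolfi-dev PR, melange or pombump.
Assumptions taken from the thread: maven/pombump reads pom.xml by default,
fails with "open pom.xml: no such file or directory" when it is missing,
and accepts a `pom` parameter naming another POM.  The YAML walk is a small
line-based scan of the top-level `pipeline:` list (no PyYAML needed); the
config text and the file listing below are constructed.
"""
import re
from typing import Dict, List, Set

STEP_RE = re.compile(r"^\s*-\s+(uses|runs):\s*(.*?)\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z_][\w-]*):\s*(.*?)\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def parse_pipeline_steps(yaml_text: str) -> List[Dict[str, object]]:
    """Collect {'uses': name-or-None, 'line': n, 'with': {...}} for each
    top-level pipeline step.  Only `- uses:` / `- runs:` items and their
    `with:` mappings are understood, which is all this check needs."""
    steps: List[Dict[str, object]] = []
    in_pipeline, pipeline_indent, in_with, with_indent = False, -1, False, -1
    current = None
    for lineno, raw in enumerate(yaml_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = _indent(raw)
        if not in_pipeline:
            if raw.strip() == "pipeline:":
                in_pipeline, pipeline_indent = True, indent
            continue
        if indent <= pipeline_indent:  # next top-level key: the list is over
            break
        m = STEP_RE.match(raw)
        if m:
            current = {"uses": m.group(2) if m.group(1) == "uses" else None,
                       "line": lineno, "with": {}}
            steps.append(current)
            in_with = False
            continue
        kv = KV_RE.match(raw)
        if current is None or not kv:
            continue
        key, val = kv.group(1), kv.group(2)
        if key == "with" and val == "":
            in_with, with_indent = True, indent
        elif in_with and indent > with_indent:
            current["with"][key] = val.strip("'\"")
        else:
            in_with = False
    return steps


def check_pombump_steps(yaml_text: str, source_files: Set[str]) -> List[str]:
    """One finding per maven/pombump step whose target POM is not in the
    checked-out source tree, i.e. the failure seen in this thread."""
    findings = []
    for step in parse_pipeline_steps(yaml_text):
        if step["uses"] != "maven/pombump":
            continue
        pom = step["with"].get("pom", "pom.xml")  # default target (assumed)
        if pom not in source_files:
            findings.append(
                f"line {step['line']}: maven/pombump would open {pom!r}, which "
                f"the source tree does not contain; drop the step or set `pom`"
            )
    return findings


def drop_steps(yaml_text: str, uses_name: str) -> str:
    """Return the config with every `- uses: <uses_name>` item and the lines
    indented under it removed: the fix suggested for gradle-8.yaml."""
    out, skipping, step_indent = [], False, -1
    for raw in yaml_text.splitlines(keepends=True):
        if skipping:
            if raw.strip() and _indent(raw) <= step_indent:
                skipping = False
            else:
                continue
        m = STEP_RE.match(raw)
        if m and m.group(1) == "uses" and m.group(2) == uses_name:
            skipping, step_indent = True, _indent(raw)
            continue
        out.append(raw)
    return "".join(out)


# Constructed stand-in for gradle-8.yaml, not the real file from wolfi-dev.
BROKEN_CONFIG = """\
package:
  name: gradle-8
  version: 8.14.1
  epoch: 0

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/gradle/gradle
      tag: v${{package.version}}
  - uses: maven/pombump
  - runs: |
      ./gradlew build
"""

# Constructed listing of the checked-out tree: a Gradle project, no pom.xml.
GRADLE_TREE = {"build.gradle.kts", "settings.gradle.kts", "gradlew"}

if __name__ == "__main__":
    for finding in check_pombump_steps(BROKEN_CONFIG, GRADLE_TREE):
        print("FAIL", finding)
    fixed = drop_steps(BROKEN_CONFIG, "maven/pombump")
    print("after fix:", check_pombump_steps(fixed, GRADLE_TREE) or "clean")
```

To use it against a real package, read the melange YAML into `check_pombump_steps` and pass the set of relative paths from the checked-out source (for example from `git ls-files`). The scanner only understands the flat `- uses:` / `with:` shape of a top-level pipeline, so nested pipelines under `subpackages:` are not inspected; that is deliberate, since a full YAML parser would be the better tool once the check grows beyond this one failure mode.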
@kbsteere kbsteere self-assigned this May 27, 2025
@kbsteere kbsteere (Member) commented:

Duplicate of this PR, closing: #54136

@kbsteere kbsteere closed this May 27, 2025
