Conversation

@octo-sts octo-sts bot commented May 29, 2025

sonarqube-10/25.5.0.107428-r1: fix GHSA-wxr5-93ph-8wr9

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/sonarqube-10.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-wxr5-93ph-8wr9 maven/pombump request-cve-remediation sonarqube-10 labels May 29, 2025
@jamie-albert jamie-albert self-assigned this May 29, 2025
octo-sts bot commented May 29, 2025

⚙️ Build Failed: Configuration

Error: failed to parse the pom file: open pom.xml: no such file or directory

Build Details

| Category | Details |
|---|---|
| Build System | maven/pombump |
| Failure Point | pombump [flags] |

Root Cause Analysis 🔍

The build process was trying to use the 'pombump' tool to modify the pom.xml file, but the file does not exist in the expected location. This indicates a configuration issue where the build script is attempting to modify a Maven project file that is not present in the SonarQube repository, which may be using Gradle instead of Maven as its build system.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: sonarqube-10.yaml

  • replace at line 48-49 (pipeline section - maven/pombump uses block)

    Original:

    ```yaml
      - uses: maven/pombump
    ```

    Replacement:

    ```yaml
      - uses: maven/pombump
        with:
          pom: ./pom.xml
          patch-file: pombump-deps.yaml
    ```

    Content: Replace the simple maven/pombump directive with a configured version that specifies the pom file location and a patch file.

File: sonarqube-10/pombump-deps.yaml

  • add at line 1-7 (new file)

    Replacement:

    ```yaml
    patches:
      # Add specific dependency version overrides here
      # For example:
      # - groupId: org.example
      #   artifactId: example-library
      #   version: 1.2.3
    ```

    Content: Create a new pombump-deps.yaml file to specify dependency versions that need to be updated.

File: sonarqube-10.yaml

  • replace at line 48-49 (pipeline section - alternative approach to remove maven/pombump)

    Original:

    ```yaml
      - uses: maven/pombump
    ```

    Replacement:

    ```yaml
      # SonarQube uses Gradle, not Maven, so pombump is not needed
    ```

    Content: Alternative approach: completely remove the maven/pombump step since SonarQube uses Gradle.
Analysis

The build failure in both cases relates to the maven/pombump tool not being able to find a pom.xml file. In the fixed example (cassandra-5.0.yaml), the issue was addressed by:

  1. Explicitly specifying the location of the pom file using the pom parameter
  2. Adding a patch-file parameter to point to a separate YAML file containing dependency updates
  3. This approach was necessary because Cassandra uses Ant rather than Maven for its build system, similar to how the current SonarQube build uses Gradle instead of Maven.

The core pattern is that when a project doesn't use Maven as its primary build system (using Ant or Gradle instead), the pombump tool needs explicit configuration to locate the pom file or should be removed if not needed.

Explanation

The build is failing because SonarQube uses Gradle as its build system, not Maven. This is evident from the build command in the YAML file: ./gradlew build -x test -DbuildNumber=${{vars.build-number}}.

The maven/pombump tool is designed to work with Maven projects that have a pom.xml file, but since SonarQube is a Gradle project, there is no pom.xml in the expected location, causing the error: "Error: failed to parse the pom file: open pom.xml: no such file or directory".

The suggested changes offer two approaches:

  1. Configure the maven/pombump tool with explicit parameters to locate a pom.xml file and provide a patch-file. This approach mirrors what was done in the Cassandra case, where a specific pom file was specified along with a dedicated patch file. If SonarQube has a pom.xml somewhere in its repository (perhaps for a specific component), this approach would work.

  2. Remove the maven/pombump step entirely. Since SonarQube uses Gradle, it's likely that the pombump tool isn't necessary for this build. The Gradle build system can manage dependencies without needing to modify a pom.xml file.

The root cause of the failure is a mismatch between the build configuration (trying to use Maven tools) and the actual project structure (using Gradle). Either specifying the correct pom file location or removing the unnecessary Maven tool should resolve the issue.

Alternative Approaches

  • If SonarQube does use Maven for some components, locate the correct pom.xml file path in the repository and update the 'pom' parameter accordingly.
  • Check if there's a Gradle equivalent to pombump that could be used instead to manage dependency versions in the Gradle build files.
  • If dependency version management is necessary, consider using a direct patch to the build.gradle files instead of trying to use Maven tools.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label May 29, 2025
octo-sts bot commented May 30, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-m45m-v2vx-mjqx has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/sonarqube-10.advisories.yaml

ID:      CGA-m45m-v2vx-mjqx
Package: sonarqube-10
Aliases: CVE-2025-48734 GHSA-wxr5-93ph-8wr9
Events:
  - "scan/v1" at 2025-05-29 09:41:49 UTC
  - "pending-upstream-fix" at 2025-05-30 00:15:34 UTC
