Conversation

@octo-sts octo-sts bot commented Jun 18, 2025

sonarqube/25.6.0.109173-r0: fix GHSA-389x-839f-4rhx

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/sonarqube.advisories.yaml


octo-sts bot commented Jun 18, 2025

⚙️ Build Failed: Configuration

Error: failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Category        Details
Build System    Maven
Failure Point   maven/pombump step

Root Cause Analysis 🔍

The build process couldn't find the expected pom.xml file which is required for Maven builds. This indicates either the file is missing from the repository at the specified tag (25.6.0.109173), or it's located in a different directory than expected.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: sonarqube.yaml

  • replace at line pipeline section (maven/pombump step)

    Original:

      - uses: maven/pombump

    Replacement:

      - uses: maven/pombump
        with:
          optional: true

    Content:

      Make the maven/pombump step optional since SonarQube uses Gradle

Analysis

The error "failed to parse the pom file: open pom.xml: no such file or directory" indicates that the Maven pombump step is failing because it cannot find a pom.xml file in the expected location. The SonarQube project appears to use Gradle for its build system, not Maven, similar to the Cassandra example where Ant was used instead of Maven.

In the similar fixed example, the solution was to:

  1. Specify a custom path to a pom.xml file
  2. Create a separate YAML file for dependency patches
  3. Configure the maven/pombump step with the appropriate parameters

This pattern suggests that for projects not primarily using Maven (but using Gradle, Ant, etc.), we need to either point to an existing pom.xml file elsewhere in the project structure or skip the maven/pombump step entirely if it's not needed.


Explanation

The suggested change makes the maven/pombump step optional, which will allow the build to continue even if no pom.xml file is found. This approach is appropriate because SonarQube is primarily built with Gradle, as indicated by the ./gradlew build command in the build step.

The error occurs because the build process is looking for a Maven pom.xml file that doesn't exist in the expected location, but it's not actually needed for this Gradle-based project. By marking the step as optional, we allow the pipeline to gracefully handle the absence of a pom.xml file without failing.

The root cause is similar to the Cassandra example where the project used a different build system (Ant) instead of Maven. In both cases, the solution is to adjust the maven/pombump step to account for the fact that the primary build system is not Maven.


Alternative Approaches

  • Add a specific path to an existing pom.xml if one exists somewhere in the SonarQube repository structure by using 'pom: path/to/pom.xml' parameter
  • Create a minimal pom.xml template file in the package directory and reference it with 'pom: ./path-to-template.xml'
  • Remove the maven/pombump step entirely if it's not needed for the build process
  • Examine the SonarQube repository to see if there are any Maven modules that could be referenced


@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jun 18, 2025
octo-sts bot commented Jun 19, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-v6r9-fr9j-c8hr has the latest event type of "false-positive-determination": https://github.com/wolfi-dev/advisories/blob/main/sonarqube.advisories.yaml

ID:      CGA-v6r9-fr9j-c8hr
Package: sonarqube
Aliases: CVE-2025-25193 GHSA-389x-839f-4rhx
Events:
  - "scan/v1" at 2025-03-06 04:30:13 UTC
  - "false-positive-determination" at 2025-06-19 06:05:06 UTC
