Conversation

@octo-sts octo-sts bot commented Jun 18, 2025

sonarqube/25.6.0.109173-r0: fix GHSA-4g8c-wm8x-jfhw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/sonarqube.advisories.yaml


"Breadcrumbs" for this automated service

octo-sts bot commented Jun 18, 2025

⚙️ Build Failed: Configuration

Error: failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Build System: Maven/Java
Failure Point: pombump pom.xml step in the build pipeline

Root Cause Analysis 🔍

The build process was attempting to use the 'pombump' tool to modify the Maven pom.xml file, but the file could not be found at the expected location. This indicates that either the source code structure doesn't match what the build pipeline expected, or the repository doesn't use Maven as assumed by the build configuration.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: sonarqube.yaml

  • Remove at line 45 (pipeline section). Original line:
    - uses: maven/pombump

Analysis

The pattern observed in similar fixed build failures shows that the error "failed to parse the pom file: open pom.xml: no such file or directory" typically occurs when the build system configuration assumes a Maven project structure (with a pom.xml file) but the actual project uses a different build system. In the similar fixes:

  1. The first example (cassandra-5.0) fixed the issue by specifying the exact path to a pom.xml file by adding a path parameter to the maven/pombump step.
  2. The second example (selenium) had a fundamentally different build system (Bazel instead of Maven), and the fix involved adding a patch file to handle dependency versioning rather than using pombump.

Looking at the current sonarqube build failure, the issue is similar - the maven/pombump step is failing because it can't find a pom.xml file, but SonarQube uses Gradle as its build system, not Maven.

Explanation

The build failure is occurring because the Melange YAML file for SonarQube is attempting to use the maven/pombump step, but SonarQube uses Gradle as its build system, not Maven. This is evident from the build step later in the pipeline that uses ./gradlew build.

Removing the maven/pombump step from the pipeline should resolve the error since:

  1. The project doesn't use Maven - it uses Gradle (evidenced by the ./gradlew build command in the build step)
  2. There is no pom.xml file in the repository, which is why the error is occurring
  3. The pombump step isn't actually necessary for building this package since the versioning is already handled by the Gradle build with the -DbuildNumber=${{vars.build-number}} parameter

This approach is similar to what was done in the selenium example, where the inappropriate Maven tooling was removed in favor of a build system that matches what the project actually uses.

Alternative Approaches

  • If there are dependency version constraints that need to be managed, consider creating a patch file that updates the versions in the appropriate Gradle build files instead of using pombump
  • If Maven is needed for some specific dependencies, you could add a custom step to generate a minimal pom.xml file before the pombump step
  • If certain Java dependencies need version bumping for security reasons, you could use the patch step to apply those changes directly to the build.gradle files

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
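As an added illustration (not the actual sonarqube.yaml from wolfi-dev/os, and not written by the bot), the Melange pipeline fragment below places the failing maven/pombump step beside the corrected Gradle-only pipeline and the patch-based alternative the bot mentions. The package version is from the PR title; the repository URL, commit, patch filename and the exact gradlew invocation are assumptions.

```yaml
# Constructed example of the proposed fix; values marked as placeholders
# are not from the real sonarqube.yaml.
package:
  name: sonarqube
  version: 25.6.0.109173
  epoch: 0

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/<upstream-org>/sonarqube   # placeholder
      tag: ${{package.version}}
      expected-commit: <commit-sha>                                 # placeholder

  # BEFORE (fails): maven/pombump opens ./pom.xml in the checkout and
  # aborts with "failed to parse the pom file: open pom.xml: no such file
  # or directory" because SonarQube is a Gradle project with no pom.xml.
  # - uses: maven/pombump

  # Optional, only if dependency versions must be bumped for a security
  # fix: apply the change to the Gradle build files with the patch step
  # instead of Maven tooling (patch filename is a placeholder).
  # - uses: patch
  #   with:
  #     patches: bump-gradle-deps.patch

  # AFTER: the Maven step is gone; the build number that pombump would
  # have injected is already handed to Gradle here (invocation assumed
  # from the bot's description of the build step).
  - runs: |
      ./gradlew build -DbuildNumber=${{vars.build-number}}
```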

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jun 18, 2025
octo-sts bot commented Jun 19, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-rmgj-x5xj-3c37 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/sonarqube.advisories.yaml

ID:      CGA-rmgj-x5xj-3c37
Package: sonarqube
Aliases: CVE-2025-24970 GHSA-4g8c-wm8x-jfhw
Events:
  - "scan/v1" at 2025-03-06 04:30:17 UTC
  - "pending-upstream-fix" at 2025-06-19 06:05:06 UTC
