@octo-sts (octo-sts bot, Contributor) commented Jun 18, 2025

sonarqube/25.6.0.109173-r0: fix GHSA-wxr5-93ph-8wr9

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/sonarqube.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts (octo-sts bot, Contributor, Author) commented Jun 18, 2025

⚙️ Build Failed: Configuration

Error: failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Category        Details
Build System    Maven
Failure Point   pombump pom.xml command in maven/pombump step

Root Cause Analysis 🔍

The build process expected to find a pom.xml file in the repository root directory, but the file was not found. This indicates a configuration mismatch - either the wrong directory is being used, the repository structure is different than expected, or the repository doesn't use Maven as its build system.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: sonarqube.yaml

  • remove at line 44 (pipeline section)
    Original:
  - uses: maven/pombump

Analysis

The pattern in similar fixed build failures shows that the error "failed to parse the pom file: open pom.xml: no such file or directory" occurs when the maven/pombump step is used on projects that either:

  1. Don't use Maven as their build system (using Ant, Bazel, or in this case, Gradle)
  2. Have pom.xml files located in non-standard locations

In both previous examples, the fix involved either:

  • Specifying the correct path to the pom.xml file (Fix Example #0 for Cassandra)
  • Adding a patch file that manually updates dependencies without relying on pombump (Fix Example #1 for Selenium)

Looking at the sonarqube.yaml file, it's using Gradle for building ("./gradlew build") but still includes the maven/pombump step without specifying a pom.xml location.


Explanation

The build is failing because the maven/pombump step is trying to find a pom.xml file in the root directory of the SonarQube repository, but SonarQube uses Gradle as its build system, not Maven. This is evident from the build command in the pipeline that uses Gradle: "./gradlew build -x test -DbuildNumber=${{vars.build-number}}".

While SonarQube might have some Maven pom.xml files in subdirectories for certain components, it's primarily a Gradle-based project, and the maven/pombump step is unnecessary for the build process. The step is attempting to parse and potentially modify Maven dependencies, but since the project doesn't have a pom.xml in the root directory where pombump is looking, the build fails.

Removing the maven/pombump step entirely will allow the build to proceed directly to the patching and Gradle build steps, which is the correct approach for this Gradle-based project. The Gradle build system will handle dependency management on its own without needing the Maven-specific pombump step.


Alternative Approaches

  • If there are specific dependency updates needed, we could locate the pom.xml files within the project (if they exist in subdirectories) and specify the correct path in the maven/pombump step, similar to the Cassandra fix:
        - uses: maven/pombump
          with:
            pom: ./path/to/pom.xml
  • Create a dependency patch file and use it with the patch step instead of using maven/pombump, similar to the Selenium fix where they created a 'bump-netty.patch' file to update dependencies
  • If dependency updates are needed for security reasons, modify the Gradle build files directly with a patch to update specific dependencies

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
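The mismatch the analysis above describes (a Maven-only step run against a Gradle tree) is easy to catch before the build starts. The following preflight check is an added example written for this page; it is not code from this PR, from octo-sts, or from wolfi-dev/melange, and the helper names (`detect_build_system`, `pombump_preflight`, `make_sample_trees`) are hypothetical. It assumes only a POSIX shell and `mktemp`; the sample project trees it builds are constructed stand-ins for a Gradle project such as sonarqube and for a Maven project whose pom.xml lives in a subdirectory.

```shell
#!/bin/sh
# Added example, not from the PR or from wolfi-dev/melange: a preflight check
# that reproduces the failure analysed above before pombump is invoked.

detect_build_system() {
  # Prints "maven", "gradle" or "unknown" for the source tree in $1,
  # based on the marker files each build system leaves at the root.
  dir=$1
  if [ -f "$dir/pom.xml" ]; then
    echo maven
  elif [ -f "$dir/gradlew" ] || [ -f "$dir/build.gradle" ] || [ -f "$dir/build.gradle.kts" ]; then
    echo gradle
  else
    echo unknown
  fi
}

pombump_preflight() {
  # $1 = source tree, $2 = pom path relative to it (defaults to pom.xml,
  # the location the failing step looked at). Returns 0 when a pom exists
  # at that path, 1 otherwise, with a hint on how to fix the pipeline.
  dir=$1
  pom=${2:-pom.xml}
  if [ ! -f "$dir/$pom" ]; then
    echo "failed to parse the pom file: open $pom: no such file or directory" >&2
    echo "detected build system: $(detect_build_system "$dir");" \
         "drop the maven/pombump step or point 'pom:' at an existing pom.xml" >&2
    return 1
  fi
  return 0
}

make_sample_trees() {
  # Constructed sample data: one Gradle-style tree (no pom.xml at the root)
  # and one Maven tree whose pom.xml sits in a subdirectory. Prints the root.
  sample_root=$(mktemp -d)
  mkdir -p "$sample_root/gradle-proj" "$sample_root/maven-proj/sub"
  : > "$sample_root/gradle-proj/gradlew"
  : > "$sample_root/gradle-proj/build.gradle"
  : > "$sample_root/maven-proj/sub/pom.xml"
  echo "$sample_root"
}

# Optional walk-through: ./preflight.sh --demo
if [ "${1:-}" = "--demo" ]; then
  root=$(make_sample_trees)
  pombump_preflight "$root/gradle-proj" || echo "gradle tree: pombump skipped"
  pombump_preflight "$root/maven-proj" sub/pom.xml && echo "maven tree: pombump ok"
  rm -rf "$root"
fi
```

Running the check with the default `pom.xml` against the Gradle tree fails with the same message the build produced, while passing `sub/pom.xml` against the Maven tree succeeds, which is the distinction between the "remove the step" and "set the pom path" fixes discussed above.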

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jun 18, 2025
@octo-sts (octo-sts bot, Contributor, Author) commented Jun 19, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-jg27-23w9-m7hp has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/sonarqube.advisories.yaml

ID:      CGA-jg27-23w9-m7hp
Package: sonarqube
Aliases: CVE-2025-48734 GHSA-wxr5-93ph-8wr9
Events:
  - "scan/v1" at 2025-06-18 17:16:38 UTC
  - "pending-upstream-fix" at 2025-06-19 06:05:06 UTC
