
Conversation

@octo-sts
Contributor

@octo-sts octo-sts bot commented Jul 12, 2025

sonarqube/25.7.0.110598-r0: fix GHSA-xwmg-2g98-w7v9

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/sonarqube.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts
Contributor Author

octo-sts bot commented Jul 12, 2025

⚙️ Build Failed: Configuration

Error: failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Category        Details
Build System    Maven
Failure Point   pombump pom.xml

Root Cause Analysis 🔍

The build process was looking for a Maven pom.xml file which doesn't exist in the expected location. This is likely due to the package build expecting a Maven project structure, but the repository being cloned has a different structure or the pom.xml file is in a different directory than expected.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: sonarqube.yaml

  • remove at line 46
    Original:
      - uses: maven/pombump
Click to expand fix analysis

Analysis

The similar fixed build failures show a common pattern where the maven/pombump step fails because there is no pom.xml file in the expected location. In both examples, the project was using a different build system than Maven (Ant for Cassandra, Bazel for Selenium). The fixes implemented had two main approaches:

  1. Specifying a custom path to an existing pom.xml file elsewhere in the project structure
  2. Creating a custom pom.xml file or patch for dependency management

The current failure with SonarQube is similar - the build system is using Gradle (not Maven), so it doesn't have a pom.xml in the root directory. However, the pipeline still includes the maven/pombump step which is causing the failure.

Click to expand fix explanation

Explanation

The build failure is occurring because the maven/pombump step is looking for a Maven pom.xml file, but SonarQube uses Gradle as its build system, not Maven. This is evidenced by the presence of ./gradlew build command in the build step and the absence of Maven-related commands.

Unlike the Cassandra example where they specified a custom path to a pom.xml file, SonarQube doesn't appear to have a pom.xml file that could be used for the pombump step. Since the build is already managing dependencies through Gradle (with ./gradlew build), the Maven pombump step is unnecessary and can be safely removed.

The build process is already correctly using Gradle for dependency management and compilation. After removing the pombump step, the build should proceed normally using the Gradle system without attempting to parse a non-existent pom.xml file.

Click to expand alternative approaches

Alternative Approaches

  • If dependency management is a concern, we could create a simple pom.xml template file and specify its path in the pombump step, similar to the Cassandra fix. This would allow us to keep the pombump functionality but point it to a valid file.
  • If there's a need to modify specific dependencies, we could add a patch to modify the build.gradle files directly instead of using pombump, similar to how the Selenium fix uses a patch to update Netty dependencies.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jul 12, 2025
@vishal-chdhry vishal-chdhry self-assigned this Jul 16, 2025
Signed-off-by: Vishal Choudhary <[email protected]>
@vishal-chdhry vishal-chdhry removed their assignment Jul 16, 2025
@kbsteere kbsteere enabled auto-merge (squash) July 17, 2025 19:18
@kbsteere
Member

Advisory for remaining CVEs: wolfi-dev/advisories#21059

@octo-sts
Contributor Author

octo-sts bot commented Jul 17, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-gfrm-rq8w-hqr3 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/sonarqube.advisories.yaml

ID:      CGA-gfrm-rq8w-hqr3
Package: sonarqube
Aliases: CVE-2025-48924 GHSA-j288-q9x7-2f5v
Events:
  - "scan/v1" at 2025-07-12 07:51:37 UTC
  - "pending-upstream-fix" at 2025-07-17 19:28:51 UTC

@octo-sts octo-sts bot closed this Jul 17, 2025
auto-merge was automatically disabled July 17, 2025 19:36

Pull request was closed
