
Conversation

octo-sts bot (Contributor) commented Jul 12, 2025

tomcat-11.0/11.0.8-r0: fix GHSA-25xr-qj8w-c4vf

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/tomcat-11.0.advisories.yaml


"Breadcrumbs" for this automated service

octo-sts bot (Contributor, author) commented Jul 12, 2025

⚙️ Build Failed: Configuration

Error: failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Category        Details
Build System    Maven
Failure Point   pombump pom.xml step

Root Cause Analysis 🔍

The build process expected to find a pom.xml file in the root directory of the repository, but the file was not found. This indicates either the repository structure doesn't match what the build process expects, or the file is located in a different directory than the build is looking.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: tomcat-11.0.yaml

  • replace at line 50 (maven/pombump step)

    Original:

```yaml
  - uses: maven/pombump
```

    Replacement:

```yaml
  - uses: maven/pombump
    with:
      # point pombump at the pom the download step below writes into .build/
      pom: .build/pom.xml
      patch-file: pombump-deps.yaml
```

  • add at line 49 (before maven/pombump step)

    Content:

```yaml
  - runs: |
      mkdir -p .build
      cd .build
      # -f makes curl exit non-zero on an HTTP error instead of saving the error page as pom.xml
      curl -fsSL -o pom.xml https://raw.githubusercontent.com/apache/tomcat/11.0.8/pom.xml || {
        echo "Failed to download pom.xml"
        exit 1
      }
      cd ..
```

File: tomcat-11.0/pombump-deps.yaml

  • add at line 1 (new file)

    Content:

```yaml
patches:
  # These are example dependency updates that might be needed
  # Adjust based on actual dependencies that need updating
  - groupId: org.apache.tomcat
    artifactId: tomcat-util
    version: 11.0.8
  - groupId: org.apache.tomcat
    artifactId: tomcat-api
    version: 11.0.8
```

Analysis

The pattern in the similar fixed build failures reveals that the pombump step fails when it cannot find a pom.xml file in the expected location. In both examples, the issue was resolved by one of:

  1. Specifying the correct path to the pom.xml file using the "pom" parameter in the maven/pombump step (cassandra example)
  2. Creating a patch file for dependency version updates and specifying it with the "patch-file" parameter (cassandra example)
  3. Completely removing the maven/pombump step when the project doesn't use Maven as its build system (implied in the selenium example)

The key insight is that Apache Tomcat primarily uses Ant for its build system, similar to Cassandra, rather than Maven. However, Tomcat does have some Maven files (pom.xml) in its repository, but they are not in the root directory - they're in subdirectories that need to be explicitly specified.


Explanation

The current build fails because the maven/pombump step cannot find the pom.xml file in the root directory of the repository. Apache Tomcat primarily uses Ant as its build system (as evidenced by the build.properties file and ant commands in the build script), but it does have Maven POM files in the repository.

The suggested fix addresses this issue by:

  1. Adding a step to download the actual pom.xml file from the Tomcat repository and placing it in a .build directory. This is similar to how the Cassandra example handles the situation by specifying a non-root location for the pom.xml.

  2. Modifying the maven/pombump step to specify the location of the pom.xml file and to use a patch file for updating dependencies.

  3. Creating a new pombump-deps.yaml file to specify dependency version updates, similar to the approach used in the Cassandra example.

This approach works because:

  • It ensures the pom.xml file is available for the pombump step to process
  • It maintains the existing build flow while addressing the specific issue
  • It follows the pattern established in the Cassandra example, which faced a similar issue with an Ant-based build system
  • It maintains the Wolfi guiding principle of keeping packages up to date with proper dependency management

The download step fetches the pom.xml from the exact tagged version (11.0.8) of the Tomcat repository to ensure compatibility.


Alternative Approaches

  • Remove the maven/pombump step entirely if it's not needed for the Tomcat build. This would be appropriate if Tomcat doesn't actually need any Maven dependency updates. The selenium example took this approach by removing the maven/pombump step.
  • Clone the entire Tomcat repository to a temporary location to access all files including pom.xml files in subdirectories, then point the pombump tool to the correct location.
  • Create a minimal synthetic pom.xml in the root directory that includes only the dependencies that need to be managed, rather than downloading the actual pom.xml from the repository.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
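The patch semantics the suggestion above relies on, shown as an added example that is not part of the bot's comment and is not pombump's own code: a simplified Python re-implementation that applies a `patches:` list of the shape shown in the suggested pombump-deps.yaml to a pom.xml, reports patches that match no declared dependency (the case the bot's "example dependency updates" comment warns about), and fails with the same message shape as the build when the pom is not where the step looks. The sample pom, the patch list and the `tomcat-coyote` entry are constructed for the example; the Maven POM namespace URI is the standard one.

```python
"""Apply pombump-style dependency version patches to a Maven pom.xml.

Added example: a simplified re-implementation of the patch semantics, not
pombump itself. Shows (1) a patch that bumps a declared dependency,
(2) a patch that matches nothing in the pom, and (3) the failure mode on
this PR, a pom.xml that is not at the path the step is given.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
ET.register_namespace("", POM_NS)  # keep the default namespace when serialising

# Constructed sample pom (not a real Tomcat pom): two deps the patch list
# targets and one it leaves alone.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-util</artifactId>
      <version>11.0.7</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-api</artifactId>
      <version>11.0.7</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""

# Same shape as the `patches:` list in pombump-deps.yaml
# (i.e. yaml.safe_load(open("pombump-deps.yaml"))["patches"]); constructed here.
# The tomcat-coyote entry is deliberately absent from SAMPLE_POM.
SAMPLE_PATCHES = [
    {"groupId": "org.apache.tomcat", "artifactId": "tomcat-util", "version": "11.0.8"},
    {"groupId": "org.apache.tomcat", "artifactId": "tomcat-api", "version": "11.0.8"},
    {"groupId": "org.apache.tomcat", "artifactId": "tomcat-coyote", "version": "11.0.8"},
]


def apply_patches(pom_xml: str, patches: list[dict]) -> tuple[str, dict[str, str], list[str]]:
    """Return (patched pom text, {"group:artifact": new version} applied, unmatched patch ids)."""
    root = ET.fromstring(pom_xml)
    wanted = {f'{p["groupId"]}:{p["artifactId"]}': p["version"] for p in patches}
    applied: dict[str, str] = {}
    for dep in root.iterfind(".//m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", namespaces=NS)
        aid = dep.findtext("m:artifactId", namespaces=NS)
        key = f"{gid}:{aid}"
        if key not in wanted:
            continue
        ver = dep.find("m:version", NS)
        if ver is None:
            # version is managed by a parent/BOM; a plain dependency patch cannot pin it
            continue
        ver.text = wanted[key]
        applied[key] = wanted[key]
    unmatched = sorted(set(wanted) - set(applied))  # patches that touched nothing
    return ET.tostring(root, encoding="unicode"), applied, unmatched


def versions_of(pom_xml: str) -> dict[str, str]:
    """{"group:artifact": version} for every declared dependency, for checking the result."""
    root = ET.fromstring(pom_xml)
    out: dict[str, str] = {}
    for dep in root.iterfind(".//m:dependencies/m:dependency", NS):
        key = f'{dep.findtext("m:groupId", namespaces=NS)}:{dep.findtext("m:artifactId", namespaces=NS)}'
        out[key] = dep.findtext("m:version", namespaces=NS)
    return out


def bump_pom_file(pom_path: str, patches: list[dict]) -> tuple[dict[str, str], list[str]]:
    """File-level wrapper: fail clearly, as the build step did, when the pom is not at pom_path."""
    path = Path(pom_path)
    if not path.is_file():
        raise FileNotFoundError(
            f"failed to parse the pom file: open {pom_path}: no such file or directory"
        )
    new_text, applied, unmatched = apply_patches(path.read_text(), patches)
    path.write_text(new_text)
    return applied, unmatched


if __name__ == "__main__":
    _, applied, unmatched = apply_patches(SAMPLE_POM, SAMPLE_PATCHES)
    print("applied:", applied)
    print("no matching dependency in pom:", unmatched)
```

A non-empty `unmatched` list is the signal that a pombump-deps.yaml entry is a placeholder rather than a real fix for the package, which is the check to run before trusting a patch file like the one suggested above.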

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jul 12, 2025
@kwmonroe kwmonroe self-assigned this Jul 16, 2025
octo-sts bot (Contributor, author) commented Jul 17, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-mxpw-fxf6-gmq3 has the latest event type of "fixed": https://github.com/wolfi-dev/advisories/blob/main/tomcat-11.0.advisories.yaml

ID:      CGA-mxpw-fxf6-gmq3
Package: tomcat-11.0
Aliases: CVE-2025-53506 GHSA-25xr-qj8w-c4vf
Events:
  - "scan/v1" at 2025-07-12 10:09:17 UTC
  - "fixed" at 2025-07-17 14:48:29 UTC
