Conversation

@octo-sts octo-sts bot (Contributor) commented Aug 14, 2025

docker-selenium/4.34.0.20250727-r1: fix GHSA-prj3-ccx8-p6x4

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/docker-selenium.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added labels Aug 14, 2025: P1 (This label indicates our scanning found High, Medium or Low CVEs for these packages.), automated pr, docker-selenium, GHSA-prj3-ccx8-p6x4, maven/pombump, request-cve-remediation

@octo-sts octo-sts bot (Contributor, Author) commented Aug 14, 2025

📦 Build Failed: Missing Dependency

failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Build System:  melange/maven
Failure Point: maven/pombump step - attempting to parse pom.xml file

Root Cause Analysis 🔍

The pombump tool is trying to process a Maven pom.xml file that does not exist in the current directory. The docker-selenium project was checked out from git, but the build pipeline expects to find a pom.xml file at the root level for Maven dependency management. This suggests either the project structure has changed, the checkout didn't include the expected files, or the pipeline configuration is incorrect for this particular project type.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: docker-selenium.yaml

  • remove at line 48 (pipeline section)
    Original:
  - uses: maven/pombump

Content:

Remove the maven/pombump step since docker-selenium uses Bazel, not Maven

Analysis

The similar fix shows that the docker-selenium project uses Bazel as its build system, not Maven. The error occurs because the maven/pombump step is trying to process a non-existent pom.xml file. The fix in the past involved removing the maven/pombump step entirely and instead applying patches to handle dependency updates manually, specifically updating Netty versions in the Bazel configuration files (MODULE.bazel and maven_install.json).

Explanation

The docker-selenium project uses Bazel as its build system, not Maven, so there is no pom.xml file to process. The maven/pombump step is attempting to parse a Maven configuration file that doesn't exist in this repository. By removing this step, the build will proceed without trying to process non-existent Maven files. If dependency version updates are needed, they should be handled through Bazel configuration files (MODULE.bazel) and potentially through patches, as demonstrated in the similar fix where Netty versions were updated manually.

Alternative Approaches

  • Create a conditional check to only run maven/pombump if pom.xml exists, though this adds unnecessary complexity
  • Replace maven/pombump with a custom script that handles Bazel dependency updates, but this would require significant additional development
  • Use patches to update specific dependencies in Bazel files when needed, following the pattern shown in the similar fix

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Aug 14, 2025
@jamie-albert jamie-albert self-assigned this Aug 15, 2025

Commit message:

docker-selenium doesn't use Maven for builds - it's a collection of Docker
images and scripts that package selenium-server. The maven/pombump step was
causing build failures because there's no pom.xml file.

The netty-codec-http2 vulnerability (GHSA-prj3-ccx8-p6x4) comes from the
selenium-server dependency, which should be addressed in the selenium package.

Signed-off-by: jamie-albert <jamie.albert@chainguard.dev>

@octo-sts octo-sts bot added the label bincapz/pass (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages.) Aug 15, 2025

@octo-sts octo-sts bot (Contributor, Author) commented Aug 15, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-r3xv-hphj-6vc6 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/docker-selenium.advisories.yaml

ID:      CGA-r3xv-hphj-6vc6
Package: docker-selenium
Aliases: CVE-2025-55163 GHSA-prj3-ccx8-p6x4
Events:
  - "scan/v1" at 2025-08-14 11:49:39 UTC
  - "pending-upstream-fix" at 2025-08-15 01:25:00 UTC
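The closer bot's decision above rests on one rule: look up the advisory that matches the PR's vulnerability ID (by ID or alias, since the PR names a GHSA while the advisory carries a CGA ID), take the most recent event, and treat a terminal type such as "pending-upstream-fix" as "no remediation PR needed". The following is an added example, not code from this PR or from the wolfi-dev tooling, that implements that triage rule over a constructed advisory record. The dict layout, the field names, and the set of terminal event types beyond "pending-upstream-fix" are assumptions; the IDs and timestamps are the ones reported in the comment above, with the events deliberately listed out of order so the timestamp sort is what picks the latest one.

```python
"""Triage helper: is a CVE-remediation PR still needed for an advisory?

Added example, not part of the PR or the wolfi-dev advisory tooling. The
record layout and the terminal event types other than "pending-upstream-fix"
are assumptions; the IDs and timestamps come from the PR comment above.
"""
from datetime import datetime, timezone

# Event types after which an automated remediation PR is no longer useful.
# Only "pending-upstream-fix" is shown on the page; the rest are assumed.
TERMINAL_EVENT_TYPES = {
    "pending-upstream-fix",
    "fixed",
    "fix-not-planned",
    "false-positive-determination",
}

# Constructed record mirroring the comment's ID, aliases and events.
# Events are intentionally not in chronological order.
CONSTRUCTED_ADVISORY = {
    "id": "CGA-r3xv-hphj-6vc6",
    "package": "docker-selenium",
    "aliases": ["CVE-2025-55163", "GHSA-prj3-ccx8-p6x4"],
    "events": [
        {"type": "pending-upstream-fix", "timestamp": "2025-08-15T01:25:00Z"},
        {"type": "scan/v1", "timestamp": "2025-08-14T11:49:39Z"},
    ],
}


def parse_timestamp(ts: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_advisory(advisories: list, vuln_id: str):
    """Return the advisory whose id or aliases match vuln_id, or None.

    A PR is usually keyed by a GHSA or CVE, while the advisory file keys
    records by a CGA id, so the aliases must be searched too.
    """
    for adv in advisories:
        if adv.get("id") == vuln_id or vuln_id in adv.get("aliases", []):
            return adv
    return None


def latest_event(advisory: dict):
    """Return the event with the newest timestamp, or None if there are none.

    File order is not trusted: events are compared by parsed timestamp.
    """
    events = advisory.get("events") or []
    if not events:
        return None
    return max(events, key=lambda e: parse_timestamp(e["timestamp"]))


def remediation_needed(advisory: dict) -> bool:
    """True if no terminal event has superseded the detection.

    An advisory with no events at all is treated as still open, since
    nothing on record says anyone has handled it.
    """
    event = latest_event(advisory)
    if event is None:
        return True
    return event["type"] not in TERMINAL_EVENT_TYPES


def summarize(advisory: dict) -> str:
    """Render the advisory in the same shape the closer bot prints."""
    lines = [
        f"ID:      {advisory['id']}",
        f"Package: {advisory.get('package', '?')}",
        f"Aliases: {' '.join(advisory.get('aliases', []))}",
        "Events:",
    ]
    for ev in sorted(advisory.get("events", []),
                     key=lambda e: parse_timestamp(e["timestamp"])):
        when = parse_timestamp(ev["timestamp"]).strftime("%Y-%m-%d %H:%M:%S UTC")
        lines.append(f'  - "{ev["type"]}" at {when}')
    return "\n".join(lines)


if __name__ == "__main__":
    adv = find_advisory([CONSTRUCTED_ADVISORY], "GHSA-prj3-ccx8-p6x4")
    print(summarize(adv))
    verdict = "still needed" if remediation_needed(adv) else "stale, close the PR"
    print(f"Remediation PR: {verdict}")
```

Run as a script it prints the advisory in the bot's layout and reports the PR as stale, because the newest event is "pending-upstream-fix" even though it is listed first in the record. Keying the lookup on aliases is the part that matters operationally: a closer that only compared the PR's GHSA against the advisory's CGA ID would never find the record and would leave the PR open.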
