Conversation

@octo-sts octo-sts bot commented Sep 4, 2025

docker-selenium/4.35.0.20250808-r1: fix GHSA-3p8m-j85q-pgmj

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/docker-selenium.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr docker-selenium GHSA-3p8m-j85q-pgmj maven/pombump request-cve-remediation labels Sep 4, 2025
octo-sts bot commented Sep 4, 2025

📦 Build Failed: Missing Dependency

failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Build System: melange/maven
Failure Point: maven/pombump step (pombump pom.xml command)

Root Cause Analysis 🔍

The maven/pombump pipeline step is attempting to process a pom.xml file that doesn't exist in the docker-selenium repository. This suggests the pipeline configuration assumes a Maven-based Java project, but docker-selenium may not use Maven as its build system or the pom.xml file may be located in a different directory structure.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: docker-selenium.yaml

  • removal at the line after the git-checkout step (pipeline section)
    Original:
  - uses: maven/pombump

Content:

Remove the maven/pombump pipeline step entirely since docker-selenium uses Bazel, not Maven

Analysis

The similar fix shows that the docker-selenium repository uses Bazel as its build system, not Maven. The error occurs because the maven/pombump pipeline step is trying to process a pom.xml file that doesn't exist in a Bazel-based project. The fix involves removing the maven/pombump step entirely and potentially adding patches for dependency management if needed. In the selenium.yaml fix, the maven/pombump step was removed and a patch was added to update Netty dependencies directly in the Bazel MODULE.bazel file.


Explanation

The fix should work because docker-selenium is a Bazel-based project, not a Maven project, so it doesn't have a pom.xml file. The maven/pombump step is attempting to bump Maven dependency versions in a non-existent pom.xml file. By removing this step, the build will proceed without trying to process Maven dependencies. The docker-selenium project manages its dependencies through Bazel's MODULE.bazel file and maven_install.json, not through Maven's pom.xml. This is confirmed by the similar fix in selenium.yaml where the same maven/pombump step was causing the identical error and was resolved by removal and handling dependencies through Bazel-specific mechanisms.


Alternative Approaches

  • Create a conditional maven/pombump step that only runs if pom.xml exists, though this adds unnecessary complexity
  • Add a patch to create a dummy pom.xml file, but this would be misleading since the project doesn't actually use Maven
  • Replace maven/pombump with a custom script that handles Bazel dependency updates, though this is overkill for the current issue

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Sep 4, 2025
@jamie-albert jamie-albert removed their assignment Sep 10, 2025
@dnegreira dnegreira self-assigned this Sep 10, 2025
@dnegreira dnegreira (Member) commented

Fixed via #65416

octo-sts bot commented Sep 10, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-343x-pv45-x36w has the latest event type of "fixed": https://github.com/wolfi-dev/advisories/blob/main/docker-selenium.advisories.yaml

ID:      CGA-343x-pv45-x36w
Package: docker-selenium
Aliases: CVE-2025-58057 GHSA-3p8m-j85q-pgmj
Events:
  - "scan/v1" at 2025-09-04 07:31:43 UTC
  - "fixed" at 2025-09-10 10:04:01 UTC
