
Conversation

@octo-sts octo-sts bot (Contributor) commented Sep 4, 2025

selenium/4.35.0-r0: fix GHSA-3p8m-j85q-pgmj

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/selenium.advisories.yaml

"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added labels Sep 4, 2025: P1 (This label indicates our scanning found High, Medium or Low CVEs for these packages.), automated pr, GHSA-3p8m-j85q-pgmj, maven/pombump, request-cve-remediation, selenium

@octo-sts octo-sts bot (Contributor, Author) commented Sep 4, 2025

📦 Build Failed: Missing Dependency

failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Build System: melange/maven
Failure Point: maven/pombump step - attempting to process pom.xml file

Root Cause Analysis 🔍

The build process expects a pom.xml file in the root directory after git checkout, but the file is missing. This suggests either the git checkout didn't complete properly, the pom.xml file is located in a different directory structure, or the selenium project structure has changed. The pombump tool (used for Maven dependency management in Wolfi builds) cannot proceed without the Maven project file.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: selenium.yaml

  • removal at line 33 (pipeline section)
    Original:
      - uses: maven/pombump

Content:

Remove the maven/pombump step entirely as Selenium uses Bazel, not Maven
Analysis

The similar fix shows that the build failure occurs because the Selenium project uses Bazel as its build system, not Maven. The maven/pombump step tries to process a pom.xml file that doesn't exist in the Selenium repository. The fix removed the problematic maven/pombump step entirely and added dependency bumping through Bazel-specific patches instead. The pattern shows that the build system was incorrectly assuming Maven when the project actually uses Bazel for dependency management.

Explanation

The build failure occurs because the pipeline includes a maven/pombump step that expects to find a pom.xml file in the root directory, but Selenium uses Bazel as its build system, not Maven. The maven/pombump step is completely unnecessary for Bazel-based projects and should be removed. The similar fix demonstrates this exact solution - removing the maven/pombump step resolves the "no such file or directory" error for pom.xml. Selenium manages its dependencies through Bazel's MODULE.bazel and maven_install.json files, not through Maven's pom.xml. Any dependency updates for Selenium should be handled through Bazel-specific mechanisms like patches to MODULE.bazel or regenerating the maven_install.json file.

Alternative Approaches

  • Create a conditional check to only run maven/pombump if pom.xml exists, though this would be unnecessary overhead
  • Add a patch to create a dummy pom.xml file, but this would be misleading and serve no purpose
  • Use Bazel-specific dependency update mechanisms like REPIN=1 bazel run @maven//:pin for actual dependency management

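As an added example (not part of this PR or the Wolfi/melange tooling), a POSIX shell precheck that implements the conditional-check alternative listed above: it classifies a checkout by the marker files the analysis names (pom.xml versus MODULE.bazel / maven_install.json) and declines to run a Maven-only step against a Bazel tree instead of failing mid-build with the "no such file or directory" error. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the octo-sts bot or from melange/pombump.
# Decide which dependency-bump mechanism applies to a checked-out source
# tree before a Maven-only pipeline step such as maven/pombump runs.
set -eu

# Print "maven", "bazel" or "unknown" for the tree at $1, based on the
# marker files the build-failure analysis mentions.
detect_build_system() {
    dir=$1
    if [ -f "$dir/pom.xml" ]; then
        echo maven
    elif [ -f "$dir/MODULE.bazel" ] || [ -f "$dir/maven_install.json" ]; then
        echo bazel
    else
        echo unknown
    fi
}

# Guard for a Maven-only step: succeed only when pom.xml is present.
# For a Bazel tree, say so and point at the Bazel-side mechanism; for an
# unrecognised tree, report the same condition pombump tripped over.
pombump_precheck() {
    dir=$1
    case $(detect_build_system "$dir") in
        maven)
            return 0 ;;
        bazel)
            echo "skip maven/pombump: $dir is a Bazel project; bump via MODULE.bazel / maven_install.json" >&2
            return 1 ;;
        *)
            echo "skip maven/pombump: open $dir/pom.xml: no such file or directory" >&2
            return 1 ;;
    esac
}

# Usage: ./precheck.sh <checkout-dir>; exit status tells the caller whether
# the maven/pombump step may proceed.
if [ -n "${1:-}" ]; then
    pombump_precheck "$1"
fi
```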

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Sep 4, 2025
@jamie-albert jamie-albert removed their assignment Sep 10, 2025
@dnegreira dnegreira self-assigned this Sep 10, 2025
@dnegreira (Member) commented:

needs advisory wolfi-dev/advisories#23419

@kbsteere kbsteere closed this Sep 10, 2025