Conversation

@octo-sts octo-sts bot commented Sep 5, 2025

docker-selenium/4.35.0.20250808-r2: fix GHSA-3p8m-j85q-pgmj

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/docker-selenium.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr docker-selenium GHSA-3p8m-j85q-pgmj maven/pombump request-cve-remediation labels Sep 5, 2025
octo-sts bot commented Sep 5, 2025

📦 Build Failed: Missing Dependency

failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Category       Details
Build System   melange/maven
Failure Point  maven/pombump step - pombump pom.xml command

Root Cause Analysis 🔍

The pombump tool is trying to process a Maven pom.xml file that doesn't exist in the project root directory. This is a docker-selenium project which may not be a Maven-based Java project, or the pom.xml file may be located in a different directory than expected by the build pipeline.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: docker-selenium.yaml

  • removal at line 67 (pipeline section)
    Original:
  - uses: maven/pombump

Content:

Remove the maven/pombump step completely as docker-selenium uses Bazel, not Maven
Analysis

Based on the similar fixed build failure, the pattern is clear: the docker-selenium project uses Bazel as its build system, not Maven. The fix involved removing the maven/pombump step entirely since there is no pom.xml file in the docker-selenium repository. The project uses Bazel for dependency management and builds, making Maven-specific steps incompatible.

Explanation

The docker-selenium project uses Bazel as its build system, not Maven. This is evident from the similar fix where the selenium project had the same issue - it was trying to use maven/pombump on a project that doesn't have a pom.xml file because it uses Bazel instead of Maven. The maven/pombump step is designed to update Maven pom.xml files, but since docker-selenium doesn't use Maven for its build system, this step is unnecessary and causes the build to fail when it tries to find a non-existent pom.xml file. Removing this step will allow the build to proceed with the correct Bazel-based build process.

Alternative Approaches

  • Check if the project has switched to Maven in newer versions and add pom.xml generation if needed
  • Use a conditional check to only run maven/pombump if pom.xml exists
  • Replace maven/pombump with a Bazel-specific dependency update mechanism if available

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Sep 5, 2025
@dnegreira dnegreira self-assigned this Sep 10, 2025
@dnegreira dnegreira (Member)

Fixed via #65416

octo-sts bot commented Sep 10, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-343x-pv45-x36w has the latest event type of "fixed": https://github.com/wolfi-dev/advisories/blob/main/docker-selenium.advisories.yaml

ID:      CGA-343x-pv45-x36w
Package: docker-selenium
Aliases: CVE-2025-58057 GHSA-3p8m-j85q-pgmj
Events:
  - "scan/v1" at 2025-09-04 07:31:43 UTC
  - "fixed" at 2025-09-10 10:04:01 UTC
