
Conversation


@octo-sts octo-sts bot commented Sep 6, 2025

docker-selenium/4.35.0.20250808-r2: fix GHSA-fghv-69vj-qj49

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/docker-selenium.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr docker-selenium GHSA-fghv-69vj-qj49 maven/pombump request-cve-remediation labels Sep 6, 2025

octo-sts bot commented Sep 6, 2025

📦 Build Failed: Missing Dependency

failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Build System: melange/maven
Failure Point: maven/pombump step - pombump pom.xml command

Root Cause Analysis 🔍

The maven/pombump pipeline step is trying to process a pom.xml file that doesn't exist in the docker-selenium repository. The docker-selenium project appears to not be a Maven-based Java project, but the melange build configuration is incorrectly attempting to run Maven-specific operations on it. This is a configuration mismatch between the build pipeline and the actual project structure.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: docker-selenium.yaml

  • removal at line 50 (pipeline section)
    Original:
  - uses: maven/pombump

Content:

Remove the maven/pombump step since docker-selenium uses Bazel, not Maven

Analysis

The similar fix shows that the docker-selenium project uses Bazel as its build system, not Maven. The fix involved removing the maven/pombump step entirely and adding a patch to update Netty dependencies in the Bazel configuration files (MODULE.bazel and maven_install.json). The pattern indicates that docker-selenium doesn't have a pom.xml file because it's not a Maven project - it uses Bazel for builds and dependency management.


Explanation

The fix should work because docker-selenium is not a Maven-based project - it uses Bazel as its build system. The maven/pombump step is attempting to process a pom.xml file that doesn't exist in the repository. By removing this step, the build will no longer fail trying to find the non-existent pom.xml file. The docker-selenium project manages its dependencies through Bazel's MODULE.bazel file and maven_install.json, not through Maven's pom.xml. This is confirmed by the similar fix which showed that Selenium (the parent project) also uses Bazel and required patches to MODULE.bazel rather than Maven configuration.


Alternative Approaches

  • Add a conditional check before maven/pombump to only run if pom.xml exists
  • Replace maven/pombump with a Bazel-specific dependency update mechanism if needed
  • Use a different pipeline step that's appropriate for Bazel-based projects

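The mismatch the bot describes (a Maven-only pipeline step kept in a melange config for a project that is built with Bazel) can be caught before a build is even started, by comparing the steps a config references against the build-system marker files actually present in the source tree. The script below is an added example and is not code from the original PR, from Wolfi, or from melange itself; the marker-file table, the regex-based extraction of `uses:` entries, and the constructed config text are assumptions made for illustration.

```python
import os
import re
import tempfile

# Marker files that indicate which build system a source tree really uses.
# This table is an assumption for the example, not a melange or Wolfi convention.
BUILD_MARKERS = {
    "maven": ["pom.xml"],
    "bazel": ["MODULE.bazel", "WORKSPACE", "maven_install.json"],
}

# Pipeline steps that only make sense when a particular build system is present.
STEP_REQUIRES = {
    "maven/pombump": "maven",
}

# Matches list entries such as "  - uses: maven/pombump" in a melange config.
USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)", re.MULTILINE)


def detect_build_systems(src_dir):
    """Return the set of build systems whose marker files exist in src_dir."""
    found = set()
    for system, markers in BUILD_MARKERS.items():
        if any(os.path.exists(os.path.join(src_dir, m)) for m in markers):
            found.add(system)
    return found


def pipeline_steps(melange_yaml_text):
    """Extract the `uses:` step names from a melange config.

    A plain regex is enough for this check, so no YAML parser is required.
    """
    return USES_RE.findall(melange_yaml_text)


def check_pipeline(melange_yaml_text, src_dir):
    """Return a list of mismatches: steps whose required build system is absent.

    An empty list means every build-system-specific step has its marker file.
    """
    systems = detect_build_systems(src_dir)
    problems = []
    for step in pipeline_steps(melange_yaml_text):
        needed = STEP_REQUIRES.get(step)
        if needed and needed not in systems:
            present = sorted(systems) or ["no known build system"]
            problems.append(
                f"step {step!r} requires {needed} ({BUILD_MARKERS[needed]}) "
                f"but the source tree shows {present}"
            )
    return problems


# Constructed config text resembling the shape of a melange pipeline; the
# repository URL is a placeholder and the file is not the real docker-selenium.yaml.
SAMPLE_CONFIG = """\
package:
  name: docker-selenium
pipeline:
  - uses: git-checkout
    with:
      repository: https://example.invalid/docker-selenium
  - uses: maven/pombump
"""


def demo(marker_files):
    """Create a temporary source tree containing the given marker files and
    run the check against SAMPLE_CONFIG. Returns the list of problems."""
    with tempfile.TemporaryDirectory() as src_dir:
        for name in marker_files:
            open(os.path.join(src_dir, name), "w").close()
        return check_pipeline(SAMPLE_CONFIG, src_dir)


if __name__ == "__main__":
    # A Bazel-style tree (MODULE.bazel + maven_install.json) trips the check;
    # a tree with pom.xml passes it.
    for problem in demo(["MODULE.bazel", "maven_install.json"]):
        print("MISMATCH:", problem)
    print("pom.xml tree problems:", demo(["pom.xml"]))
```

Running the check as an early CI job, before the package build starts, turns the failure above ("open pom.xml: no such file or directory") into a clear report that names the offending step and the build system the tree actually uses, so the config can be corrected rather than left to fail deep inside the build.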

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Sep 6, 2025
@dnegreira dnegreira self-assigned this Sep 10, 2025
@dnegreira (Member)

Fixed via #65416


efbar commented Sep 10, 2025

closing this since the above PR #65448 (comment) has been merged

@efbar efbar closed this Sep 10, 2025
@efbar efbar deleted the cve-docker-selenium-4.35.0.20250808-r2-0212986aba9ad78b0d871ac74ceed51c branch September 10, 2025 09:55