
Conversation


@octo-sts octo-sts bot commented Sep 6, 2025

selenium/4.35.0-r0: fix GHSA-fghv-69vj-qj49

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/selenium.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-fghv-69vj-qj49 maven/pombump request-cve-remediation selenium labels Sep 6, 2025

octo-sts bot commented Sep 6, 2025

📦 Build Failed: Missing Dependency

failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Build System: Maven/Melange
Failure Point: maven/pombump step - pombump pom.xml command

Root Cause Analysis 🔍

The pombump tool is trying to process a pom.xml file that doesn't exist in the current directory (/home/build). This suggests either the git checkout didn't place the files in the expected location, or the selenium project structure doesn't have a pom.xml file in the root directory. The build pipeline expects a Maven project structure but the checked out code may have a different build system or directory layout.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: selenium.yaml

  • removal at line 43 (pipeline section, after git-checkout)
    Original:
  - uses: maven/pombump

Content:

Remove the maven/pombump step since Selenium uses Bazel, not Maven

Analysis

The similar fixes show a clear pattern: both Selenium and Cassandra projects don't use Maven as their primary build system, so the maven/pombump step fails because there's no pom.xml file in the root directory. Selenium uses Bazel, while Cassandra uses Ant. The fixes involved either: 1) Removing the maven/pombump step entirely (for Selenium), or 2) Pointing pombump to a specific POM file location and providing patch dependencies (for Cassandra). Both cases required understanding the actual build system being used and adapting the pipeline accordingly.


Explanation

The suggested fix removes the maven/pombump step entirely because Selenium uses Bazel as its build system, not Maven. This is evident from the build commands in the pipeline that use bazel build commands. The maven/pombump step is trying to parse a pom.xml file that doesn't exist in the Selenium repository root. Since Selenium manages its dependencies through Bazel's MODULE.bazel file rather than Maven's pom.xml, the pombump step is unnecessary and causes the build to fail. The first fix example shows this exact scenario where the maven/pombump step was removed for Selenium because it uses Bazel.


Alternative Approaches

  • If dependency updates are still needed, they could be handled through Bazel's MODULE.bazel file or workspace dependencies, similar to how the first fix example included a patch to bump Netty versions in MODULE.bazel
  • Another approach would be to create a custom pipeline step that handles Bazel dependency updates specifically, but this would be more complex than simply removing the incompatible Maven step

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
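A pre-flight check in the spirit of the root-cause analysis above, added here as an example (it is not the octo-sts bot's or the wolfi-dev pipeline's own code): it scans a melange-style package definition for `uses:` steps and flags any whose required build system has no marker file in the checkout root, which is exactly how `maven/pombump` fails on a Bazel-only Selenium tree. The step-to-build-system mapping, the marker file names and the sample YAML are constructed assumptions.

```python
"""Flag pipeline steps that assume a build system the checked-out source lacks."""
import re
import tempfile
from pathlib import Path

# Assumed marker files per build system (the page notes Selenium uses Bazel,
# Cassandra uses Ant, and maven/pombump needs a pom.xml in the checkout root).
BUILD_MARKERS = {
    "maven": ("pom.xml",),
    "bazel": ("MODULE.bazel", "WORKSPACE"),
    "ant": ("build.xml",),
}

# Assumed: pipeline steps that only work for one build system.
STEP_REQUIRES = {"maven/pombump": "maven"}

USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)")


def detect_build_systems(checkout: Path) -> set:
    """Return the build systems whose marker files exist in the checkout root."""
    return {name for name, files in BUILD_MARKERS.items()
            if any((checkout / f).is_file() for f in files)}


def pipeline_steps(package_yaml: str) -> list:
    """Extract `uses:` step names by line scan, so no YAML library is needed."""
    return [m.group(1) for line in package_yaml.splitlines()
            if (m := USES_RE.match(line))]


def incompatible_steps(package_yaml: str, checkout: Path) -> list:
    """Steps whose required build system is absent from the checkout."""
    present = detect_build_systems(checkout)
    return [s for s in pipeline_steps(package_yaml)
            if s in STEP_REQUIRES and STEP_REQUIRES[s] not in present]


# Constructed sample: a minimal selenium-style pipeline with the failing step.
SAMPLE_YAML = """\
pipeline:
  - uses: git-checkout
    with:
      repository: https://example.invalid/selenium.git
  - uses: maven/pombump
  - runs: bazel build //java/src/org/openqa/selenium:selenium
"""


def demo(marker: str) -> list:
    """Run the check against a throwaway checkout containing only `marker`."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / marker).write_text("# constructed placeholder\n")
        return incompatible_steps(SAMPLE_YAML, root)


if __name__ == "__main__":
    print(demo("MODULE.bazel"))  # ['maven/pombump']
    print(demo("pom.xml"))       # []
```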

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Sep 6, 2025
@dnegreira dnegreira self-assigned this Sep 10, 2025
@dnegreira
Member

Needs advisory wolfi-dev/advisories#23419

@kbsteere kbsteere closed this Sep 10, 2025