
Conversation

@octo-sts
Contributor

@octo-sts octo-sts bot commented Oct 24, 2025

celeborn-0.6/0.6.1-r0: fix GHSA-3p8m-j85q-pgmj

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/celeborn-0.6.advisories.yaml

⚠️ Deferred 5 Vulnerabilities

The following vulnerabilities are being deferred to future PRs (to avoid merge conflicts):


"Breadcrumbs" for this automated service

@octo-sts
Contributor Author

octo-sts bot commented Oct 24, 2025

📦 Build Failed: Missing Dependency

package io.netty.handler.codec does not exist

Build Details

| Category | Details |
| --- | --- |
| Build System | Maven |
| Failure Point | scala-maven-plugin:4.9.2:compile (scala-compile-first) on project celeborn-common_2.13 |

Root Cause Analysis 🔍

The Netty codec dependency is missing from the Maven project dependencies. Multiple Java source files in the celeborn-common module are trying to import io.netty.handler.codec classes but the required Netty dependency is not available in the classpath, causing compilation failures across MessageEncoder.java, SslMessageEncoder.java, MessageDecoder.java, and TransportContext.java files.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: celeborn-0.6.yaml

  • addition at line after line with 'uses: maven/pombump' (after maven/pombump step)
    Original:
  - uses: maven/pombump

Replacement:

  - uses: maven/pombump

  - uses: maven/pombump
    with:
      patch-file: pombump-netty.yaml

Content:

Add additional maven/pombump step for Netty dependencies

File: celeborn-0.6/pombump-netty.yaml

  • creation at line 1-3 (new file)
    Original:
file does not exist

Replacement:

properties:
  - property: netty.version
    value: "4.1.124.Final"

Content:

Create new pombump configuration file for Netty dependencies
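Review bot: the new file is passed to the step through `patch-file`, but its body is a `properties:` list, which is the format the analysis below describes for a pombump-properties.yaml; confirm that the maven/pombump input name matches the file's format, otherwise `netty.version` is never applied and the build fails with the same missing io.netty.handler.codec error. Separately, overriding `netty.version` only changes artifacts whose POM references that property; the commit message in this thread says netty is brought in by ratis, so verify with `mvn dependency:tree` that the override actually reaches that transitive path before treating this as a fix.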

Analysis

Based on the similar fixed build failure, I can see a clear pattern: when Netty dependencies are missing from the classpath during Maven compilation, the solution involves using the maven/pombump action to add or update Netty version properties in the project's POM files. In the fixed example, a new pombump-properties.yaml file was created to specify the netty.version property with value "4.1.124.Final", and an additional maven/pombump step was added to apply this property to the buildtools/pom.xml file. This pattern suggests that Celeborn likely has similar Netty version properties that need to be configured properly.


Explanation

This fix addresses the root cause by ensuring that the Netty dependencies are properly configured in the Maven build. The celeborn-common module is failing to compile because it cannot find io.netty.handler.codec classes, which indicates that the Netty libraries are not available in the classpath. By adding a maven/pombump step with a netty.version property set to "4.1.124.Final" (the same version used in the similar fix), we ensure that the Maven build can resolve the Netty dependencies that the Java source files are trying to import. The pombump action will update the project's POM files to use the specified Netty version, making the io.netty.handler.codec and other Netty packages available during compilation. This approach follows the exact same pattern that successfully fixed the similar Apache Pulsar build failure.


Alternative Approaches

  • Add Netty dependencies directly to the environment.contents.packages section in the YAML file, though this is less precise since it doesn't target the specific Maven dependency resolution
  • Modify the Maven command in the Build step to include explicit dependency resolution flags, but this would be a workaround rather than fixing the underlying dependency configuration
  • Use a different Netty version property value if the project specifically requires a different version, which would require examining the project's existing POM files to determine the expected version

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
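As an added illustration (not pombump's own code, and nothing from the Celeborn or Wolfi repositories): a minimal Python re-implementation of what a pombump `properties:` file does to a pom.xml, plus the check a reviewer wants before accepting the suggested fix, namely whether any dependency in that POM actually references `${netty.version}`. The sample POM and its pinned versions are constructed; an empty result from `dependencies_using` is the case where a property bump cannot reach a transitively pulled-in netty.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"


def q(tag: str) -> str:  # qualify a POM element name with the Maven namespace
    return f"{{{POM_NS}}}{tag}"


# Constructed sample pom.xml (not Celeborn's real POM): netty.version is declared
# and one dependency pins its version to ${netty.version}.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties><netty.version>4.1.100.Final</netty.version></properties>
  <dependencies><dependency>
    <groupId>io.netty</groupId><artifactId>netty-codec</artifactId>
    <version>${netty.version}</version>
  </dependency></dependencies>
</project>"""

# Same entries as the suggested pombump-netty.yaml, as a Python literal so the
# example needs no YAML parser.
PROPERTIES = [{"property": "netty.version", "value": "4.1.124.Final"}]


def apply_properties(pom_xml: str, props: list) -> str:
    """Set (or create) each <properties> entry: what a pombump properties file does."""
    root = ET.fromstring(pom_xml)
    props_el = root.find(q("properties"))
    if props_el is None:
        props_el = ET.SubElement(root, q("properties"))
    for p in props:
        el = props_el.find(q(p["property"]))
        if el is None:
            el = ET.SubElement(props_el, q(p["property"]))
        el.text = p["value"]
    # default_namespace keeps the plain xmlns="..." on re-serialisation
    return ET.tostring(root, encoding="unicode", default_namespace=POM_NS)


def property_value(pom_xml: str, name: str):
    el = ET.fromstring(pom_xml).find(q("properties") + "/" + q(name))
    return None if el is None else el.text


def dependencies_using(pom_xml: str, name: str) -> list:
    """artifactIds whose <version> is ${name}; empty means the bump cannot change
    what this POM resolves (e.g. a netty pulled in transitively via ratis)."""
    hits = []
    for dep in ET.fromstring(pom_xml).iter(q("dependency")):
        if (dep.findtext(q("version")) or "").strip() == f"${{{name}}}":
            hits.append(dep.findtext(q("artifactId")))
    return hits
```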

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Oct 24, 2025
@catmsred catmsred self-assigned this Oct 27, 2025
catmsred added a commit to catmsred/advisories that referenced this pull request Oct 27, 2025
…3-ccx8-p6x4

celeborn-0.6 is newly version streamed and existing advisories under version 0.5
need to be updated for the new 0.6 version. netty is brought in by ratis, which
has still not updated to a fixed version of netty.

Relates: wolfi-dev/os#69882, wolfi-dev/os#69911, chainguard-dev/CVE-Dashboard#31614, chainguard-dev/CVE-Dashboard#31634, chainguard-dev/CVE-Dashboard#31623
@catmsred
Member

Advisory PR: wolfi-dev/advisories#24367

github-merge-queue bot pushed a commit to wolfi-dev/advisories that referenced this pull request Oct 27, 2025
* adv(celeborn-0.6): GHSA-3p8m-j85q-pgmj, GHSA-fghv-69vj-qj49, GHSA-prj3-ccx8-p6x4

celeborn-0.6 is newly version streamed and existing advisories under version 0.5
need to be updated for the new 0.6 version. netty is brought in by ratis, which
has still not updated to a fixed version of netty.

Relates: wolfi-dev/os#69882, wolfi-dev/os#69911, chainguard-dev/CVE-Dashboard#31614, chainguard-dev/CVE-Dashboard#31634, chainguard-dev/CVE-Dashboard#31623

* adv(celeborn-0.6): GHSA-j288-q9x7-2f5v, GHSA-h46c-h94j-95f3, GHSA-wf8f-6423-gfxg, GHSA-qh8g-58pp-2wxh, GHSA-xwmg-2g98-w7v9

celeborn-0.6 is newly version streamed and existing advisories under version 0.5
need to be updated for the new 0.6 version. hadoop is currently brought in at
the most recent version (3.4.2) and all the subsequent transitive dependencies
of hadoop require an upstream fix.

Relates: chainguard-dev/CVE-Dashboard#31631, chainguard-dev/CVE-Dashboard#31625, chainguard-dev/CVE-Dashboard#31629, chainguard-dev/CVE-Dashboard#31627, chainguard-dev/CVE-Dashboard#31621
@octo-sts
Contributor Author

octo-sts bot commented Oct 27, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-v929-wm8j-8mwj has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/celeborn-0.6.advisories.yaml

ID:      CGA-v929-wm8j-8mwj
Package: celeborn-0.6
Aliases: CVE-2025-58057 GHSA-3p8m-j85q-pgmj
Events:
  - "scan/v1" at 2025-10-23 18:37:47 UTC
  - "pending-upstream-fix" at 2025-10-27 13:59:09 UTC

