
sonarqube-10/25.5.0.107428-r0: cve remediation #54145


Open: wants to merge 1 commit into base branch main

Conversation

octo-sts[bot] (Contributor) commented May 23, 2025

sonarqube-10/25.5.0.107428-r0: fix GHSA-vrpq-qp53-qv56

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/sonarqube-10.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-vrpq-qp53-qv56 maven/pombump request-cve-remediation sonarqube-10 labels May 23, 2025
octo-sts[bot] (Contributor, Author) commented May 23, 2025

⚙️ Build Failed: Configuration

Error: failed to parse the pom file: open pom.xml: no such file or directory

Build Details

Category        Details
Build System    Maven
Failure Point   maven/pombump step

Root Cause Analysis 🔍

The build process was attempting to perform a Maven POM file operation using the 'pombump' tool, but the expected pom.xml file is missing at the expected location. This occurred after successfully checking out the SonarQube repository at tag 25.5.0.107428.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: package.yaml

  • Removal of a pipeline step (after the git-checkout step and before the build step)
    Original:
      - uses: maven/pombump

Analysis

This build failure involves a failed attempt to parse a pom.xml file that doesn't exist at the expected location. The error occurs after successfully checking out the SonarQube repository at tag 25.5.0.107428. The build system is trying to run the maven/pombump step, but there's no pom.xml file in the expected location. Looking at the repository structure, SonarQube has migrated from Maven to Gradle build system, which explains why the pom.xml file is missing. The build configuration is trying to use a Maven-specific step on a Gradle project.


Explanation

The build failure is occurring because the Melange configuration includes a Maven-specific step (maven/pombump) but the SonarQube project at version 25.5.0.107428 uses Gradle as its build system, not Maven. The error message "failed to parse the pom file: open pom.xml: no such file or directory" clearly indicates that the build is looking for a pom.xml file that doesn't exist.

SonarQube has migrated from Maven to Gradle in recent versions, which is why the pom.xml file is not present. The Melange YAML already includes the correct Gradle build commands in the subsequent "build" step (./gradlew build), suggesting that the Maven step is unnecessary and was likely left in the configuration from an earlier version that did use Maven.

Removing the maven/pombump step will allow the build to proceed directly to the Gradle build command, which is the correct approach for this version of SonarQube. The rest of the build pipeline appears correctly configured for a Gradle-based project.


Alternative Approaches

  • If version information from a pom.xml is needed for some reason, consider creating a custom step to extract version information directly from Gradle files (build.gradle or gradle.properties) instead.
  • If the maven/pombump step is required for the Wolfi build infrastructure, consider adding a conditional check that skips this step when no pom.xml file is found.
  • Check if an older branch or tag of SonarQube with Maven support exists and could be used instead, though this would go against the principle of keeping packages up to date.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
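The bot's second alternative (skip the Maven-only step when no pom.xml exists) and its first (read the version from Gradle files instead) can both be handled by a small guard in a shell step. The script below is an added example, not octo-sts output and not code from the wolfi-dev/os package.yaml; it assumes the step would be expressed as a plain `runs:` shell block inside the Melange pipeline, and that the Gradle project version sits under a `version=` key in gradle.properties. The sample source trees it builds are constructed for the demo and are not the SonarQube sources.

```shell
#!/bin/sh
# Added example: decide whether a Maven-only step (such as maven/pombump) should
# run against a freshly checked-out source tree, and fall back to Gradle
# metadata for the version when there is no pom.xml. Not from the wolfi-dev/os
# package.yaml; helper names and the gradle.properties "version=" key are assumptions.

# Print the build system found in a source directory: maven, gradle, or unknown.
# pom.xml wins because the Maven step needs exactly that file.
detect_build_system() {
    dir="$1"
    if [ -f "$dir/pom.xml" ]; then
        echo maven
    elif [ -f "$dir/build.gradle" ] || [ -f "$dir/build.gradle.kts" ] ||
         [ -f "$dir/settings.gradle" ] || [ -f "$dir/settings.gradle.kts" ] ||
         [ -f "$dir/gradlew" ]; then
        echo gradle
    else
        echo unknown
    fi
}

# Read the project version from gradle.properties ("version=<value>") for the
# case where no pom.xml carries it. Prints nothing and fails if the file is absent.
gradle_version() {
    dir="$1"
    [ -f "$dir/gradle.properties" ] || return 1
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*//p' "$dir/gradle.properties" | head -n 1
}

# Exit status 0 when the Maven step should run, 1 when it should be skipped.
# A "runs:" step could use this as:  should_run_pombump . || exit 0
should_run_pombump() {
    [ "$(detect_build_system "$1")" = maven ]
}

# Constructed sample trees so the script runs stand-alone (not real project sources).
make_sample_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/gradle-project" "$root/maven-project" "$root/empty"
    printf 'version=25.5.0.107428\n' > "$root/gradle-project/gradle.properties"
    : > "$root/gradle-project/build.gradle"
    printf '<project/>\n' > "$root/maven-project/pom.xml"
    echo "$root"
}

# Demo: report, per sample tree, whether the Maven step would run or be skipped.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_trees)
    for p in gradle-project maven-project empty; do
        if should_run_pombump "$root/$p"; then
            echo "$p: $(detect_build_system "$root/$p") -> run maven/pombump"
        else
            echo "$p: $(detect_build_system "$root/$p") -> skip maven/pombump (version: $(gradle_version "$root/$p" || echo n/a))"
        fi
    done
    rm -rf "$root"
fi
```

Run it with `sh guard.sh --demo` to see the three outcomes. The point of checking for Gradle marker files rather than only for a missing pom.xml is that an empty or unexpected checkout is reported as `unknown` instead of being silently treated as Gradle, which keeps a broken git-checkout step from passing unnoticed.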

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label May 23, 2025
@jamie-albert jamie-albert self-assigned this May 27, 2025
jamie-albert (Member) commented:

#54484

@cmwilson21 cmwilson21 requested a review from a team May 28, 2025 14:55
@powersj powersj removed the request for review from a team May 28, 2025 15:08