Conversation

octo-sts bot commented Sep 6, 2025

kserve-modelmesh/0.12.0-r15: fix GHSA-fghv-69vj-qj49

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kserve-modelmesh.advisories.yaml


"Breadcrumbs" for this automated service

octo-sts bot added labels (Sep 6, 2025): P1 (this label indicates our scanning found High, Medium or Low CVEs for these packages), automated pr, GHSA-fghv-69vj-qj49, kserve-modelmesh, maven/pombump, request-cve-remediation

octo-sts bot commented Sep 6, 2025

📦 Build Failed: Missing Dependency

package io.netty.handler.codec.http does not exist

Build Details

Build System: Maven
Failure Point: maven-compiler-plugin:3.8.1:compile (default-compile)

Root Cause Analysis 🔍

The Netty HTTP codec dependency is missing from the classpath. The Java source files are trying to import io.netty.handler.codec.http classes but the required Netty HTTP handler dependency is not available during compilation. This is likely due to a missing Maven dependency declaration for netty-codec-http in the pom.xml file.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: kserve-modelmesh.yaml

  • add (after the maven/pombump step)
    Original:
      - uses: maven/pombump

    Replacement:
      - uses: maven/pombump

      - uses: maven/pombump
        with:
          patch-file: pombump-properties.yaml

Content:

Add a second maven/pombump step with properties patch

File: kserve-modelmesh/pombump-properties.yaml

  • create (new file)
    Replacement:
      properties:
        - property: netty-version
          value: 4.1.118.Final

Content:

Create properties file to update Netty version

Analysis

The similar fixes show a consistent pattern of resolving Netty dependency issues by: 1) Updating Netty version properties in pombump-properties.yaml files to newer stable versions (4.1.118.Final, 4.1.124.Final), 2) Adding or modifying maven/pombump steps with property patch files to ensure correct Netty versions are used, and 3) In some cases, switching from netty-codec-http to netty-handler when codec-http is not available. All fixes involve updating the Netty version to a more recent stable release that includes the required HTTP codec components.


Explanation

This fix addresses the missing io.netty.handler.codec.http package by ensuring the project uses a recent, stable version of Netty (4.1.118.Final) that includes the HTTP codec components. The pattern from similar fixes shows that Netty dependency issues are commonly resolved by updating to newer versions through Maven property overrides. The pombump-properties.yaml file will override the netty-version property in the project's POM, ensuring all Netty dependencies (including netty-codec-http) are resolved at the correct version. This approach maintains consistency with the existing build system while ensuring the HTTP codec classes are available during compilation.


Alternative Approaches

  • Update the existing pombump-deps.yaml file to explicitly include io.netty:netty-codec-http dependency
  • Switch to using netty-handler instead of netty-codec-http if the codec-http artifact is not available in the specified version
  • Update to an even newer Netty version like 4.1.124.Final as used in the Apache Pulsar fix

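To make the mechanism behind the suggested fix concrete, here is an added example (not octo-sts, pombump or kserve-modelmesh code) that applies a properties patch in the shape of the proposed pombump-properties.yaml to a constructed sample POM and then checks which version each io.netty artifact resolves to, which is the check a reviewer would want before trusting that the advisory bump reaches every Netty dependency. The POM, and the helper names apply_property_patch and resolved_netty_versions, are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", POM_NS)  # keep the default POM namespace on output

# Constructed sample POM (not the real kserve-modelmesh POM): Netty is pinned
# through a property, so a property override changes every io.netty artifact.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>sample</artifactId><version>1</version>
  <properties>
    <netty-version>4.1.50.Final</netty-version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler</artifactId>
      <version>${netty-version}</version>
    </dependency>
  </dependencies>
</project>"""

# Same content as the suggested pombump-properties.yaml above.
PROPERTY_PATCH = [{"property": "netty-version", "value": "4.1.118.Final"}]
NS = {"m": POM_NS}

def apply_property_patch(pom_xml: str, patch: list) -> str:
    """Set (creating if absent) each patched entry under <properties> and
    return the rewritten POM text; this is the effect of a properties patch."""
    root = ET.fromstring(pom_xml)
    props = root.find("m:properties", NS)
    if props is None:
        props = ET.SubElement(root, f"{{{POM_NS}}}properties")
    for entry in patch:
        node = props.find(f"m:{entry['property']}", NS)
        if node is None:
            node = ET.SubElement(props, f"{{{POM_NS}}}{entry['property']}")
        node.text = entry["value"]
    return ET.tostring(root, encoding="unicode")

def resolved_netty_versions(pom_xml: str) -> dict:
    """Map each io.netty artifact to its version after ${property} interpolation."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", NS)
    props = {} if props_el is None else {p.tag.split("}")[1]: p.text for p in props_el}
    out = {}
    for dep in root.iterfind("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", namespaces=NS) != "io.netty":
            continue
        raw = dep.findtext("m:version", namespaces=NS) or ""
        out[dep.findtext("m:artifactId", namespaces=NS)] = re.sub(
            r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
    return out
```

Run resolved_netty_versions on the POM before and after apply_property_patch to confirm the pinned Netty artifacts move to 4.1.118.Final; an artifact with a hard-coded version would not move and would need a separate dependency patch.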

octo-sts bot added the label ai/skip-comment (stop AI from commenting on PR), Sep 6, 2025

octo-sts bot commented Sep 10, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-488j-8qjf-x6jx has the latest event type of "fixed": https://github.com/wolfi-dev/advisories/blob/main/kserve-modelmesh.advisories.yaml

ID:      CGA-488j-8qjf-x6jx
Package: kserve-modelmesh
Aliases: CVE-2025-58056 GHSA-fghv-69vj-qj49
Events:
  - "scan/v1" at 2025-09-06 07:23:19 UTC
  - "fixed" at 2025-09-10 08:24:36 UTC
