apache-nifi/2.0.0-r1: cve remediation #34018

octo-sts · 2024-11-13T07:21:35Z

apache-nifi/2.0.0-r1: fix GHSA-xq3w-v528-46rv

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/apache-nifi.advisories.yaml

octo-sts · 2024-11-13T07:27:15Z

Gen AI suggestions to solve the build error:

Based on the build error, here's what's happening and how to fix it:

The main error is a dependency resolution issue:

Could not find artifact io.netty:netty-common:jar:4.1.115 in central

The pombump step attempted to update netty-common to version 4.1.115, but this version doesn't exist in Maven Central. This is likely because pombump is trying to update to a version that hasn't been released yet.

Here are the steps to fix this:

Modify the pombump behavior by adding an explicit version constraint for netty-common. Add this to your melange YAML:

  - uses: maven/pombump
    with:
      version-constraints:
        - "io.netty:netty-common:<4.1.100"  # Use a version that exists

Alternatively, you could pin the specific version that's known to work with Apache NiFi 2.0.0:

  - uses: maven/pombump
    with:
      version-constraints:
        - "io.netty:netty-common:4.1.94.Final"  # Or whatever version is compatible

If you want to debug locally, you can use:

melange build --interactive apache-nifi.yaml

Then inside the debug shell:

./mvnw dependency:tree | grep netty-common  # To see what version is being used

The key problem is that pombump is trying to use a version of netty-common that doesn't exist. By constraining the version to one that does exist and is compatible with NiFi 2.0.0, the build should succeed.

Signed-off-by: Joshua Powers <joshua.powers@chainguard.dev>

github-actions · 2024-11-15T21:54:15Z

Package apache-nifi-compat: Click to expand/collapse

Package apache-nifi-compat:
Unchanged

Package apache-nifi: Click to expand/collapse

Package apache-nifi:
Modified: /usr/share/nifi/nifi-current/docs/html/administration-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/developer-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/expression-language-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/getting-started.html
Modified: /usr/share/nifi/nifi-current/docs/html/nifi-in-depth.html
Modified: /usr/share/nifi/nifi-current/docs/html/overview.html
Modified: /usr/share/nifi/nifi-current/docs/html/python-developer-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/record-path-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/toolkit-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/user-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/walkthroughs.html
Modified: /usr/share/nifi/nifi-current/lib/nifi-aws-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-azure-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-cdc-mysql-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-dbcp-service-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-distributed-cache-services-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-framework-kubernetes-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-framework-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-jms-processors-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-jolt-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-jslt-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-lookup-services-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-opentelemetry-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-record-serialization-services-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-record-sink-service-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-server-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-splunk-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-standard-nar-2.0.0.nar

Package apache-nifi-toolkit: Click to expand/collapse

Package apache-nifi-toolkit:
Unchanged

octo-sts · 2024-11-15T21:57:16Z

Gen AI suggestions to solve the build error:

Based on the build output, I don't see any actual errors - the build appears to have completed successfully. The output shows:

All packages were built successfully:

apache-nifi-2.0.0-r2.apk
apache-nifi-toolkit-2.0.0-r2.apk
apache-nifi-compat-2.0.0-r2.apk

There are some SLF4J warnings about "No SLF4J providers were found" but these are just informational messages, not errors.
There is one ANTLR warning about multiple alternatives in the RecordPathParser.g grammar file, but this is also just a warning and doesn't affect the build.

If you're seeing failures in the CI system, it may be worth checking:

The test phase results, which aren't shown in this output
Any post-build validation steps in your CI pipeline
Whether all required artifacts were generated correctly

Could you share what specific failure you're seeing in the CI system? That would help identify if there's an issue that's not apparent in the build output itself.

In terms of the current build configuration, everything looks correct:

Dependencies are properly specified
Build environment is set up correctly
Maven build completes successfully
Package generation works as expected

…a91d

github-actions · 2024-11-15T22:09:52Z

Package apache-nifi: Click to expand/collapse

Package apache-nifi:
Modified: /usr/share/nifi/nifi-current/docs/html/administration-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/developer-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/expression-language-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/getting-started.html
Modified: /usr/share/nifi/nifi-current/docs/html/nifi-in-depth.html
Modified: /usr/share/nifi/nifi-current/docs/html/overview.html
Modified: /usr/share/nifi/nifi-current/docs/html/python-developer-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/record-path-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/toolkit-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/user-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/walkthroughs.html
Modified: /usr/share/nifi/nifi-current/lib/nifi-asana-processors-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-aws-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-azure-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-cdc-mysql-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-cipher-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-distributed-cache-services-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-elasticsearch-restapi-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-email-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-enrich-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-framework-kubernetes-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-framework-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-gcp-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-jms-processors-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-jolt-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-jslt-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-network-processors-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-opentelemetry-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-poi-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-record-serialization-services-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-record-sink-service-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-server-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-slack-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-snmp-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-splunk-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-standard-nar-2.0.0.nar

Package apache-nifi-toolkit: Click to expand/collapse

Package apache-nifi-toolkit:
Unchanged

Package apache-nifi-compat: Click to expand/collapse

Package apache-nifi-compat:
Unchanged

powersj · 2024-11-15T22:16:19Z

Got the pombump figured out using a property file, but it seems it exists deeper down still? Unassigned myself for now.

Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>

github-actions · 2024-11-17T18:09:16Z

Package apache-nifi: Click to expand/collapse

Package apache-nifi:
Modified: /usr/share/nifi/nifi-current/docs/html/administration-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/developer-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/expression-language-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/getting-started.html
Modified: /usr/share/nifi/nifi-current/docs/html/nifi-in-depth.html
Modified: /usr/share/nifi/nifi-current/docs/html/overview.html
Modified: /usr/share/nifi/nifi-current/docs/html/python-developer-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/record-path-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/toolkit-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/user-guide.html
Modified: /usr/share/nifi/nifi-current/docs/html/walkthroughs.html
Modified: /usr/share/nifi/nifi-current/lib/nifi-asana-processors-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-aws-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-azure-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-azure-services-api-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-dbcp-service-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-distributed-cache-services-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-elasticsearch-restapi-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-email-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-enrich-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-framework-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-gcp-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-jms-processors-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-jolt-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-network-processors-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-opentelemetry-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-poi-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-record-serialization-services-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-record-sink-service-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-server-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-slack-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-snmp-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-splunk-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-standard-nar-2.0.0.nar
Modified: /usr/share/nifi/nifi-current/lib/nifi-standard-shared-nar-2.0.0.nar

Package apache-nifi-toolkit: Click to expand/collapse

Package apache-nifi-toolkit:
Unchanged

Package apache-nifi-compat: Click to expand/collapse

Package apache-nifi-compat:
Unchanged

powersj

Thanks for picking this up!

apache-nifi/2.0.0-r1: fix GHSA-xq3w-v528-46rv

3bb644b

octo-sts bot added automated pr GHSA-xq3w-v528-46rv maven/pombump request-cve-remediation apache-nifi/2.0.0-r1 labels Nov 13, 2024

fix: Resolve GHSA-xq3w-v528-46rv

6284f1f

Signed-off-by: Joshua Powers <joshua.powers@chainguard.dev>

powersj self-assigned this Nov 15, 2024

Merge branch 'main' into cve-apache-nifi-8d5830ee07153e3cf30be23b1113…

a6a156d

…a91d

octo-sts bot added the bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. label Nov 15, 2024

powersj removed their assignment Nov 15, 2024

octo-sts bot added the manual/review-needed label Nov 15, 2024

upgrade netty version to fix CVE

beda247

Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>

powersj approved these changes Nov 18, 2024

View reviewed changes

powersj merged commit da1c4d2 into main Nov 18, 2024
18 checks passed

powersj deleted the cve-apache-nifi-8d5830ee07153e3cf30be23b1113a91d branch November 18, 2024 14:40

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

apache-nifi/2.0.0-r1: cve remediation #34018

apache-nifi/2.0.0-r1: cve remediation #34018

octo-sts bot commented Nov 13, 2024

octo-sts bot commented Nov 13, 2024

github-actions bot commented Nov 15, 2024

octo-sts bot commented Nov 15, 2024

github-actions bot commented Nov 15, 2024

powersj commented Nov 15, 2024

github-actions bot commented Nov 17, 2024

powersj left a comment

apache-nifi/2.0.0-r1: cve remediation #34018

apache-nifi/2.0.0-r1: cve remediation #34018

Conversation

octo-sts bot commented Nov 13, 2024

octo-sts bot commented Nov 13, 2024

github-actions bot commented Nov 15, 2024

octo-sts bot commented Nov 15, 2024

github-actions bot commented Nov 15, 2024

powersj commented Nov 15, 2024

github-actions bot commented Nov 17, 2024

powersj left a comment

Choose a reason for hiding this comment