apache-pulsar/4.1.2-r3: cve remediation

[octo-sts]

apache-pulsar/4.1.2-r3: fix GHSA-vc5p-v9hr-52mj

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/apache-pulsar.advisories.yaml

---

"Breadcrumbs" for this automated service

• Source Code: https://go/cve-remedy-automation-source
• Logs: https://go/cve-remedy-automation-logs
• Docs: (not provided yet)

Inspected git repositories: https://github.com/apache/pulsar@v4.1.2

[octo-sts]

🛑 Build Failed: Compilation

cannot find symbol: class LogManager location: package org.apache.logging.log4j

Build Details

Category	Details
Build System	Maven
Failure Point	maven-compiler-plugin:3.11.0:compile (default-compile) on project pulsar-proxy

Root Cause Analysis 🔍

The LogManager class from the org.apache.logging.log4j package cannot be found during compilation. This indicates that the log4j dependency is either missing from the classpath, incorrectly versioned, or the import statement in ProxyServiceStarter.java is incorrect. The compilation is failing because the Java compiler cannot resolve the LogManager symbol at line 42, column 32 of the ProxyServiceStarter.java file.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: Melange YAML pipeline

• modification at line Build step (Build step)
  Original:

runs: ./mvnw package -DskipTests

Replacement:

runs: |
      # First, let's check what log4j dependencies are available
      ./mvnw dependency:tree | grep -i log4j || true
      
      # Build with verbose output to see dependency resolution
      ./mvnw package -DskipTests -X

Content:

Add dependency debugging and verbose Maven output to diagnose the log4j classpath issue

File: Melange YAML environment

• addition at line environment packages section (environment.contents.packages)
  Original:

- openjdk-21-default-jdk

Replacement:

- openjdk-21-default-jdk
      - apache-maven-3

Content:

Add explicit Maven 3 package to ensure consistent Maven version

Click to expand fix analysis

Analysis

No similar fixed build failures were provided for analysis. However, the error indicates a missing log4j dependency during Maven compilation. This is a common Java build issue where the LogManager class from org.apache.logging.log4j package cannot be found on the classpath.

Click to expand fix explanation

Explanation

The LogManager class compilation error typically occurs when log4j dependencies are missing or incorrectly resolved in Maven. Since this is Apache Pulsar 4.1.2, it should have log4j dependencies defined in its pom.xml files. The issue is likely one of: 1) Maven dependency resolution failing in the Wolfi build environment, 2) Network connectivity issues preventing dependency downloads, or 3) Version conflicts between log4j dependencies. The suggested changes add debugging to see the actual dependency tree and ensure we're using a consistent Maven version. The verbose Maven output (-X flag) will show exactly where dependency resolution is failing, which will help identify if it's a missing repository, network issue, or dependency conflict.

Click to expand alternative approaches

Alternative Approaches

• Add explicit log4j dependencies to the Maven build command using -Dlog4j.version property
• Use Maven dependency:resolve goal before the package goal to pre-download dependencies
• Add Maven central repository configuration if the default repositories are not accessible
• Check if the Pulsar project's parent POM is properly resolved by adding dependency:resolve-sources goal

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.