
kserve-modelmesh/0.12.0-r5: cve remediation #38111

Merged

Conversation

@octo-sts octo-sts bot commented Dec 21, 2024


octo-sts bot commented Dec 21, 2024

Gen AI suggestions to solve the build error:

• Detected Error:
```text
[ERROR] Failed to execute goal on project model-mesh: Could not resolve dependencies for project com.ibm.watson:model-mesh:jar:0.4.2-SNAPSHOT
[ERROR] dependency: ch.qos.logback:logback-core:jar:1.15.13 (import)
[ERROR] Could not find artifact ch.qos.logback:logback-core:jar:1.15.13 in central (https://repo.maven.apache.org/maven2)
```

• Error Category: Dependency

• Failure Point: Maven dependency resolution during build

• Root Cause Analysis: The specified version of logback-core (1.15.13) does not exist in Maven Central. The latest stable version is 1.4.14.

• Suggested Fix:
1. Update or override the logback dependency version in the pipeline:
```yaml
  - uses: maven/pombump
    with:
      replacements:
        - search: '<logback.version>1.15.13</logback.version>'
          replace: '<logback.version>1.4.14</logback.version>'
```

• Explanation: The build is failing because it's trying to fetch a non-existent version of logback-core. The fix updates the dependency to the latest stable version available in Maven Central.

• Additional Notes:

  • Logback versions follow semantic versioning (major.minor.patch)
  • Version 1.15.13 appears to be invalid as the minor version 15 does not exist
  • The latest stable version 1.4.14 includes security fixes and is recommended

• References:


octo-sts bot commented Dec 25, 2024

Gen AI suggestions to solve the build error:

• Detected Error: Build appears to be hanging during the Maven dependency download phase, specifically at:
```text
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/io/grpc/grpc-netty/1.60.2/grpc-netty-1.60.2.pom
```

• Error Category: Dependency/Network

• Failure Point: Maven dependency resolution for io.grpc:grpc-netty:1.60.2

• Root Cause Analysis:
The build appears to be timing out or hanging while trying to download dependencies from Maven Central. This could be due to network connectivity issues, repository availability, or proxy configuration problems.

• Suggested Fix:

  1. Add repository mirrors to the pom.xml:
```xml
<mirrors>
    <mirror>
        <id>google-maven-central</id>
        <name>Google Maven Central</name>
        <url>https://maven-central.storage-download.googleapis.com/repos/central/data/</url>
        <mirrorOf>central</mirrorOf>
    </mirror>
</mirrors>
```
  2. Add a timeout configuration to the melange.yaml:
```yaml
environment:
  contents:
    packages:
      - build-base
      - busybox
      - maven-3.9
      - openjdk-17
  options:
    MAVEN_OPTS: "-Dmaven.wagon.http.timeout=60 -Dmaven.wagon.http.pool=false"
```

• Explanation:
Adding alternate Maven mirrors and timeout configurations can help resolve dependency download issues by:

  1. Providing alternative download sources
  2. Preventing hanging on slow connections
  3. Ensuring proper timeout handling

• Additional Notes:

  • The Google Maven mirror is often more reliable for CI environments
  • Consider caching dependencies if builds are frequent
  • Monitor Maven Central status if issues persist

• References:

@hbh7 hbh7 self-assigned this Jan 9, 2025

@octo-sts octo-sts bot added the labels ai/skip-comment (Stop AI from commenting on PR) and bincapz/pass (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages) Jan 9, 2025
@hbh7 hbh7 requested a review from a team January 9, 2025 19:39
@kbsteere kbsteere force-pushed the cve-kserve-modelmesh-0cddae655cfc1161a944783ff221d658 branch 2 times, most recently from e712984 to 6591b88 Compare January 9, 2025 21:04

kbsteere commented Jan 9, 2025

Should just need to add

```yaml
- groupId: ch.qos.logback
  artifactId: logback-classic
  version: 1.3.15
- groupId: ch.qos.logback
  artifactId: logback-core
  version: 1.3.15
- groupId: org.slf4j
  artifactId: slf4j-api
  version: 2.0.16
```

to the pombump-deps.yaml
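A pre-flight check for override lists like the one above, as an added example (my code, not code from this PR, from pombump or from the Wolfi tooling): it confirms that every groupId/artifactId/version you are about to pin is actually published before the build tries to resolve it, which is exactly the failure the first build hit with logback-core 1.15.13. It assumes Maven Central's standard layout, where an artifact's published versions are listed in `<repo>/<groupId with dots as slashes>/<artifactId>/maven-metadata.xml`; the metadata documents, the override list and the log excerpt are constructed inline so it runs offline, and `org.example:does-not-exist` is a made-up coordinate used only to exercise the "no metadata at all" path.

```python
"""Pre-flight check for pombump-style dependency overrides (added example)."""
import re
import xml.etree.ElementTree as ET

MAVEN_CENTRAL = "https://repo.maven.apache.org/maven2"


def metadata_url(group_id, artifact_id, repo=MAVEN_CENTRAL):
    """URL of the artifact's maven-metadata.xml under the standard repository layout."""
    return f"{repo}/{group_id.replace('.', '/')}/{artifact_id}/maven-metadata.xml"


def published_versions(metadata_xml):
    """Set of <version> entries under <versioning><versions> in a maven-metadata.xml."""
    root = ET.fromstring(metadata_xml)
    return {v.text.strip() for v in root.iterfind("./versioning/versions/version") if v.text}


def missing_overrides(overrides, metadata_by_coordinate):
    """Return the (groupId, artifactId, version) triples Maven could not resolve.

    metadata_by_coordinate maps (groupId, artifactId) to the text of that
    artifact's maven-metadata.xml.  An artifact with no metadata at all is
    reported as missing too, since Maven would fail on it just the same.
    """
    missing = []
    for dep in overrides:
        coord = (dep["groupId"], dep["artifactId"])
        xml_text = metadata_by_coordinate.get(coord)
        if xml_text is None or dep["version"] not in published_versions(xml_text):
            missing.append((*coord, dep["version"]))
    return missing


_NOT_FOUND = re.compile(r"Could not find artifact (\S+) in")


def unresolved_from_log(log_text):
    """Extract (groupId, artifactId, version) from Maven 'Could not find artifact' lines.

    Maven prints the coordinate as groupId:artifactId:packaging[:classifier]:version,
    so the version is always the last colon-separated field.
    """
    found = []
    for coordinate in _NOT_FOUND.findall(log_text):
        parts = coordinate.split(":")
        if len(parts) >= 4:
            found.append((parts[0], parts[1], parts[-1]))
    return found


def _metadata_doc(group_id, artifact_id, versions):
    """Build a minimal maven-metadata.xml (constructed sample input, not fetched)."""
    body = "".join(f"<version>{v}</version>" for v in versions)
    return (f"<metadata><groupId>{group_id}</groupId><artifactId>{artifact_id}</artifactId>"
            f"<versioning><versions>{body}</versions></versioning></metadata>")


# Constructed metadata, trimmed to a handful of versions; a real check would
# fetch metadata_url(...) for each coordinate instead.
CONSTRUCTED_METADATA = {
    ("ch.qos.logback", "logback-core"):
        _metadata_doc("ch.qos.logback", "logback-core", ["1.3.14", "1.3.15", "1.4.14"]),
    ("ch.qos.logback", "logback-classic"):
        _metadata_doc("ch.qos.logback", "logback-classic", ["1.3.14", "1.3.15", "1.4.14"]),
    ("org.slf4j", "slf4j-api"):
        _metadata_doc("org.slf4j", "slf4j-api", ["2.0.15", "2.0.16"]),
}

# Constructed override list: the three pins from the comment above, the bad
# 1.15.13 version from the first failing build, and a made-up coordinate.
CONSTRUCTED_OVERRIDES = [
    {"groupId": "ch.qos.logback", "artifactId": "logback-classic", "version": "1.3.15"},
    {"groupId": "ch.qos.logback", "artifactId": "logback-core", "version": "1.3.15"},
    {"groupId": "ch.qos.logback", "artifactId": "logback-core", "version": "1.15.13"},
    {"groupId": "org.slf4j", "artifactId": "slf4j-api", "version": "2.0.16"},
    {"groupId": "org.example", "artifactId": "does-not-exist", "version": "1.0"},
]

# Constructed excerpt in the shape of the Maven output quoted earlier in the thread.
CONSTRUCTED_LOG = """\
[ERROR] Failed to execute goal on project model-mesh: Could not resolve dependencies for project com.ibm.watson:model-mesh:jar:0.4.2-SNAPSHOT
[ERROR] dependency: ch.qos.logback:logback-core:jar:1.15.13 (import)
[ERROR] Could not find artifact ch.qos.logback:logback-core:jar:1.15.13 in central (https://repo.maven.apache.org/maven2)
"""

if __name__ == "__main__":
    for triple in missing_overrides(CONSTRUCTED_OVERRIDES, CONSTRUCTED_METADATA):
        print("override will not resolve:", ":".join(triple))
    for triple in unresolved_from_log(CONSTRUCTED_LOG):
        print("build log reports missing:", ":".join(triple))
```

Running the check before pushing a pombump-deps.yaml change turns a failed CI round trip into a one-line error, and `unresolved_from_log` gives you the same triple back out of a build log when the check was skipped.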

@kbsteere kbsteere merged commit 5fa107e into main Jan 9, 2025
16 checks passed
@kbsteere kbsteere deleted the cve-kserve-modelmesh-0cddae655cfc1161a944783ff221d658 branch January 9, 2025 21:22
Labels: ai/skip-comment (Stop AI from commenting on PR), automated pr, bincapz/pass (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages), GHSA-pr98-23f8-jwxv, kserve-modelmesh/0.12.0-r5, manual/review-needed, maven/pombump, request-cve-remediation
3 participants