
wildfly/35.0.1-r14: cve remediation #48246

Merged
merged 4 commits into from
Mar 31, 2025

Conversation

octo-sts[bot]

@octo-sts octo-sts bot commented Mar 26, 2025

wildfly/35.0.1-r14: fix GHSA-5565-3c98-g6jc

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/wildfly.advisories.yaml


"Breadcrumbs" for this automated service


octo-sts bot commented Mar 26, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

• Detected Error:

[ERROR] /home/build/elytron-oidc-client/src/main/java/org/wildfly/extension/elytron/oidc/ProviderAttributeDefinitions.java:[8,29] package org.jose4j.jws does not exist

• Error Category: Dependency

• Failure Point: Maven compilation of wildfly-elytron-oidc-client-subsystem module

• Root Cause Analysis: The build is failing because the jose4j dependency is missing or not properly declared in the Maven build configuration for the OIDC client subsystem.

• Suggested Fix:
Add the jose4j dependency to the pipeline environment section:

environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - maven
      - openjdk-17
      - openjdk-21
      - jose4j

Or alternatively, ensure the jose4j dependency is properly declared in the relevant pom.xml:

<dependency>
    <groupId>org.bitbucket.b_c</groupId>
    <artifactId>jose4j</artifactId>
    <version>0.9.6</version>
</dependency>

• Explanation: The compilation error indicates that the jose4j library, which provides JSON Object Signing and Encryption (JOSE) functionality, is not available during compilation. Adding the dependency will make the required classes available to the compiler.

• Additional Notes:

  • The error occurs specifically in the OIDC client subsystem which requires jose4j for JWT handling
  • The version 0.9.6 is referenced in the build logs as being downloaded but may not be properly included in the module's classpath
  • This is a common issue when dependencies are declared at the wrong level in multi-module Maven projects

• References:

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Mar 26, 2025
@jamie-albert jamie-albert self-assigned this Mar 27, 2025
…ta5, renaming deprecated method names, adding support for remote+tls protocol configuration
@jamie-albert jamie-albert force-pushed the cve-wildfly-76b83a187d0ee49871f21fb83145748e branch from 01ff197 to 9db66c6 March 30, 2025 23:22
@octo-sts octo-sts bot added bincapz/pass (Bincapz, aka. malcontent, scan didn't detect any CRITICALs on the scanned packages) and manual/review-needed labels Mar 30, 2025
@jamie-albert jamie-albert requested a review from a team March 31, 2025 00:14
@dnegreira dnegreira merged commit 1444c08 into main Mar 31, 2025
28 checks passed
@dnegreira dnegreira deleted the cve-wildfly-76b83a187d0ee49871f21fb83145748e branch March 31, 2025 06:52