ROB-631: krr-enforcer CVE fixes (starlette + urllib3 + openssl)#540
Open
Avi-Robusta wants to merge 2 commits into
Open
ROB-631: krr-enforcer CVE fixes (starlette + urllib3 + openssl)#540Avi-Robusta wants to merge 2 commits into
Avi-Robusta wants to merge 2 commits into
Conversation
Rebuild to clear stale Vanta findings: the openssl/libcrypto3 (9 HIGH/CRIT) and cryptography advisories were fixed in code but Vanta was scanning the old 0.3.7 SHA. Fresh multi-arch 0.3.8 build pushed with a current base image. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The 0.3.8 requirements pinned urllib3==2.6.3 (still vulnerable) and fastapi==0.121.3 which caps starlette <0.51 (leaving the starlette CVEs unfixable). Bump so the CVEs actually resolve: - urllib3 2.6.3 -> 2.7.0 (CVE-2026-44431, CVE-2026-44432) - fastapi 0.121.3 -> 0.139.0 (allows starlette >=0.46, drops the <0.51 cap) - add starlette>=1.0.0 (CVE-2026-48818, 54283, 48710, 48817, 54282; fix only in 1.x) - pydantic 2.6.1 -> 2.13.4 (required by fastapi 0.139.0) docker scout now reports no vulnerable packages in the enforcer image. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
WalkthroughThe enforcer dependency pins were updated, and the Helm chart version, application version, and container image tag were aligned to ChangesEnforcer release updates
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@enforcer/requirements.txt`:
- Line 4: Update the Starlette dependency declaration in
enforcer/requirements.txt from the open-ended minimum version to an exact pin at
1.3.1.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: d8c885eb-3b8c-49ca-a8ec-48258f26a31b
📒 Files selected for processing (3)
enforcer/requirements.txthelm/krr-enforcer/Chart.yamlhelm/krr-enforcer/values.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Sub-issue ROB-631 of ROB-595. Fixes the CVEs flagged for
devel/krr-enforcerin the 2026-07-14 Vanta scan.Problem
The 0.3.8
enforcer/requirements.txtappeared to resolve these but did not:urllib3==2.6.3is still vulnerable (CVE-2026-44431/44432).fastapi==0.121.3capsstarlette<0.51.0, so the starlette CVEs could never be pulled in.Fix
starlette<0.51cap)Base image already rebuilt on Alpine 3.24 (openssl/libcrypto3 patched) in the prior 0.3.8 commit.
Validation
docker scout cveson the rebuiltdevel/krr-enforcer:0.3.8: no vulnerable packages detected.avi-test-cluster2(monitoring/krr-enforcer-krr-enforcer) — pod healthy, connected to the Robusta platform (stg), webhook server up, owners loaded.🤖 Generated with Claude Code