Skip to content

ROB-631: krr-enforcer CVE fixes (starlette + urllib3 + openssl)#540

Open
Avi-Robusta wants to merge 2 commits into
mainfrom
avi/enforcer-0.3.8-cve
Open

ROB-631: krr-enforcer CVE fixes (starlette + urllib3 + openssl)#540
Avi-Robusta wants to merge 2 commits into
mainfrom
avi/enforcer-0.3.8-cve

Conversation

@Avi-Robusta

Copy link
Copy Markdown
Contributor

Sub-issue ROB-631 of ROB-595. Fixes the CVEs flagged for devel/krr-enforcer in the 2026-07-14 Vanta scan.

Problem

The 0.3.8 enforcer/requirements.txt appeared to resolve these but did not:

  • urllib3==2.6.3 is still vulnerable (CVE-2026-44431/44432).
  • fastapi==0.121.3 caps starlette<0.51.0, so the starlette CVEs could never be pulled in.

Fix

Package From To CVE
urllib3 2.6.3 2.7.0 CVE-2026-44431, CVE-2026-44432
fastapi 0.121.3 0.139.0 (drops the starlette<0.51 cap)
starlette (capped 0.50) 1.3.1 CVE-2026-48818, 54283, 48710, 48817, 54282
pydantic 2.6.1 2.13.4 required by fastapi 0.139.0

Base image already rebuilt on Alpine 3.24 (openssl/libcrypto3 patched) in the prior 0.3.8 commit.

Validation

  • docker scout cves on the rebuilt devel/krr-enforcer:0.3.8: no vulnerable packages detected.
  • Deployed to avi-test-cluster2 (monitoring/krr-enforcer-krr-enforcer) — pod healthy, connected to the Robusta platform (stg), webhook server up, owners loaded.
  • App imports verified with the upgraded fastapi/starlette/pydantic stack.

🤖 Generated with Claude Code

Avi-Robusta and others added 2 commits July 14, 2026 10:43
Rebuild to clear stale Vanta findings: the openssl/libcrypto3 (9 HIGH/CRIT)
and cryptography advisories were fixed in code but Vanta was scanning the old
0.3.7 SHA. Fresh multi-arch 0.3.8 build pushed with a current base image.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The 0.3.8 requirements pinned urllib3==2.6.3 (still vulnerable) and fastapi==0.121.3
which caps starlette <0.51 (leaving the starlette CVEs unfixable). Bump so the CVEs
actually resolve:

- urllib3 2.6.3 -> 2.7.0 (CVE-2026-44431, CVE-2026-44432)
- fastapi 0.121.3 -> 0.139.0 (allows starlette >=0.46, drops the <0.51 cap)
- add starlette>=1.0.0 (CVE-2026-48818, 54283, 48710, 48817, 54282; fix only in 1.x)
- pydantic 2.6.1 -> 2.13.4 (required by fastapi 0.139.0)

docker scout now reports no vulnerable packages in the enforcer image.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

The enforcer dependency pins were updated, and the Helm chart version, application version, and container image tag were aligned to 0.3.8.

Changes

Enforcer release updates

Layer / File(s) Summary
Enforcer dependency updates
enforcer/requirements.txt
fastapi, pydantic, and urllib3 were updated to newer versions; other listed requirements remained unchanged.
Helm release alignment
helm/krr-enforcer/Chart.yaml, helm/krr-enforcer/values.yaml
Chart metadata and the container image tag were updated to 0.3.8.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

Suggested reviewers: moshemorad, naomi-robusta, sheeproid

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main theme of CVE-related dependency fixes in krr-enforcer, though it mentions openssl/starlette more than the changed files show.
Description check ✅ Passed The description is directly about the krr-enforcer CVE dependency updates and validation performed for this PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch avi/enforcer-0.3.8-cve

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@enforcer/requirements.txt`:
- Line 4: Update the Starlette dependency declaration in
enforcer/requirements.txt from the open-ended minimum version to an exact pin at
1.3.1.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d8c885eb-3b8c-49ca-a8ec-48258f26a31b

📥 Commits

Reviewing files that changed from the base of the PR and between c4f5c80 and cc13e1b.

📒 Files selected for processing (3)
  • enforcer/requirements.txt
  • helm/krr-enforcer/Chart.yaml
  • helm/krr-enforcer/values.yaml

Comment thread enforcer/requirements.txt
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant