Patch cves #511

Merged

moshemorad merged 7 commits into main from ROB-3294-fix-vulnerabilities on Mar 11, 2026

Conversation

@moshemorad (Contributor)

No description provided.

coderabbitai bot commented Mar 11, 2026

Caution: Review failed. The head commit changed during the review from 288c3c9 to 240ec4f.

Walkthrough

This PR addresses CVE-2025-68121 by adding system package upgrade steps to both Dockerfiles, updates the prometrix dependency from 0.2.10 to 0.2.11 in both pyproject.toml and requirements.txt, and upgrades the pillow library from 10.3.0 to 12.1.1 in requirements.txt.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Docker Security Updates: Dockerfile, enforcer/Dockerfile | Added CVE-2025-68121 patches with apt-get upgrade and apk upgrade commands respectively in package installation RUN blocks. |
| Dependency Version Updates: pyproject.toml, requirements.txt | Bumped prometrix from 0.2.10 to 0.2.11; additionally bumped pillow from 10.3.0 to 12.1.1 in requirements.txt. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • Avi-Robusta
  • Sheeproid
🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title 'Patch cves' is vague and generic, using non-descriptive language that doesn't convey specific information about which CVEs are being patched or the scope of changes. | Provide a more specific title that identifies the key CVEs being addressed (e.g., 'Patch CVE-2025-68121 and CVE-2025-6965' or 'Update dependencies and patch security vulnerabilities'). |
| Description check | ❓ Inconclusive | No pull request description was provided by the author, making it impossible to evaluate whether it relates to the changeset. | Add a pull request description that explains the CVEs being patched, which files are affected, and the rationale for the dependency version updates. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai bot left a comment

Actionable comments posted: 2


Inline comments:
In `@Dockerfile`:
- Around line 9-11: The Dockerfile comment incorrectly claims CVE-2025-68121 is remediated by apt upgrades; fix by either (A) replacing or augmenting the base/build stage to use a patched Go image (e.g., add a build stage using golang:1.25.6-bookworm or later so the Go stdlib is updated before copying artifacts into python:3.12-slim), or (B) removing the misleading CVE comment and adding an explicit check/confirmation that no Go runtime/toolchain is present in the final image (verify absence of the go binary and GOPATH artifacts) and updating the comment to state this is a false positive; update the RUN/comment around the existing RUN apt-get line accordingly.

In `@enforcer/Dockerfile`:
- Around line 7-10: Remove the stale sqlite CVE rationale from the comment block: delete or update the lines referencing "CVE-2025-6965 (requires sqlite >= 3.50.2)" so the comment only documents the actual remediation performed by the subsequent RUN step (the CVE-2025-68121 / Go crypto/tls note) and clearly ties the RUN apk update/upgrade apk add --no-cache --upgrade command to that purpose.
📥 Commits

Reviewing files that changed from the base of the PR and between fa07f52 and 3b5eafe.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • Dockerfile
  • enforcer/Dockerfile
  • pyproject.toml
  • requirements.txt
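
Option (B) in the first inline comment asks for an explicit check that the final image carries no Go toolchain or Go-built binary, which is what decides whether a Go stdlib CVE such as CVE-2025-68121 is a false positive for a python:3.12-slim image. The script below is an added example, not code from this PR or from the project. It walks an extracted image root filesystem (assumed to come from `docker export`), finds Go-built binaries by parsing the build-info header the Go linker embeds in every Go 1.18+ executable (the 14-byte magic `\xff Go buildinf:`, a pointer-size byte, a flags byte whose 0x2 bit means a uvarint-prefixed version string follows the 32-byte header; this is the same data `go version -m` reads), and reports any binary older than a minimum toolchain version. The minimum `(1, 25, 6)` is taken from the reviewer's suggested `golang:1.25.6-bookworm` tag and is an assumption of the example, not a statement about the CVE's fix version; the `GOPATH_DIRS` list and the fake binary used as sample input are constructed for the demo.

```python
"""Scan an extracted container rootfs for Go-built binaries and GOPATH artifacts.

Added example (not the PR's or the project's code). Assumes the image was
extracted with `docker export <container> | tar -x -C <root>`; the minimum
toolchain version below is taken from the reviewer's suggested image tag.
"""
import os
import re
import tempfile

GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 14 bytes, start of the build-info header
HEADER_SIZE = 32                            # magic(14) + ptrsize(1) + flags(1) + 16 reserved
FLAG_VERSION_INLINE = 0x2                   # Go >= 1.18: uvarint-prefixed version string follows header
GO_VERSION_RE = re.compile(r"go(\d+)\.(\d+)(?:\.(\d+))?")
GOPATH_DIRS = ("usr/local/go", "go", "root/go")   # assumption: usual toolchain/GOPATH locations


def _read_uvarint(buf: bytes, pos: int):
    """Decode a base-128 varint (Go's encoding/binary.Uvarint); return (value, next_pos)."""
    result, shift = 0, 0
    while pos < len(buf):
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated varint")


def _uvarint(n: int) -> bytes:
    """Encode n as a base-128 varint (used only to build the constructed sample)."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def go_version_from_bytes(data: bytes):
    """Return the Go toolchain version string embedded in a binary, or None if not Go-built."""
    idx = data.find(GO_BUILDINFO_MAGIC)
    if idx < 0 or idx + HEADER_SIZE > len(data):
        return None
    flags = data[idx + 15]
    if flags & FLAG_VERSION_INLINE:
        length, pos = _read_uvarint(data, idx + HEADER_SIZE)
        return data[pos:pos + length].decode("ascii", "replace")
    # Pre-1.18 layout stores pointers into .data instead; fall back to a plain string scan.
    m = GO_VERSION_RE.search(data.decode("latin-1"))
    return m.group(0) if m else None


def parse_version(v: str):
    """Turn 'go1.25.5' / 'go1.25' into a comparable (major, minor, patch) tuple."""
    m = GO_VERSION_RE.match(v)
    if not m:
        return (0, 0, 0)
    return tuple(int(x) if x else 0 for x in m.groups())


def scan_rootfs(root: str, min_version=(1, 25, 6)):
    """Return ({path: go_version} for every Go binary, [paths older than min_version])."""
    found, outdated = {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            ver = go_version_from_bytes(data)
            if ver is None:
                continue
            found[path] = ver
            if parse_version(ver) < min_version:
                outdated.append(path)
    return found, outdated


def gopath_artifacts(root: str):
    """Return the toolchain/GOPATH directories that exist under the rootfs."""
    return [d for d in GOPATH_DIRS if os.path.isdir(os.path.join(root, d))]


def make_fake_go_binary(version: str) -> bytes:
    """Constructed sample: a blob with an ELF-like prefix and a Go 1.18+ build-info header."""
    header = GO_BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE]) + b"\0" * 16
    assert len(header) == HEADER_SIZE
    ver = version.encode()
    mod = b"path\tcommand-line-arguments\n"
    return b"\x7fELF" + b"\0" * 60 + header + _uvarint(len(ver)) + ver + _uvarint(len(mod)) + mod


def demo():
    """Build a throwaway rootfs (one Go binary, one plain file, one GOPATH dir) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "local", "bin")
        os.makedirs(bindir)
        os.makedirs(os.path.join(root, "usr", "local", "go"))  # constructed: leftover toolchain
        with open(os.path.join(bindir, "enforcer"), "wb") as f:
            f.write(make_fake_go_binary("go1.25.5"))         # constructed: older than minimum
        with open(os.path.join(root, "os-release"), "wb") as f:
            f.write(b'PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"\n')
        found, outdated = scan_rootfs(root)
        rel = lambda p: os.path.relpath(p, root)
        return {rel(p): v for p, v in found.items()}, [rel(p) for p in outdated], gopath_artifacts(root)


if __name__ == "__main__":
    print(demo())
```

Run it against a real image with `docker export "$(docker create image:tag)" | tar -x -C ./rootfs` and `scan_rootfs("./rootfs")`; an empty result plus an empty `gopath_artifacts` list is the evidence the reviewer asked for before calling the finding a false positive, while any hit tells you which binary actually needs a rebuild on a patched toolchain rather than an `apt-get upgrade`.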

moshemorad merged commit c40fe37 into main on Mar 11, 2026 (3 checks passed) and deleted the ROB-3294-fix-vulnerabilities branch on March 11, 2026 at 17:13.