Conversation
✅ Docker image ready for
Use this tag to pull the image for testing.
Commands:
gcloud auth configure-docker us-central1-docker.pkg.dev
docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:bba6280
docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:bba6280 me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:bba6280
docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:bba6280
Patch Helm values in one line:
helm upgrade --install robusta robusta/robusta \
  --reuse-values \
  --set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:bba6280
Walkthrough
Adds a new CVE patching workflow doc, bumps several Python dependency constraints and pins
Changes
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 inconclusive)
✅ Passed checks (2 passed)
Actionable comments posted: 3
🧹 Nitpick comments (1)
Dockerfile (1)
44-45: Pin the emergency `wheel` upgrade for reproducible builds.
These `pip install` calls bypass Poetry's lockfile, so `>=0.46.2` means each rebuild may pull a different `wheel` release. NVD confirms 0.46.2 is the first version fixing CVE-2026-24049, so an exact pin ensures consistent, verifiable security patching across rebuilds.
♻️ Suggested change
-RUN pip install --no-cache-dir "wheel>=0.46.2" +RUN pip install --no-cache-dir "wheel==0.46.2"-RUN pip3 install --no-cache-dir "wheel>=0.46.2" \ +RUN pip3 install --no-cache-dir "wheel==0.46.2" \🤖 Prompt for AI Agents
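Review bot: the pinned version `0.46.2` now appears as a literal in both the `pip install` line and the `pip3 install` line of this hunk, so the two can drift apart on the next CVE bump; declare it once (for example as a build `ARG WHEEL_VERSION=0.46.2`) and reference `$WHEEL_VERSION` from both `RUN` lines so a single edit keeps them in step.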
Verify each finding against the current code and only fix it if needed. In `@Dockerfile` around lines 44 - 45, Replace the non-deterministic wheel upgrade in the Dockerfile that currently runs RUN pip install --no-cache-dir "wheel>=0.46.2" with a deterministic, exact pin to the first fixed release; change the pip invocation to install the specific version 0.46.2 so builds are reproducible and consistently include the CVE-2026-24049 fix (locate the RUN pip install "wheel>=0.46.2" line and pin it to "wheel==0.46.2").
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.claude/skills/patch-cves/SKILL.md:
- Around line 32-33: Update the comment above the `poetry check` line so it
accurately states that `poetry check` validates pyproject.toml metadata and
consistency with poetry.lock rather than scanning for CVEs; replace the current
"Check for known vulnerabilities in pyproject.toml dependencies" text with
something like "Validate pyproject.toml metadata and lockfile consistency (does
not perform vulnerability scanning)" and optionally note recommended tools for
CVE checks (e.g., `poetry-audit-plugin`, `safety`) to guide readers.
- Around line 137-142: Update the "Python Package CVEs" note that currently
reads "Go version matters for Go-based Python bindings (e.g., Cryptography)" to
reference Rust instead: change the wording to indicate that Cryptography
requires Rust for source builds (e.g., "Rust version matters for Rust-based
Python bindings (e.g., Cryptography)" or similar) so contributors are directed
to Rust when troubleshooting build failures; update the parenthetical example
and any surrounding text in SKILL.md's "Python Package CVEs" section
accordingly.
- Around line 109-123: Close the unclosed fenced code block after the pytest
snippet so "✓ **Dependency Check**" renders as a heading (i.e., add the missing
``` after "pytest tests/ -v"), and replace the deprecated "poetry lock --check"
usage by consolidating the Poetry validation into the supported command "poetry
check --lock" (remove the separate "poetry check" + "poetry lock --check" lines
and use a single "poetry check --lock" under the Dependency Check section);
refer to the "✓ **Functional Testing**"/"pytest tests/ -v" block and the "✓
**Dependency Check**"/"poetry lock --check" lines to locate the changes.
---
Nitpick comments:
In `@Dockerfile`:
- Around line 44-45: Replace the non-deterministic wheel upgrade in the
Dockerfile that currently runs RUN pip install --no-cache-dir "wheel>=0.46.2"
with a deterministic, exact pin to the first fixed release; change the pip
invocation to install the specific version 0.46.2 so builds are reproducible and
consistently include the CVE-2026-24049 fix (locate the RUN pip install
"wheel>=0.46.2" line and pin it to "wheel==0.46.2").
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 625a40e1-31fa-41a1-bf1f-6af2949ee8cb
⛔ Files ignored due to path filters (1)
poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
- .claude/skills/patch-cves/SKILL.md
- Dockerfile
- pyproject.toml
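The nitpick above is about reproducibility: a `>=` specifier in an emergency `pip install` means the image can silently change between rebuilds. As an added example (not code from the robusta repository or from the CodeRabbit review), the following check scans a Dockerfile for shell-form `RUN` lines, extracts every requirement handed to `pip install` / `pip3 install`, and reports the ones that are not an exact `==` pin. The option list `_OPTS_WITH_ARG` and the `SAMPLE_DOCKERFILE` are constructed for the example; the sample mirrors the flagged pattern rather than copying the real Dockerfile.

```python
"""Added example: flag pip installs in a Dockerfile that are not pinned with ==.

Not part of the robusta project or the CodeRabbit review. It merges
backslash-continued RUN lines, collects the requirements passed to
pip/pip3 install, and reports ranges, wildcards and unversioned names.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# pip install options that consume the next token. Assumption: these common
# ones are enough for the demo; it is not an exhaustive list of pip's options.
_OPTS_WITH_ARG = {
    "-r", "--requirement", "-c", "--constraint", "-i", "--index-url",
    "--extra-index-url", "-f", "--find-links", "-t", "--target",
}

# name[extras] followed by whatever version specifier remains (PEP 508 subset)
_SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")


@dataclass
class Finding:
    line_no: int      # line of the RUN instruction in the Dockerfile
    requirement: str  # requirement string exactly as passed to pip
    reason: str       # why it will not resolve to the same release every time


def classify(requirement: str) -> Optional[str]:
    """Return None for an exact == pin, otherwise the reason it is not one."""
    match = _SPEC_RE.match(requirement.strip())
    if not match:
        return "unparseable requirement"
    _name, _extras, spec = match.groups()
    spec = spec.replace(" ", "")
    if not spec:
        return "no version specifier"
    # "==1.2.3" is exact; "==1.2.*" and anything with a range operator is not
    if spec.startswith("==") and "," not in spec and not spec.endswith(".*"):
        return None
    return f"range specifier {spec!r}"


def _join_continuations(text: str) -> List[Tuple[int, str]]:
    """Merge lines ending in a backslash, keeping the first line's number."""
    merged, buf, start = [], [], 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not buf:
            start = line_no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        merged.append((start, " ".join(buf)))
        buf = []
    if buf:  # dangling continuation at end of file
        merged.append((start, " ".join(buf)))
    return merged


def _pip_requirements(shell_command: str) -> List[str]:
    """Collect requirement arguments of each pip/pip3 install in a shell command."""
    reqs: List[str] = []
    for segment in re.split(r"&&|;", shell_command):
        try:
            tokens = shlex.split(segment)
        except ValueError:  # unbalanced quotes; nothing to extract safely
            continue
        if len(tokens) < 2 or tokens[0] not in ("pip", "pip3") or tokens[1] != "install":
            continue
        skip_next = False
        for tok in tokens[2:]:
            if skip_next:
                skip_next = False
            elif tok in _OPTS_WITH_ARG:
                skip_next = True
            elif not tok.startswith("-"):
                reqs.append(tok)
    return reqs


def find_unpinned(dockerfile_text: str) -> List[Finding]:
    """Scan shell-form RUN instructions and report requirements not pinned with ==."""
    findings: List[Finding] = []
    for line_no, line in _join_continuations(dockerfile_text):
        stripped = line.strip()
        if not stripped.upper().startswith("RUN "):
            continue
        body = stripped[4:].lstrip()
        if body.startswith("["):  # exec (JSON) form is out of scope here
            continue
        for req in _pip_requirements(body):
            reason = classify(req)
            if reason:
                findings.append(Finding(line_no, req, reason))
    return findings


# Constructed sample mirroring the pattern flagged in the review (not the real Dockerfile)
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
# emergency CVE fix that bypasses the Poetry lockfile
RUN pip install --no-cache-dir "wheel>=0.46.2"
RUN pip3 install --no-cache-dir "wheel==0.46.2" \\
    && pip3 install --no-cache-dir -r requirements.txt requests
RUN apt-get update && apt-get install -y curl
"""
```

Running `find_unpinned(SAMPLE_DOCKERFILE)` reports line 3 (`wheel>=0.46.2`, a range) and line 4 (`requests`, no version) and stays quiet about `wheel==0.46.2`; the `-r requirements.txt` argument is skipped because `-r` consumes the following token. Dropping this into CI next to the Dockerfile turns the reviewer's nitpick into a repeatable gate.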
Actionable comments posted: 2
♻️ Duplicate comments (1)
.claude/skills/patch-cves/SKILL.md (1)
141-141: ⚠️ Potential issue | 🟡 Minor
Use Rust (not Go) for the Cryptography build-toolchain note.
Line 141 is still misleading for CVE troubleshooting; Cryptography source builds require a Rust toolchain.
Suggested fix
-- Go version matters for Go-based Python bindings (e.g., Cryptography) +- Rust version matters for Rust-backed Python packages that may need source builds (e.g., Cryptography)According to the official pyca/cryptography installation docs, which toolchain is required for source builds: Go or Rust?🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.claude/skills/patch-cves/SKILL.md at line 141, The line stating "Go version matters for Go-based Python bindings (e.g., Cryptography)" is incorrect for Cryptography; update the note to reference Rust (not Go) as the required toolchain for pyca/cryptography source builds. Locate the string "Go version matters for Go-based Python bindings (e.g., Cryptography)" in SKILL.md and replace it with wording like "Rust toolchain matters for Python packages built from source (e.g., Cryptography)" and ensure any CVE troubleshooting guidance that mentions Go is updated to mention Rust toolchain requirements instead.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.claude/skills/patch-cves/SKILL.md:
- Line 15: Remove the stray token "etails" on line 15 of SKILL.md that
interrupts the document flow; open the SKILL.md content (look for the lone
"etails" token between sections) and delete that token so the surrounding
paragraphs/sections read correctly and no extra stray text remains.
- Around line 52-60: The fenced code block containing the CVE examples (the
triple-backtick block that begins before "CVE-XXXX-XXXXX...") is missing a
language identifier; update that opening fence from ``` to ```text so the block
is declared as text (as suggested) to satisfy MD040 and improve
linting/rendering for the examples.
---
Duplicate comments:
In @.claude/skills/patch-cves/SKILL.md:
- Line 141: The line stating "Go version matters for Go-based Python bindings
(e.g., Cryptography)" is incorrect for Cryptography; update the note to
reference Rust (not Go) as the required toolchain for pyca/cryptography source
builds. Locate the string "Go version matters for Go-based Python bindings
(e.g., Cryptography)" in SKILL.md and replace it with wording like "Rust
toolchain matters for Python packages built from source (e.g., Cryptography)"
and ensure any CVE troubleshooting guidance that mentions Go is updated to
mention Rust toolchain requirements instead.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 7d1c0132-977c-4b1a-85d2-d5190b6714a3
⛔ Files ignored due to path filters (1)
poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
- .claude/skills/patch-cves/SKILL.md
- Dockerfile
🚧 Files skipped from review as they are similar to previous changes (1)
- Dockerfile
♻️ Duplicate comments (2)
.claude/skills/patch-cves/SKILL.md (2)
140-140: ⚠️ Potential issue | 🟡 Minor
Replace “Go” with “Rust” for Cryptography build guidance.
Line 140 is technically incorrect for current Python `cryptography` source-build troubleshooting; this should reference Rust, not Go.
Suggested fix
-- Go version matters for Go-based Python bindings (e.g., Cryptography) +- Rust version matters for Rust-backed Python packages that may need source builds (e.g., Cryptography)🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.claude/skills/patch-cves/SKILL.md at line 140, Update the guidance text that currently says "Go version matters for Go-based Python bindings (e.g., Cryptography)" to reference Rust instead of Go; locate the phrase "Go version matters for Go-based Python bindings (e.g., Cryptography)" and change it to mention Rust (e.g., "Rust toolchain matters for Rust-based Python bindings (e.g., cryptography)") so the cryptography source-build troubleshooting is accurate.
51-59: ⚠️ Potential issue | 🟡 Minor
Add a language identifier to the fenced CVE example block.
Line 51 opens a fenced code block without a language, which triggers MD040.
Suggested fix
-``` +```text CVE-XXXX-XXXXX (Critical): Package X - affects >=1.0.0,<1.2.0 Fixed in: 1.2.5 Status: Needs patching @@ CVE-YYYY-YYYYY (High): Package Y - affects >=2.0.0,<2.1.0 Fixed in: 2.1.3 Status: Needs patching</details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against the current code and only fix it if needed.
In @.claude/skills/patch-cves/SKILL.md around lines 51 - 59, The fenced CVE
example block opens without a language identifier (triggering MD040); update the
opening fence of the example block in SKILL.md to include a language label
(e.g., add "text" after the initial ```), so the block starts with ```text and
the rest of the lines remain unchanged to satisfy the markdown linter.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.claude/skills/patch-cves/SKILL.md:
- Line 140: Update the guidance text that currently says "Go version matters for
Go-based Python bindings (e.g., Cryptography)" to reference Rust instead of Go;
locate the phrase "Go version matters for Go-based Python bindings (e.g.,
Cryptography)" and change it to mention Rust (e.g., "Rust toolchain matters for
Rust-based Python bindings (e.g., cryptography)") so the cryptography
source-build troubleshooting is accurate.
- Around line 51-59: The fenced CVE example block opens without a language
identifier (triggering MD040); update the opening fence of the example block in
SKILL.md to include a language label (e.g., add "text" after the initial ```), so
the block starts with ```text and the rest of the lines remain unchanged to
satisfy the markdown linter.
---
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 59829c5d-a4dd-48e1-9923-ec248dfbf5c2
📥 Commits
Reviewing files that changed from the base of the PR and between 0f72094435720b8986aa55be1d1beeba45d0076f and d3a2dfaad9371595e7479dfe1f0824fb714306a9.
📒 Files selected for processing (1)
- .claude/skills/patch-cves/SKILL.md
No description provided.