From e53f27068e07afc9ec930153bf51d19dfbe988f2 Mon Sep 17 00:00:00 2001 From: "avi@robusta.dev" Date: Tue, 14 Jul 2026 10:43:43 +0300 Subject: [PATCH 1/2] krr-enforcer: bump to 0.3.8 (fresh CVE-patched image) Rebuild to clear stale Vanta findings: the openssl/libcrypto3 (9 HIGH/CRIT) and cryptography advisories were fixed in code but Vanta was scanning the old 0.3.7 SHA. Fresh multi-arch 0.3.8 build pushed with a current base image. Co-Authored-By: Claude Opus 4.8 (1M context) --- helm/krr-enforcer/Chart.yaml | 4 ++-- helm/krr-enforcer/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/helm/krr-enforcer/Chart.yaml b/helm/krr-enforcer/Chart.yaml index c6b7e793..a9c2478f 100644 --- a/helm/krr-enforcer/Chart.yaml +++ b/helm/krr-enforcer/Chart.yaml @@ -3,5 +3,5 @@ name: krr-enforcer description: KRR enforcer - auto apply KRR recommendations type: application -version: 0.3.5 -appVersion: 0.3.5 +version: 0.3.8 +appVersion: 0.3.8 diff --git a/helm/krr-enforcer/values.yaml b/helm/krr-enforcer/values.yaml index 030d2ec0..088cdf53 100644 --- a/helm/krr-enforcer/values.yaml +++ b/helm/krr-enforcer/values.yaml @@ -11,7 +11,7 @@ certJob: image: repository: us-central1-docker.pkg.dev/genuine-flight-317411/devel name: krr-enforcer - tag: 0.3.6 + tag: 0.3.8 imagePullPolicy: IfNotPresent resources: requests: From cc13e1bee3ff470fe2279212463ab0d46debb103 Mon Sep 17 00:00:00 2001 From: "avi@robusta.dev" Date: Tue, 14 Jul 2026 14:04:08 +0300 Subject: [PATCH 2/2] enforcer: real-fix starlette + urllib3 CVEs The 0.3.8 requirements pinned urllib3==2.6.3 (still vulnerable) and fastapi==0.121.3 which caps starlette <0.51 (leaving the starlette CVEs unfixable). Bump so the CVEs actually resolve: - urllib3 2.6.3 -> 2.7.0 (CVE-2026-44431, CVE-2026-44432) - fastapi 0.121.3 -> 0.139.0 (allows starlette >=0.46, drops the <0.51 cap) - add starlette>=1.0.0 (CVE-2026-48818, 54283, 48710, 48817, 54282; fix only in 1.x) - pydantic 2.6.1 -> 2.13.4 (required by fastapi 0.139.0) docker scout now reports no vulnerable packages in the enforcer image. Co-Authored-By: Claude Opus 4.8 (1M context) --- enforcer/requirements.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/enforcer/requirements.txt b/enforcer/requirements.txt index 75e1cbf7..0d939f62 100644 --- a/enforcer/requirements.txt +++ b/enforcer/requirements.txt @@ -1,10 +1,11 @@ -fastapi==0.121.3 +fastapi==0.139.0 uvicorn==0.27.1 -pydantic==2.6.1 +pydantic==2.13.4 +starlette>=1.0.0 supabase==2.5 PyYAML==6.0.1 cachetools==5.3.3 prometheus-client==0.20.0 kubernetes==26.1.0 pyasn1>=0.6.2 -urllib3==2.6.3 +urllib3==2.7.0