Skip to content

[ROB-0000] CVE patches #514

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Avi-Robusta wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[ROB-0000] CVE patches #514

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion enforcer/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ ENV PATH="/app/venv/bin:$PATH"
# Patching CVE-2025-6965 (requires sqlite >= 3.50.2)
# Alpine's current version (3.51.1-r0) already includes the fix
RUN apk update && apk add --no-cache --upgrade \
sqlite-libs sqlite
sqlite-libs sqlite \
zlib
Comment on lines +10 to +11

@coderabbitai coderabbitai Bot Apr 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Does Alpine zlib package address CVE-2026-32597, CVE-2026-30922, or CVE-2026-22184?

💡 Result:

No, the Alpine Linux zlib package does not address CVE-2026-32597, CVE-2026-30922, or CVE-2026-22184. The official Alpine Security Tracker for the zlib source package lists no unresolved or resolved CVEs matching these identifiers. Recent vulnerabilities and specific CVE pages for known zlib issues like CVE-2026-22184 and CVE-2026-27171 exist, but these queried CVEs are absent. CVE-2026-32597 affects PyJWT (Python JSON Web Token library), not zlib. CVE-2026-30922 affects pyasn1 (Python ASN.1 library), not zlib. CVE-2026-22184 affects zlib but is tracked separately without indication of being addressed in all versions; Alpine provides zlib 1.3.2-r0 in edge/3.23-main, which fixes it per upstream (zlib <=1.3.1.2 vulnerable), but the tracker shows empty resolved/unresolved sections, implying not formally addressed as a security fix in stable branches.

Citations:

Clarify the CVE connection for the zlib addition—the referenced CVEs do not appear to be addressed by zlib.

The PR references CVE-2026-32597, CVE-2026-30922, and CVE-2026-22184, but none of these are actually addressed by the zlib package:

Either the zlib addition is unrelated to the CVEs mentioned in the PR, or the PR references incorrect CVEs. Clarify which vulnerability(ies) the zlib package is meant to address and update the PR description accordingly.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@enforcer/Dockerfile` around lines 10 - 11, The Dockerfile change adds the
zlib package but the PR links CVE-2026-32597 and CVE-2026-30922 (which affect
PyJWT and pyasn1) and CVE-2026-22184 (zlib-related) incorrectly; update the PR
and Dockerfile comment to either remove incorrect CVE references or explicitly
state that zlib is being added to address CVE-2026-22184 (and provide a
source/Alpine advisory confirming resolution), or if zlib is unrelated, remove
CVE mentions and explain the real reason for adding zlib alongside
sqlite-libs/sqlite in the Dockerfile.


# Set the working directory
WORKDIR /app/enforcer
Expand Down
3 changes: 2 additions & 1 deletion enforcer/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,6 @@ PyYAML==6.0.1
cachetools==5.3.3
prometheus-client==0.20.0
kubernetes==26.1.0
pyasn1>=0.6.2
pyasn1>=0.6.3

@coderabbitai coderabbitai Bot Apr 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Does pyasn1 version 0.6.3 fix CVE-2026-32597, CVE-2026-30922, or CVE-2026-22184?

💡 Result:

pyasn1 version 0.6.3 fixes CVE-2026-30922 but does not fix CVE-2026-32597 or CVE-2026-22184. CVE-2026-32597 affects PyJWT (not pyasn1). CVE-2026-22184 affects zlib (not pyasn1). No sources link these CVEs to pyasn1 or indicate fixes in 0.6.3.

Citations:

Clarify which CVEs are addressed by the pyasn1 upgrade.

pyasn1 0.6.3 addresses only CVE-2026-30922. The other two CVEs referenced in the PR are unrelated:

Update the PR description to document which CVEs are in scope, or add separate dependency updates for the other vulnerabilities if they need to be addressed.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@enforcer/requirements.txt` at line 9, The requirements.txt change pins
pyasn1>=0.6.3 but the PR text incorrectly implies it addresses multiple CVEs;
update the PR description to state that pyasn1>=0.6.3 only addresses
CVE-2026-30922 and that CVE-2026-32597 (PyJWT) and CVE-2026-22184 (zlib) are
unrelated, or alternatively add separate dependency updates/PRs to bump PyJWT
and zlib (or their wrappers) if you intend to remediate those vulnerabilities;
reference the pyasn1>=0.6.3 entry and the CVE IDs (CVE-2026-30922,
CVE-2026-32597, CVE-2026-22184) in the updated description.

PyJWT>=2.12.1
Comment on lines +9 to +10

@coderabbitai coderabbitai Bot Apr 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

Inconsistent dependency versioning strategy.

Lines 9-10 use minimum version constraints (>=) while all other dependencies (lines 1-8, 11) are pinned to exact versions (==). This inconsistency can lead to non-deterministic builds and dependency resolution issues.

For security patches, it's generally safer to pin exact versions that are known to address the specific CVEs.

📌 Proposed fix to pin exact versions 
-pyasn1>=0.6.3
-PyJWT>=2.12.1
+pyasn1==0.6.3
+PyJWT==2.12.1
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
pyasn1>=0.6.3
PyJWT>=2.12.1
pyasn1==0.6.3
PyJWT==2.12.1
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@enforcer/requirements.txt` around lines 9 - 10, The requirements file mixes
minimum-version constraints with exact pins; change the two entries using >=
(pyasn1 and PyJWT) to exact pinned versions to match the rest of the file:
replace the pyasn1>=0.6.3 and PyJWT>=2.12.1 lines with
pyasn1==<approved_version> and PyJWT==<approved_version> respectively (select
the exact versions used in your lockfile or the audited versions), ensuring the
package names and equality operator are updated in enforcer/requirements.txt.

urllib3==2.6.3
6 changes: 3 additions & 3 deletions poetry.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ pillow==12.1.1 ; python_version >= "3.10" and python_full_version < "3.13"
prometheus-api-client==0.5.3 ; python_version >= "3.10" and python_full_version < "3.13"
prometrix==0.2.11; python_version >= "3.10" and python_full_version < "3.13"
pyasn1-modules==0.4.2 ; python_version >= "3.10" and python_full_version < "3.13"
pyasn1==0.6.2 ; python_version >= "3.10" and python_full_version < "3.13"
pyasn1==0.6.3 ; python_version >= "3.10" and python_full_version < "3.13"

@coderabbitai coderabbitai Bot Apr 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Does pyasn1 version 0.6.3 fix CVE-2026-32597, CVE-2026-30922, or CVE-2026-22184?

💡 Result:

pyasn1 version 0.6.3 fixes CVE-2026-30922 but does not fix CVE-2026-32597 or CVE-2026-22184. CVE-2026-30922 is a denial-of-service vulnerability due to unbounded recursion in the ASN.1 decoder, explicitly fixed in 0.6.3 by adding a nesting depth limit, as stated in the official CHANGES.rst and GitHub security advisory. CVE-2026-32597 affects PyJWT (not pyasn1), related to crit header parameter validation. No evidence found that CVE-2026-22184 exists or affects pyasn1; searches returned no relevant results linking it to pyasn1 or mentioning it in changelogs/advisories.

Citations:

Correct the CVE references in the PR description.

The PR references three CVEs, but only one actually applies to pyasn1:

  • CVE-2026-30922 (pyasn1): ✓ Fixed in 0.6.3 (addresses DoS via unbounded recursion by adding nesting depth limit)
  • CVE-2026-32597: Affects PyJWT, not pyasn1 (crit header parameter validation)
  • CVE-2026-22184: No evidence this CVE exists or affects pyasn1

Update the PR description to accurately reflect which vulnerabilities are being addressed.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@requirements.txt` at line 31, Update the PR description to correct the CVE
references for the pyasn1 upgrade noted in requirements.txt (the pyasn1==0.6.3
pin): explicitly state that CVE-2026-30922 applies to pyasn1 and is fixed in
0.6.3, remove CVE-2026-32597 as it applies to PyJWT (not pyasn1) and either
mention PyJWT separately if relevant, and drop CVE-2026-22184 since there is no
evidence it exists or affects pyasn1; ensure the description clearly ties the
pyasn1 change to CVE-2026-30922 only.

pydantic==1.10.15 ; python_version >= "3.10" and python_full_version < "3.13"
pygments==2.17.2 ; python_version >= "3.10" and python_full_version < "3.13"
pyparsing==3.1.2 ; python_version >= "3.10" and python_full_version < "3.13"
Expand Down
Loading