
Conversation


@Avi-Robusta Avi-Robusta commented Dec 31, 2025

CVE-2025-66418
CVE-2025-66471

Needed to use the latest version of the CLI for package compatibility.
We removed --disable-cloud-routing from the CLI 5 months ago, so that had to be removed.
KRR version bump.


coderabbitai bot commented Dec 31, 2025

Walkthrough

Python requirement raised to >=3.10,<3.12; multiple dependency versions updated and h2 added. Default KRR playbook image tag bumped to v1.28.0. CI workflow now installs robusta-cli from a GitHub repo URL instead of PyPI. A test helper removed the --disable-cloud-routing flag.

Changes

Cohort / File(s): Summary
  • Dependency manifest (pyproject.toml): Python constraint changed from ^3.9, <3.12 → >=3.10, <3.12. Dependency bumps: prometrix 0.2.5 → 0.2.9, botocore 1.31.72 → ^1.42.19, boto3 1.28.72 → ^1.42.19, urllib3 ^1.26.20 → ^2.6.2. New top-level dependency: h2 ^4.3.0.
  • Playbook image bump (playbooks/robusta_playbooks/krr.py): Default IMAGE constant updated from .../krr:v1.27.0 → .../krr:v1.28.0 (override mechanism unchanged).
  • CI workflow change (.github/workflows/test_robusta.yaml): robusta-cli installation source switched from PyPI to a GitHub git URL in the workflow setup step.
  • Test helper tweak (tests/utils/robusta_utils.py): Removed the --disable-cloud-routing argument from the gen-config command list in RobustaController.gen_config.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • bump krr version #1940 — Also modified the IMAGE constant in playbooks/robusta_playbooks/krr.py to bump the KRR image tag.

Suggested reviewers

  • nherment
  • RoiGlinik

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Title check: ✅ Passed. The title accurately reflects the main change of updating urllib and other dependencies to patch CVE vulnerabilities, though it mentions urllib specifically, which is one of several dependency updates.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description check: ✅ Passed. The pull request description is directly related to the changeset, referencing specific CVEs, CLI compatibility updates, and version bumps that align with the file modifications.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
pyproject.toml (2)

62-62: Verify exact version pinning is intentional.

The prometrix version constraint changed from "^0.2.5" (allowing compatible minor/patch updates) to "0.2.9" (exact version). This removes semver flexibility and may prevent automatic security patches. Was this intentional, or should it be "^0.2.9"?


79-79: LGTM: h2 dependency added for CVE remediation.

The h2 dependency addition is appropriate for urllib3 2.x. The comment references a Dependabot security alert. Consider updating the comment to specify which CVE this addresses (if it's one of CVE-2025-66418/CVE-2025-66471 or a separate h2-specific CVE) for better documentation.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d1b0df2 and 3c77271.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: run_tests
  • GitHub Check: run_tests
🔇 Additional comments (1)
pyproject.toml (1)

75-75: urllib3 2.6.2 upgrade correctly addresses CVE-2025-66418 and CVE-2025-66471.

The upgrade from urllib3 1.26.20 to 2.6.2 properly fixes both CVEs (DoS vulnerabilities via decompression chains, affecting all versions < 2.6.0). Verification confirms no breaking changes will impact this codebase:

  • No direct urllib3 imports detected
  • Indirect dependencies (requests 2.32.3, botocore 1.42.19, httpx 0.27.2) all support urllib3 2.x
  • Version constraint ^2.6.2 is secure and appropriate
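The two review points above (the exact `0.2.9` pin on prometrix, and the urllib3 floor needed for the CVEs) can be checked mechanically. This is an added example and not robusta's code: it parses Poetry-style constraint strings like those in the walkthrough; the `SAMPLE_DEPS` table is constructed to mirror them, and the fixed urllib3 release (2.6.0) is taken from the comment above.

```python
"""Audit Poetry-style dependency constraints for exact pins and a CVE floor."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed sample mirroring the constraints listed in the PR walkthrough.
SAMPLE_DEPS: Dict[str, str] = {
    "python": ">=3.10,<3.12",
    "prometrix": "0.2.9",
    "botocore": "^1.42.19",
    "boto3": "^1.42.19",
    "urllib3": "^2.6.2",
    "h2": "^4.3.0",
}
# First urllib3 release not affected by CVE-2025-66418 / CVE-2025-66471 (per the review).
URLLIB3_FIXED: Version = (2, 6, 0)

_CLAUSE = re.compile(r"(\^|~|>=|>|==)?\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.strip().split("."))


def lower_bound(constraint: str) -> Version:
    """Smallest version a constraint admits: caret, tilde, >=, == or a bare pin."""
    for clause in constraint.split(","):
        m = _CLAUSE.fullmatch(clause.strip())
        if m is None:                      # e.g. "<3.12" is an upper bound only
            continue
        version = parse_version(m.group(2))
        if m.group(1) == ">":              # exclusive: next patch level is the floor
            return version[:-1] + (version[-1] + 1,)
        return version
    raise ValueError(f"no lower bound in constraint {constraint!r}")


def is_exact_pin(constraint: str) -> bool:
    """True for "0.2.9" or "==0.2.9": the resolver will never pick up a patch release."""
    return re.fullmatch(r"(==)?\s*\d+(?:\.\d+)*", constraint.strip()) is not None


def audit(deps: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    for name, constraint in deps.items():
        if name != "python" and is_exact_pin(constraint):
            findings.append(f"{name}: exact pin {constraint!r} blocks patch releases")
    urllib3 = deps.get("urllib3")
    if urllib3 is None or lower_bound(urllib3) < URLLIB3_FIXED:
        findings.append(f"urllib3: floor {urllib3!r} is below fixed release 2.6.0")
    return findings
```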


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
playbooks/robusta_playbooks/krr.py (2)

5-5: Fix import error: NONE doesn't exist in pickle module.

The pickle module does not export NONE. This will cause an ImportError when the module is loaded.

🔎 Proposed fix
-from pickle import NONE
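Review bot: removing the `from pickle import NONE` line on its own converts the ImportError into a NameError at the remaining `NONE` reference in the call on line 451, so this hunk and the call-site hunk below must land together; a search for any other `NONE` uses in the module before merging would confirm nothing else depends on the name.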

Then update line 451 to use the built-in None:

-    _publish_krr_finding(event=event,krr_json=params.result, scan_id=params.scan_id, start_time=params.start_time, metadata=metadata, timeout=None, config_json=NONE)
+    _publish_krr_finding(event=event,krr_json=params.result, scan_id=params.scan_id, start_time=params.start_time, metadata=metadata, timeout=None, config_json=None)
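Review bot: the call still reads `event=event,krr_json=params.result` with no space after the comma, the same style defect the signature hunk fixes; while touching this line, `timeout=None` also just restates the parameter's declared default and could be dropped.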

408-408: Fix type annotation syntax error.

The parameter config_json = Optional[str] has incorrect syntax. Type annotations should use : not =. This should be either config_json: Optional[str] or config_json: Optional[str] = None.

🔎 Proposed fix
-def _publish_krr_finding(event: ExecutionBaseEvent, krr_json: Dict[str, Any],scan_id: str, start_time: str, metadata: Dict[str, Any], timeout: Optional[str] = None, config_json = Optional[str]):
+def _publish_krr_finding(event: ExecutionBaseEvent, krr_json: Dict[str, Any], scan_id: str, start_time: str, metadata: Dict[str, Any], timeout: Optional[str] = None, config_json: Optional[str] = None):
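Review bot: choosing `config_json: Optional[str] = None` over the no-default form is the right call here, because the original `config_json = Optional[str]` already gave the parameter a default value (the typing object itself), so existing callers that omit `config_json` kept working and would break with a required parameter; worth confirming that no caller relied on that old default being truthy.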

Note: Also fixed the missing space after the comma before scan_id.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3c77271 and 4f02414.

📒 Files selected for processing (1)
  • playbooks/robusta_playbooks/krr.py
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: run_tests
  • GitHub Check: run_tests
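To show why the `config_json = Optional[str]` signature flagged above is a runtime bug rather than a style issue, here is an added example that is not code from the robusta repository: `buggy_publish` and `fixed_publish` are constructed stand-ins that only copy the shape of the reviewed signature, and `suspicious_defaults` uses `inspect.signature` to find parameters whose default value is a typing construct.

```python
"""Detect parameters whose default VALUE is a typing construct (an '=' meant as ':')."""
import inspect
import typing
from typing import Any, Callable, Dict, List, Optional


def buggy_publish(krr_json: Dict[str, Any], timeout: Optional[str] = None,
                  config_json = Optional[str]):
    """Stand-in for the original signature: `= Optional[str]` sets a default
    value, so a caller that omits config_json receives the typing object, not None."""
    return config_json


def fixed_publish(krr_json: Dict[str, Any], timeout: Optional[str] = None,
                  config_json: Optional[str] = None):
    """Stand-in for the form proposed in the review: ':' annotation, real default."""
    return config_json


def _is_typing_construct(value: Any) -> bool:
    """True for objects such as Optional[str], List[int] or typing.Any."""
    return typing.get_origin(value) is not None or value is typing.Any


def suspicious_defaults(func: Callable[..., Any]) -> List[str]:
    """Names of parameters whose default value looks like a type annotation."""
    found = []
    for name, param in inspect.signature(func).parameters.items():
        if param.default is inspect.Parameter.empty:
            continue
        if _is_typing_construct(param.default):
            found.append(name)
    return found


def config_json_is_set(value: Optional[str]) -> bool:
    """A typical downstream check: the typing object is truthy, so the buggy
    default would wrongly look like a config that was actually provided."""
    return bool(value)


if __name__ == "__main__":
    print("buggy default:", buggy_publish({}))
    print("flagged:", suspicious_defaults(buggy_publish))  # ['config_json']
    print("flagged:", suspicious_defaults(fixed_publish))  # []
```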


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4f02414 and 2b13313.

📒 Files selected for processing (1)
  • .github/workflows/test_robusta.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: run_tests
  • GitHub Check: run_tests

@Avi-Robusta Avi-Robusta merged commit 8bd6843 into master Dec 31, 2025
6 checks passed
@Avi-Robusta Avi-Robusta deleted the cve-patches branch December 31, 2025 12:19