
Conversation

@Avi-Robusta (Contributor)

CVE-2025-66418
CVE-2025-66471
Tested; it works.

@coderabbitai bot commented Jan 1, 2026

Walkthrough

Updates the enforcer component by removing explicit sqlite version pins in the Dockerfile to rely on distro-provided versions instead, adds urllib3==2.6.2 to Python dependencies, and bumps the helm chart image tag from 0.3.5 to 0.3.6.

Changes

Cohort / File(s): Summary

Docker & Python Dependencies (enforcer/Dockerfile, enforcer/requirements.txt): Removed explicit version pins for sqlite packages in the Dockerfile APK install step; added comments referencing the CVE patch requirements (sqlite >= 3.50.2) and noting that Alpine 3.51.1-r0 includes the fix. Added urllib3==2.6.2 to the Python dependencies.

Helm Configuration (helm/krr-enforcer/values.yaml): Bumped the krr-enforcer container image tag from 0.3.5 to 0.3.6.


@coderabbitai bot left a comment

Actionable comments posted: 2


📥 Commits

Reviewing files that changed from the base of the PR and between 4c03971 and ea7b390.

📒 Files selected for processing (3)
  • enforcer/Dockerfile
  • enforcer/requirements.txt
  • helm/krr-enforcer/values.yaml
🔇 Additional comments (2)
helm/krr-enforcer/values.yaml (1)

14-14: LGTM!

The image tag bump from 0.3.5 to 0.3.6 correctly aligns with the updated container image that includes the CVE patches.

enforcer/requirements.txt (1)

9-9: Remove this comment — no issues to address.

urllib3==2.6.2 fully addresses both CVE-2025-66418 and CVE-2025-66471 (both fixed in 2.6.0). Kubernetes 26.1.0 specifies urllib3 (>=1.24.2), a lower-bound requirement only, so pinning to 2.6.2 creates no version conflicts and is compatible.

Likely an incorrect or invalid review comment.

@Avi-Robusta Avi-Robusta merged commit 3acc116 into main Jan 1, 2026
3 checks passed
@Avi-Robusta Avi-Robusta deleted the cve_patches branch January 1, 2026 07:24