Merge branch 'master' into claude/add-mute-intervals-config-aa1kI

Author: Sheeproid

.claude/skills/patch-cves/SKILL.md

@@ -0,0 +1,183 @@
+# Patching CVEs in Robusta: Automated Workflow
+
+This skill automates the process of identifying and patching CVE vulnerabilities in the Robusta Docker image and Python dependencies, focusing on critical, high, and medium severity issues.
+
+## Overview
+
+The workflow follows this systematic process:
+
+1. **Vulnerability Scanning** - Identify all CVEs in dependencies and Docker image
+2. **Severity Filtering** - Focus on critical, high, and medium severity issues
+3. **Root Cause Analysis** - Determine which packages/dependencies introduce vulnerabilities
+4. **Upstream Research** - Check if newer releases already include fixes
+5. **Patch Implementation** - Apply fixes via dependency upgrades or Dockerfile changes
+6. **Validation** - Verify CVE fixes and ensure application functionality
+
+## Step-by-Step Process
+
+### 1. Vulnerability Scanning
+
+Use multiple scanning tools to identify vulnerabilities:
+
+```bash
+# Scan Docker image for vulnerabilities
+docker build -t robusta:latest .
+docker scout cves robusta:latest
+
+# Scan Python dependencies for vulnerabilities
+pip-audit
+safety check
+
+# Validate pyproject.toml metadata and lockfile consistency (does not perform vulnerability scanning)
+poetry check
+# For CVE scanning of Python dependencies, use pip-audit, safety, or poetry-audit-plugin
+```
+
+**What to extract:**
+- Affected package name and version
+- CVE ID and severity level
+- Fixed version (if available)
+- Affected version range
+
+### 2. Severity Filtering
+
+Process vulnerabilities in this order:
+1. **Critical** - Must be fixed before release
+2. **High** - Should be fixed before release
+3. **Medium** - Fix when safe and non-breaking
+
+Create a prioritized list and document each CVE:
+
+```
+CVE-XXXX-XXXXX (Critical): Package X - affects >=1.0.0,<1.2.0
+  Fixed in: 1.2.5
+  Status: Needs patching
+
+CVE-YYYY-YYYYY (High): Package Y - affects >=2.0.0,<2.1.0
+  Fixed in: 2.1.3
+  Status: Needs patching
+```
+
+### 3. Python Dependency Patches
+
+Two main strategies:
+
+**Strategy A: Direct Upgrade (Preferred)**
+- Check `poetry.lock` for affected packages
+- Update `pyproject.toml` with patched version
+- Run `poetry update package-name`
+- Verify in `poetry.lock` that lock file has updated to fixed version
+
+**Strategy B: Transitive Dependency Fix**
+- Identify the parent package bringing in vulnerable version
+- Upgrade parent package to one with updated dependencies
+- This automatically pulls in the fixed transitive dependency
+
+
+### 4. Dockerfile Patches
+
+For system-level vulnerabilities (non-Python packages):
+
+**Strategy A: Upgrade Base Image**
+- Check if newer Python 3.11-slim image includes fixes
+- Update FROM statement: `FROM python:3.11-slim` → newer version
+
+**Strategy B: Explicit Package Installation**
+- Add specific package upgrade in RUN commands
+- Example: `apt-get install -y libssl3` for OpenSSL CVEs
+
+**Strategy C: Apply Patches**
+- Use patching tools for targeted fixes in builder stage
+- Document with comments explaining which CVEs are fixed
+
+### 5. Validation Checklist
+
+✓ **CVE Verification**
+- Run `docker scout cves` again on patched image
+- Confirm target CVE no longer appears
+- Note any remaining high/critical issues for tracking
+
+✓ **Build Verification**
+```bash
+# Build the Docker image
+docker build -t robusta:test .
+
+# Verify build succeeds with no errors
+echo "Build successful"
+```
+
+✓ **Functional Testing**
+```bash
+# Run basic smoke tests
+pytest tests/ -v
+```
+
+✓ **Dependency Check**
+```bash
+# Verify no new vulnerabilities introduced
+docker scout cves robusta:test --no-cache
+
+# Validate pyproject.toml metadata and lockfile consistency
+poetry check --lock
+```
+
+### 6. Documentation
+
+Update these files with CVE fix details:
+
+**Dockerfile Comments:**
+```dockerfile
+# Patching CVE-XXXX-XXXXX (Critical): Package X
+RUN apt-get install -y package-name
+```
+
+## Key Considerations
+
+### Python Package CVEs
+- Check if vulnerability is in the installed wheel vs source
+- For indirect dependencies, finding the transitive source is critical
+- Use `poetry why package-name` to understand dependency relationships
+- Go version matters for Go-based Python bindings (e.g., Cryptography)
+
+### System Library CVEs
+- libexpat1, libssl, libc vulnerabilities are common
+- These often have fixes in newer base images
+- When possible, upgrade the base Python image before manual fixes
+
+### Testing Strategy
+- Always rebuild and scan after each patch
+- One CVE at a time is safer; group similar fixes together
+- Document any CVEs that can't be patched with reasoning
+
+### Breaking Changes
+- Verify patched versions don't introduce breaking changes
+- Check release notes and migration guides
+- Run full test suite, not just smoke tests for major upgrades
+
+## Implementation Notes
+
+1. Work through CVEs in severity order (Critical → High → Medium)
+2. For each CVE, follow the complete cycle: identify → research → patch → validate
+3. Commit each logical group of fixes separately
+4. Keep diagnostics available: `docker scout cves` output, dependency trees, test results
+5. If a patch can't be safely applied, document why in the code comments
+
+## Common Issues and Solutions
+
+### Issue: Patch introduces breaking changes
+**Solution:**
+1. Check if breaking change is in major version bump
+2. Review if dependency needs to be pinned differently
+3. Consider if a workaround exists (e.g., compatibility shim)
+
+### Issue: Transitive dependency is vulnerable
+**Solution:**
+1. Find which package brings it in: `poetry why vulnerable-package`
+2. Update the parent package instead
+3. Re-lock dependencies and verify fix
+
+### Issue: CVE disappears after unrelated patch
+**Solution:**
+1. Good sign - often due to transitive dependency updates
+2. Still verify with `docker scout cves` on final image
+3. Update documentation to credit upstream fixes

Dockerfile

@@ -11,7 +11,7 @@ RUN apt-get update \
 RUN mkdir /app
 WORKDIR /app
 
-RUN curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.33/deb/Release.key -o /app/Release.key
+RUN curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.35/deb/Release.key -o /app/Release.key
 
 ENV ENV_TYPE=DEV
 
@@ -41,6 +41,9 @@ RUN poetry install --without dev --extras "all"
 COPY playbooks/ /etc/robusta/playbooks/defaults
 RUN pip install --no-cache-dir /etc/robusta/playbooks/defaults
 
+# Patching CVE-2026-24049 (High): wheel path traversal vulnerability
+RUN pip install --no-cache-dir "wheel>=0.46.2"
+
 # Fixes k8s library bug - see https://github.com/kubernetes-client/python/issues/1867#issuecomment-1353813412
 RUN find /app/venv/lib/python*/site-packages/kubernetes/client/rest.py -type f -exec sed -i 's:^\(.*logger.*\)$:#\1:' {} \;
 
@@ -66,11 +69,12 @@ WORKDIR /app
 
 # Install necessary packages for the runtime environment
 # We're installing here libexpat1, to upgrade the package to include a fix to 3 high CVEs. CVE-2024-45491,CVE-2024-45490,CVE-2024-45492
+# Patching glibc for CVE-2026-0861, CVE-2026-0915, CVE-2025-15281
 RUN apt-get update \
     && dpkg --add-architecture arm64 \
     && pip3 install --no-cache-dir --upgrade pip \
     && apt-get install -y --no-install-recommends git ssh curl libcairo2 apt-transport-https gnupg2 \
-    && apt-get install -y --no-install-recommends libexpat1 \
+    && apt-get install -y --no-install-recommends libexpat1 libc6 libc-bin \
     && rm -rf /var/lib/apt/lists/*
 
 
@@ -81,17 +85,24 @@ RUN git config --global core.symlinks false
 RUN rm -rf /usr/local/lib/python3.11/ensurepip/_bundled/setuptools-65.5.0-py3-none-any.whl
 RUN rm -rf /usr/local/lib/python3.11/site-packages/setuptools-65.5.1.dist-info
 
+# Patching CVE-2026-24049 (High): wheel path traversal vulnerability
+# Patching CVE-2026-23949 (High): jaraco.context path traversal vulnerability (vendored in setuptools)
+RUN pip3 install --no-cache-dir "wheel>=0.46.2" "setuptools>=80.10.1" \
+    && rm -rf /usr/local/lib/python3.11/site-packages/setuptools/_vendor/wheel-0.45.1.dist-info
+
 COPY --from=builder /app/venv /venv
 COPY --from=builder /etc/robusta/playbooks/defaults /etc/robusta/playbooks/defaults
 # Copy virtual environment and application files from the build stage
 COPY --from=builder /app /app
 # remove duplicated /app/venv - already copied to /venv
 RUN rm -rf /app/venv
+# Remove vendored wheel 0.45.1 from setuptools in venv (CVE-2026-24049)
+RUN rm -rf /venv/lib/python3.11/site-packages/setuptools/_vendor/wheel*
 
 # Set up kubectl
 COPY --from=builder /app/Release.key /tmp/Release.key
 RUN cat /tmp/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg \
-    && echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.33/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list \
+    && echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.35/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list \
     && apt-get update \
     && apt-get install -y kubectl \
     && rm -rf /var/lib/apt/lists/* \

helm/robusta/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 72.0.1
 - name: holmes
   repository: https://robusta-charts.storage.googleapis.com
-  version: 0.20.0
-digest: sha256:003685b2477edb5882fb7733eab823b78f06b0034628b4fc2b62fdf510c4e893
-generated: "2026-02-23T22:29:28.355211+02:00"
+  version: 0.22.0
+digest: sha256:25904ebd20cdfb516d243978d343beb438abc6436f96dbc70253d5a710580fe7
+generated: "2026-03-18T16:02:40.520552+02:00"

helm/robusta/Chart.yaml

@@ -15,6 +15,6 @@ dependencies:
     condition: enablePrometheusStack
     repository: "https://prometheus-community.github.io/helm-charts"
   - name: holmes
-    version: 0.20.0
+    version: 0.22.0
     condition: enableHolmesGPT
     repository: "https://robusta-charts.storage.googleapis.com"

helm/robusta/charts/holmes-0.20.0.tgz

@@ -38,6 +38,9 @@ automountServiceAccountToken: true
 
 enableHolmesGPT: false
 
+holmes:
+  sentryDSN: "https://aa95c183188a6ddf134ebfffe85fd108@o4510692373299200.ingest.de.sentry.io/4510707946094672"
+
 # see https://docs.robusta.dev/master/user-guide/configuration.html#global-config and https://docs.robusta.dev/master/configuration/additional-settings.html#global-config
 globalConfig:
   check_prometheus_flags: true
@@ -627,7 +630,7 @@ image:
 # parameters for the robusta forwarder deployment
 kubewatch:
   image: ~ # image can be used to override image.registry/imageName
-  imageName: kubewatch:v2.12.0
+  imageName: kubewatch:v2.13.0
   imagePullPolicy: IfNotPresent
   revisionHistoryLimit: 10
   pprof: True

helm/robusta/charts/holmes-0.22.0.tgz

@@ -189,7 +189,7 @@ class AlertExplanationParams(ActionParams):
     :var recommended_resolution: A recommended resolution for the alert
     """
 
-    alert_explanation: str
+    alert_explanation: Optional[str]
     recommended_resolution: Optional[str]
 
 
@@ -198,12 +198,15 @@ def alert_explanation_enricher(alert: PrometheusKubernetesAlert, params: AlertEx
     """
     Enrich the finding an explanation and recommendation of how to resolve the issue
     """
-    blocks = [MarkdownBlock(f"{Emojis.Explain.value} *Alert Explanation:* {params.alert_explanation}")]
+    blocks = []
+    if params.alert_explanation:
+        blocks.append(MarkdownBlock(f"{Emojis.Explain.value} *Alert Explanation:* {params.alert_explanation}"))
     if params.recommended_resolution:
-        resolution_block = MarkdownBlock(
-            f"{Emojis.Recommend.value} *Robusta's Recommendation:* {params.recommended_resolution}"
+        blocks.append(
+            MarkdownBlock(f"{Emojis.Recommend.value} *Robusta's Recommendation:* {params.recommended_resolution}")
         )
-        blocks.append(resolution_block)
+    if not blocks:
+        return
     alert.add_enrichment(
         blocks,
         annotations={SlackAnnotations.UNFURL: False},