Conversation
ubi9-micro already includes coreutils-single which conflicts with the coreutils package. Attempting to install coreutils causes dnf dependency resolution failures.

ubi9-micro's coreutils-single provides all the core utilities we need (mkdir, cp, rm, cat, echo, id, chmod, chown, etc.), so we don't need to install the full coreutils package.

This fixes the build-images CI failures where dnf was failing with:

  Problem: problem with installed package coreutils-single
  package coreutils conflicts with coreutils-single

Changes:
- Removed coreutils from all scanner and scanner-db Dockerfiles
- ubi9-micro's coreutils-single is sufficient for our needs

Fixes: build-images failures on all platforms
Related: PR #3095

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@github-actions[bot]: No presubmit jobs available for stackrox/scanner@konflux-ubi9-rhel9-migration
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Migrates scanner, scanner-db, and vulnerabilities images from ubi9-minimal to ubi9-micro base, following established patterns from stackrox/stackrox and stackrox/collector repositories.

Changes:
- Scanner images: Multi-stage build with package_installer for runtime deps
- Scanner-DB images: Complex migration with PostgreSQL via chroot user/locale setup
- Vulnerabilities image: Simple base image change (minimal deps)
- Tekton configs: Added RPM prefetch + ACTIVATION_KEY for hermetic builds
- rpms.in.yaml: Scanner packages (excludes coreutils - ubi9-micro has coreutils-single)
- rpms.lock.yaml: Generated lockfile for all architectures

Benefits:
- ~30-35% image size reduction (ubi9-micro ~28MB vs ubi9-minimal ~92MB)
- Improved security - package managers removed from runtime
- Reduced CVE exposure surface
- Alignment with organization-wide ubi9-micro standardization

Technical details:
- Scanner keeps rpm package (required for image scanning functionality)
- PostgreSQL user created as UID/GID 70 via chroot
- Locale set to en_US.UTF-8 via chroot
- Konflux builds use SHA256-pinned base images
- All scripts require bash (not sh)

Reference PRs:
- stackrox/stackrox#17431 (scanner-db migration)
- stackrox/stackrox#17430 (scanner migration)
- stackrox/collector#3021 (collector migration pattern)
- stackrox/stackrox#19653 (main image migration)
- stackrox/stackrox#19985 (debugging utilities)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The rpms.lock.yaml file contains RPM package lockfile data for all architectures (aarch64, ppc64le, s390x, x86_64), which makes it legitimately large. This file is auto-generated by the rpm-lockfile-prototype tool and is required for hermetic Konflux builds with RPM prefetch support. Fixes: style-check CI failure Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
PGDATA is set to /var/lib/postgresql/data/pgdata, but the parent directory /var/lib/postgresql did not exist, causing the init container to crash when postgres user (uid 70) tried to create it in the root-owned /var/lib directory. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Bash is already included in ubi9-micro base image, so installing it via dnf is redundant and wastes build time. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
util-linux is not used by any scripts and is not installed in the main stackrox/stackrox repository Dockerfiles, so removing it to reduce image size and build time. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
These packages are already included in ubi9-micro base image, so they don't need to be prefetched for Konflux builds. Note: rpms.lock.yaml will be auto-regenerated by Konflux CI on next build. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Problem: scanner-db was using ubi9-minimal with multi-stage build, manually downloading and installing postgres RPMs via download.sh, creating maintenance overhead and divergence from the main postgres image pattern used in stackrox/stackrox and konflux.Dockerfile.

Solution: Switch to registry.redhat.io/rhel9/postgresql-15 base image (same pattern as konflux.Dockerfile). This eliminates:
- Multi-stage ubi9-micro build with chroot complexity
- RPM downloads and GPG key handling
- Manual postgres user creation
- Complex dependency installation

Now simply modifies existing postgres user to UID/GID 70 and sets up required directories. Aligns with stackrox/stackrox PR #19981.

Deleted: download.sh and PGDG-RPM-GPG-KEY-RHEL (no longer needed)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Regenerated using regenerate-rpms-lockfile.sh from stackrox/collector. Removed 1461 lines of dependencies that are no longer needed since bash and util-linux were removed from rpms.in.yaml. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…e image" This reverts commit 34cc249.
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
Restores `, "path": "."` for rpm prefetch-input to match the original implementation from commit 92ddf64 (ROX-27638, ROX-20234). The path parameter was unintentionally removed during ubi-micro migration. The original team that added RPM prefetch support included this parameter for both gomod and rpm types, so restoring for consistency. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Reverts the file existence check added in commit 703624d as it's not required for the ubi9-micro migration. The CA cert path is always mounted in production deployments. Keeps the branch focused on ubi9-micro migration essentials only. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
/test e2e-tests
dnf installs curl as a dependency of rpm package. Since scanner only needs rpm to inspect packages in scanned images, we remove the curl binary to minimize image size (~200KB reduction). The libcurl library remains installed as it's required by rpm. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…criptions

Four new Apache Log4j CVEs were published in April 2026 and added to NVD:
- CVE-2026-34477: Incomplete fix for CVE-2025-68161 (hostname verification)
- CVE-2026-34479: Log4j1XmlLayout XML escaping issue
- CVE-2026-34480: XmlLayout XML sanitization issue
- CVE-2026-34481: JsonTemplateLayout invalid JSON with non-finite floats

Updated test expectations:
- log4j 2.9.1: Added CVE-2026-34479, CVE-2026-34480 (now expects 8 CVEs)
- log4j 2.14.0: Added all 4 new CVEs (now expects 9 CVEs)
- log4j 2.12.2: Added CVE-2026-34477, CVE-2026-34479, CVE-2026-34480 (now expects 7 CVEs)
- ncurses-base: Updated CVE descriptions from "MITRE CVE dictionary" to "CVE program"

The scanner is correctly detecting these vulnerabilities; this commit updates the test assertions to match current NVD/Red Hat security data.

Fixes TestGRPCGetImageVulnerabilities and TestImageSanity failures.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add curl removal step to Dockerfile.slim that was missing from the original fix. This ensures scanner-slim images also have curl binary removed, keeping only the libcurl library needed by rpm.
NVD updated the descriptions for CVE-2026-34477, CVE-2026-34479, CVE-2026-34480, and CVE-2026-34481. Updated test expectations to match the current descriptions with additional detail and URLs.

This fixes test failures in:
- TestGRPCGetImageVulnerabilities for log4j 2.9.1, 2.14.0, 2.12.2
- TestImageSanity for log4j 2.9.1, 2.14.0, 2.12.2
NVD normalizes fancy UTF-8 apostrophes (U+2019 ') to plain ASCII
apostrophes (') in CVE descriptions. Updated test expectations to match
the normalized descriptions that the scanner returns.
Fixes character length mismatches:
- CVE-2026-34480: 1083 → 1079 characters
- CVE-2026-34481: 713 → 711 characters
@dcaravel PTAL
msugakov left a comment:
Looks good overall, but I've a few findings.
Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
Remove redundant comments, add openssl for FIPS support, and use bare context to avoid dependency exclusion bugs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BASE_REGISTRY, BASE_IMAGE, and BASE_TAG are never overridden for scanner and vulnerabilities images. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add openssl package needed for FIPS compliance
- Use rpm --root=/out instead of chroot /out rpm
- Add comment explaining why curl removal is needed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
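As an added illustration (not the stackrox/scanner Dockerfile), this is the multi-stage ubi9-micro pattern the migration commit, the coreutils-single fix and the curl-removal commits above describe, in one file; the image tags, the `package_installer` stage name and the two-package runtime list are assumptions, and the scanner-specific tail of the image (binary, USER, ENTRYPOINT) is left out.

```dockerfile
# Stage 1: a full UBI9 image that has dnf. It exists only to assemble the
# runtime root filesystem under /out; nothing from it ships directly.
# (Added example; image tags and the package list are assumptions.)
FROM registry.access.redhat.com/ubi9/ubi:latest AS package_installer

# Install the runtime RPMs into an empty root. coreutils is deliberately not
# listed: ubi9-micro already ships coreutils-single, the two packages
# conflict, and asking dnf for coreutils makes dependency resolution fail.
# Weak deps are disabled so nothing beyond the hard dependency closure lands.
RUN mkdir -p /out && \
    dnf install -y \
        --installroot=/out \
        --releasever=9 \
        --setopt=install_weak_deps=False \
        --nodocs \
        rpm tar && \
    dnf clean all --installroot=/out

# rpm pulls in the curl package. The scanner only needs rpm to inspect the
# package databases of scanned images, so the curl binary package is dropped
# while libcurl, which rpm itself links against, stays. --root lets the host
# rpm act on /out's database without chroot; --nodeps is needed because rpm's
# own dependency on curl would otherwise block the erase. The second command
# fails the build if a future base-image change takes libcurl along with it.
RUN rpm --root=/out -e --nodeps curl && \
    rpm --root=/out -q --whatprovides 'libcurl.so.4()(64bit)' && \
    rm -rf /out/var/cache/dnf /out/var/log/dnf* /out/var/log/hawkey.log

# Stage 2: ubi9-micro has no dnf or microdnf, so the only way packages reach
# the final image is this COPY. No package manager exists at runtime.
FROM registry.access.redhat.com/ubi9/ubi-micro:latest
COPY --from=package_installer /out/ /

# Scanner binary, config, non-root USER and ENTRYPOINT follow here unchanged
# by the base-image swap; omitted in this example.
```

The `--whatprovides` check matches the 64-bit SONAME on every architecture the lockfile covers (x86_64, aarch64, ppc64le, s390x), so it doubles as a guard that the erase removed only the binary package.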
Includes openssl and all transitive dependencies now that context uses bare:true instead of containerfile filtering. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
msugakov left a comment:
Looks good and thanks for taking care of BASE_REGISTRY, BASE_IMAGE and BASE_TAG.
| tar && \ | ||
| chroot /out rpm -e --nodeps curl && \ | ||
| tar \ | ||
| openssl && \ |
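Review bot: the `chroot /out rpm -e --nodeps curl` line in this hunk erases curl while bypassing rpm's dependency check, and an earlier commit on this PR states curl is installed as a dependency of the rpm package, so the database in /out is left recording a requirement on curl that is no longer satisfied. That is intentional per the commit message, but it is not visible at this point in the file: add a one-line comment here saying the binary package is removed on purpose and libcurl is kept, and consider following the erase with `rpm --root=/out -q --whatprovides 'libcurl.so.4()(64bit)'` so the build fails rather than producing an rpm binary with a missing shared library if the package split ever changes.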
Here, in image/scanner/rhel/Dockerfile.slim, openssl isn't necessary because we don't distribute these images for FIPS. That'll also be consistent with how you made other upstream images, e.g. in stackrox/stackrox repo.
| tar && \ | ||
| chroot /out rpm -e --nodeps curl && \ | ||
| tar \ | ||
| openssl && \ |
Same note about openssl not needed in the upstream image.
| @@ -1 +1 @@ | |||
| apiVersion: tekton.dev/v1 | |||
Question (not about this line). 4.11 branches were already cut. Other containers are already migrated in 4.11 to ubi-micro except for Scanner V2 ones. What's your plan, do you want to backport this PR to release-2.40 branch after merging to master or would you leave 4.11 as-is (on ubi9-minimal)?