From bd0ba19601bbcc54bfb67afbd93de429c2b2c25c Mon Sep 17 00:00:00 2001 From: Misha Sugakov <537715+msugakov@users.noreply.github.com> Date: Wed, 15 Oct 2025 11:39:36 +0200 Subject: [PATCH 1/2] ROX-30918, ROX-31049: Update labels, fix docker mediaType (#2300) --- .tekton/scanner-build.yaml | 4 ++++ .tekton/scanner-component-pipeline.yaml | 25 +++++++++++++++++++++++++ .tekton/scanner-db-build.yaml | 4 ++++ .tekton/scanner-db-slim-build.yaml | 4 ++++ .tekton/scanner-slim-build.yaml | 4 ++++ image/db/rhel/konflux.Dockerfile | 4 ++-- image/scanner/rhel/konflux.Dockerfile | 4 ++-- 7 files changed, 45 insertions(+), 4 deletions(-) diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml index 8e13de444..e97308b3a 100644 --- a/.tekton/scanner-build.yaml +++ b/.tekton/scanner-build.yaml @@ -53,6 +53,10 @@ spec: value: 'true' - name: blobs-to-fetch value: [ 'nvd-definitions.zip', 'k8s-definitions.zip', 'repo2cpe.zip', 'genesis_manifests.json' ] + - name: extra-labels + value: + # X.Y in the cpe label must be adjusted for every version stream. + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" workspaces: - name: git-auth diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml index 697d7591d..22a002c1b 100644 --- a/.tekton/scanner-component-pipeline.yaml +++ b/.tekton/scanner-component-pipeline.yaml @@ -120,6 +120,9 @@ spec: default: docker type: string description: The format for the resulting image's mediaType. Valid values are oci or docker. + - name: extra-labels + type: array + description: Additional labels to put on the built containers. results: - description: "" name: IMAGE_URL @@ -293,6 +296,10 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: BUILDAH_FORMAT value: $(params.buildah-format) + - name: LABELS + value: ["$(params.extra-labels[*])"] + - name: BUILD_TIMESTAMP + value: "$(tasks.clone-repository.results.commit-timestamp)" taskRef: params: - name: name 
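Review bot: The `cpe` value under `extra-labels` in `.tekton/scanner-build.yaml` is maintained by hand, and the only safeguard is the comment above it: the literal `X.Y` added here is a well-formed label, so nothing in the build rejects it (PATCH 2/2 replaces it with `4.9`). Vulnerability tooling that keys on this label would presumably map the image to the wrong product stream, or to none, if the value is stale. The same line is repeated in `scanner-db-build.yaml`, `scanner-db-slim-build.yaml` and `scanner-slim-build.yaml`, so every new version stream has four places to miss. I would add a CI check that fails when a cpe label still contains `X.Y` or disagrees with the branch's version, and extend the comment to `# X.Y in the cpe label must be adjusted for every version stream; keep all four *-build.yaml files in sync.`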
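Review bot: The new `extra-labels` parameter in `.tekton/scanner-component-pipeline.yaml` (hunk `@@ -120,6 +120,9 @@`) is declared without a `default`, so a PipelineRun that references this pipeline and does not pass it will presumably fail parameter validation. The four PipelineRuns touched in this patch all set it, but adding `default: []` would keep the pipeline usable by any other caller. The description could also state the expected form, for example `description: Additional labels, each as key=value, to put on the built containers.`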
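Review bot: `BUILD_TIMESTAMP` in hunk `@@ -293,6 +296,10 @@` is taken from `$(tasks.clone-repository.results.commit-timestamp)`, which is git metadata set by the committer and not a clock reading from the build, and nothing in the file says so. That looks like a deliberate choice for reproducible builds, but anyone applying age or freshness policies to the image's creation date should know it tracks the commit. I would add a comment above the param such as `# Commit time, not wall-clock build time, so rebuilding the same commit yields the same timestamp.` The same applies to the s390x, ppc64le and arm64 build tasks in the next three hunks. The enclosing task definition starts and ends outside this hunk.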
@@ -333,6 +340,12 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM value: linux/s390x + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: LABELS + value: ["$(params.extra-labels[*])"] + - name: BUILD_TIMESTAMP + value: "$(tasks.clone-repository.results.commit-timestamp)" taskRef: params: - name: name @@ -373,6 +386,12 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM value: linux/ppc64le + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: LABELS + value: ["$(params.extra-labels[*])"] + - name: BUILD_TIMESTAMP + value: "$(tasks.clone-repository.results.commit-timestamp)" taskRef: params: - name: name @@ -413,6 +432,12 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM value: linux/arm64 + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: LABELS + value: ["$(params.extra-labels[*])"] + - name: BUILD_TIMESTAMP + value: "$(tasks.clone-repository.results.commit-timestamp)" taskRef: params: - name: name diff --git a/.tekton/scanner-db-build.yaml b/.tekton/scanner-db-build.yaml index ea43f6c7b..c386ed7df 100644 --- a/.tekton/scanner-db-build.yaml +++ b/.tekton/scanner-db-build.yaml @@ -50,6 +50,10 @@ spec: value: 'true' - name: blobs-to-fetch value: [ 'pg-definitions.sql.gz' ] + - name: extra-labels + value: + # X.Y in the cpe label must be adjusted for every version stream. + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" workspaces: - name: git-auth diff --git a/.tekton/scanner-db-slim-build.yaml b/.tekton/scanner-db-slim-build.yaml index 3fd222eae..0d1d09c04 100644 --- a/.tekton/scanner-db-slim-build.yaml +++ b/.tekton/scanner-db-slim-build.yaml 
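Review bot: `BUILDAH_FORMAT`, `LABELS` and `BUILD_TIMESTAMP` are now repeated verbatim in each per-platform build task (hunks `@@ -333,6 +340,12 @@`, `@@ -373,6 +386,12 @@` and `@@ -413,6 +432,12 @@`, plus the first build task). This patch itself shows the drift risk, because `BUILDAH_FORMAT` was already present on the first task and missing on these three. If the blocks diverge again, the per-architecture images behind one tag can end up with different mediaTypes or labels, which is hard to notice from the amd64 result alone. I would put a comment on each block, e.g. `# Keep these params identical across all per-platform build tasks.`, or add a lint step that compares them. Each task definition continues outside its hunk.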
@@ -50,6 +50,10 @@ spec: value: 'true' - name: blobs-to-fetch value: [ ] + - name: extra-labels + value: + # X.Y in the cpe label must be adjusted for every version stream. + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" workspaces: - name: git-auth diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml index e486fd645..32eac14b8 100644 --- a/.tekton/scanner-slim-build.yaml +++ b/.tekton/scanner-slim-build.yaml @@ -53,6 +53,10 @@ spec: value: 'true' - name: blobs-to-fetch value: [ 'nvd-definitions.zip', 'k8s-definitions.zip', 'repo2cpe.zip', 'genesis_manifests.json' ] + - name: extra-labels + value: + # X.Y in the cpe label must be adjusted for every version stream. + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" workspaces: - name: git-auth diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile index 8469e6e87..2ae9be3d1 100644 --- a/image/db/rhel/konflux.Dockerfile +++ b/image/db/rhel/konflux.Dockerfile @@ -57,7 +57,7 @@ FROM scanner-db-common AS scanner-db-slim LABEL \ com.redhat.component="rhacs-scanner-db-slim-container" \ io.k8s.display-name="scanner-db-slim" \ - name="rhacs-scanner-db-slim-rhel8" + name="advanced-cluster-security/rhacs-scanner-db-slim-rhel8" ENV ROX_SLIM_MODE="true" @@ -67,7 +67,7 @@ FROM scanner-db-common AS scanner-db LABEL \ com.redhat.component="rhacs-scanner-db-container" \ io.k8s.display-name="scanner-db" \ - name="rhacs-scanner-db-rhel8" + name="advanced-cluster-security/rhacs-scanner-db-rhel8" COPY --chown=0:0 .konflux/scanner-data/blob-pg-definitions.sql.gz \ /docker-entrypoint-initdb.d/definitions.sql.gz diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index bc16aaeee..a2b6e97b8 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile 
@@ -85,7 +85,7 @@ FROM scanner-common AS scanner-slim LABEL \ com.redhat.component="rhacs-scanner-slim-container" \ io.k8s.display-name="scanner-slim" \ - name="rhacs-scanner-slim-rhel8" + name="advanced-cluster-security/rhacs-scanner-slim-rhel8" ENV ROX_SLIM_MODE="true" @@ -96,7 +96,7 @@ FROM scanner-common AS scanner LABEL \ com.redhat.component="rhacs-scanner-container" \ io.k8s.display-name="scanner" \ - name="rhacs-scanner-rhel8" + name="advanced-cluster-security/rhacs-scanner-rhel8" ENV NVD_DEFINITIONS_DIR="/nvd_definitions" ENV K8S_DEFINITIONS_DIR="/k8s_definitions" From 2bae8675084ba5aced85cea2536a8c9792b0a86b Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Wed, 15 Oct 2025 11:56:01 +0200 Subject: [PATCH 2/2] Actually update the CPE label --- .tekton/scanner-build.yaml | 2 +- .tekton/scanner-db-build.yaml | 2 +- .tekton/scanner-db-slim-build.yaml | 2 +- .tekton/scanner-slim-build.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml index e97308b3a..62a9db6d0 100644 --- a/.tekton/scanner-build.yaml +++ b/.tekton/scanner-build.yaml @@ -56,7 +56,7 @@ spec: - name: extra-labels value: # X.Y in the cpe label must be adjusted for every version stream. - - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" + - "cpe=cpe:/a:redhat:advanced_cluster_security:4.9::el8" workspaces: - name: git-auth diff --git a/.tekton/scanner-db-build.yaml b/.tekton/scanner-db-build.yaml index c386ed7df..cdb1737f3 100644 --- a/.tekton/scanner-db-build.yaml +++ b/.tekton/scanner-db-build.yaml @@ -53,7 +53,7 @@ spec: - name: extra-labels value: # X.Y in the cpe label must be adjusted for every version stream. - - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" + - "cpe=cpe:/a:redhat:advanced_cluster_security:4.9::el8" workspaces: - name: git-auth diff --git a/.tekton/scanner-db-slim-build.yaml b/.tekton/scanner-db-slim-build.yaml index 0d1d09c04..1e6b58fad 100644 
--- a/.tekton/scanner-db-slim-build.yaml +++ b/.tekton/scanner-db-slim-build.yaml @@ -53,7 +53,7 @@ spec: - name: extra-labels value: # X.Y in the cpe label must be adjusted for every version stream. - - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" + - "cpe=cpe:/a:redhat:advanced_cluster_security:4.9::el8" workspaces: - name: git-auth diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml index 32eac14b8..b31b2e2db 100644 --- a/.tekton/scanner-slim-build.yaml +++ b/.tekton/scanner-slim-build.yaml @@ -56,7 +56,7 @@ spec: - name: extra-labels value: # X.Y in the cpe label must be adjusted for every version stream. - - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" + - "cpe=cpe:/a:redhat:advanced_cluster_security:4.9::el8" workspaces: - name: git-auth