From 36f3f0ae490aa89db425b6faa25231cb00b174fb Mon Sep 17 00:00:00 2001
From: Misha Sugakov <537715+msugakov@users.noreply.github.com>
Date: Wed, 15 Oct 2025 11:39:36 +0200
Subject: [PATCH 1/3] ROX-30918, ROX-31049: Update labels, fix docker mediaType (#2300)

---
 .tekton/scanner-build.yaml | 4 ++++
 .tekton/scanner-component-pipeline.yaml | 25 +++++++++++++++++++++++++
 .tekton/scanner-db-build.yaml | 4 ++++
 .tekton/scanner-db-slim-build.yaml | 4 ++++
 .tekton/scanner-slim-build.yaml | 4 ++++
 image/db/rhel/konflux.Dockerfile | 4 ++--
 image/scanner/rhel/konflux.Dockerfile | 4 ++--
 7 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml
index 789242dc2..b374d5620 100644
--- a/.tekton/scanner-build.yaml
+++ b/.tekton/scanner-build.yaml
@@ -53,6 +53,10 @@ spec:
 value: 'true'
 - name: blobs-to-fetch
 value: [ 'nvd-definitions.zip', 'k8s-definitions.zip', 'repo2cpe.zip', 'genesis_manifests.json' ]
+ - name: extra-labels
+ value:
+ # X.Y in the cpe label must be adjusted for every version stream.
+ - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
 workspaces:
 - name: git-auth
diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml
index 1d14d5af0..2d523221a 100644
--- a/.tekton/scanner-component-pipeline.yaml
+++ b/.tekton/scanner-component-pipeline.yaml
@@ -120,6 +120,9 @@ spec:
 default: docker
 type: string
 description: The format for the resulting image's mediaType. Valid values are oci or docker.
+ - name: extra-labels
+ type: array
+ description: Additional labels to put on the built containers.
 results:
 - description: ""
 name: IMAGE_URL
@@ -293,6 +296,10 @@ spec:
 value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 - name: BUILDAH_FORMAT
 value: $(params.buildah-format)
+ - name: LABELS
+ value: ["$(params.extra-labels[*])"]
+ - name: BUILD_TIMESTAMP
+ value: "$(tasks.clone-repository.results.commit-timestamp)"
 taskRef:
 params:
 - name: name
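Review bot: The new `extra-labels` parameter in scanner-component-pipeline.yaml (hunk @@ -120) is declared as `type: array` with no `default`, which in Tekton makes it mandatory, so any PipelineRun of this pipeline that does not set it fails validation instead of simply building without extra labels; adding `default: []` keeps the parameter optional. The description could also state the expected element form, since the entries are handed to the build task's `LABELS` untouched and the PipelineRuns in this series pass them as `key=value`, e.g. `description: Additional labels to put on the built containers, each as key=value.` The identical `cpe=...` entry is repeated in all four PipelineRuns touched here; if every scanner component is meant to carry the same cpe label, that value could presumably live once as this parameter's default, so the per-version-stream adjustment the accompanying comment asks for happens in one file rather than four.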
@@ -333,6 +340,12 @@ spec:
 value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 - name: PLATFORM
 value: linux/s390x
+ - name: BUILDAH_FORMAT
+ value: $(params.buildah-format)
+ - name: LABELS
+ value: ["$(params.extra-labels[*])"]
+ - name: BUILD_TIMESTAMP
+ value: "$(tasks.clone-repository.results.commit-timestamp)"
 taskRef:
 params:
 - name: name
@@ -373,6 +386,12 @@ spec:
 value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 - name: PLATFORM
 value: linux/ppc64le
+ - name: BUILDAH_FORMAT
+ value: $(params.buildah-format)
+ - name: LABELS
+ value: ["$(params.extra-labels[*])"]
+ - name: BUILD_TIMESTAMP
+ value: "$(tasks.clone-repository.results.commit-timestamp)"
 taskRef:
 params:
 - name: name
@@ -413,6 +432,12 @@ spec:
 value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 - name: PLATFORM
 value: linux/arm64
+ - name: BUILDAH_FORMAT
+ value: $(params.buildah-format)
+ - name: LABELS
+ value: ["$(params.extra-labels[*])"]
+ - name: BUILD_TIMESTAMP
+ value: "$(tasks.clone-repository.results.commit-timestamp)"
 taskRef:
 params:
 - name: name
diff --git a/.tekton/scanner-db-build.yaml b/.tekton/scanner-db-build.yaml
index 2fe213873..e8bae4f6b 100644
--- a/.tekton/scanner-db-build.yaml
+++ b/.tekton/scanner-db-build.yaml
@@ -50,6 +50,10 @@ spec:
 value: 'true'
 - name: blobs-to-fetch
 value: [ 'pg-definitions.sql.gz' ]
+ - name: extra-labels
+ value:
+ # X.Y in the cpe label must be adjusted for every version stream.
+ - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
 workspaces:
 - name: git-auth
diff --git a/.tekton/scanner-db-slim-build.yaml b/.tekton/scanner-db-slim-build.yaml
index b6f8e3570..8cc0a9957 100644
--- a/.tekton/scanner-db-slim-build.yaml
+++ b/.tekton/scanner-db-slim-build.yaml
@@ -50,6 +50,10 @@ spec:
 value: 'true'
 - name: blobs-to-fetch
 value: [ ]
+ - name: extra-labels
+ value:
+ # X.Y in the cpe label must be adjusted for every version stream.
+ - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
 workspaces:
 - name: git-auth
diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml
index 8a933d312..3da1a4b50 100644
--- a/.tekton/scanner-slim-build.yaml
+++ b/.tekton/scanner-slim-build.yaml
@@ -53,6 +53,10 @@ spec:
 value: 'true'
 - name: blobs-to-fetch
 value: [ 'nvd-definitions.zip', 'k8s-definitions.zip', 'repo2cpe.zip', 'genesis_manifests.json' ]
+ - name: extra-labels
+ value:
+ # X.Y in the cpe label must be adjusted for every version stream.
+ - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
 workspaces:
 - name: git-auth
diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile
index b62082f00..f27ad372f 100644
--- a/image/db/rhel/konflux.Dockerfile
+++ b/image/db/rhel/konflux.Dockerfile
@@ -57,7 +57,7 @@ FROM scanner-db-common AS scanner-db-slim
 LABEL \
 com.redhat.component="rhacs-scanner-db-slim-container" \
 io.k8s.display-name="scanner-db-slim" \
- name="rhacs-scanner-db-slim-rhel8"
+ name="advanced-cluster-security/rhacs-scanner-db-slim-rhel8"
 ENV ROX_SLIM_MODE="true"
@@ -67,7 +67,7 @@ FROM scanner-db-common AS scanner-db
 LABEL \
 com.redhat.component="rhacs-scanner-db-container" \
 io.k8s.display-name="scanner-db" \
- name="rhacs-scanner-db-rhel8"
+ name="advanced-cluster-security/rhacs-scanner-db-rhel8"
 COPY --chown=0:0 .konflux/scanner-data/blob-pg-definitions.sql.gz \
 /docker-entrypoint-initdb.d/definitions.sql.gz
diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile
index c580ba5de..3b3f8d2fa 100644
--- a/image/scanner/rhel/konflux.Dockerfile
+++ b/image/scanner/rhel/konflux.Dockerfile
@@ -85,7 +85,7 @@ FROM scanner-common AS scanner-slim
 LABEL \
 com.redhat.component="rhacs-scanner-slim-container" \
 io.k8s.display-name="scanner-slim" \
- name="rhacs-scanner-slim-rhel8"
+ name="advanced-cluster-security/rhacs-scanner-slim-rhel8"
 ENV ROX_SLIM_MODE="true"
@@ -96,7 +96,7 @@ FROM scanner-common AS scanner
 LABEL \
 com.redhat.component="rhacs-scanner-container" \
 io.k8s.display-name="scanner" \
- name="rhacs-scanner-rhel8"
+ name="advanced-cluster-security/rhacs-scanner-rhel8"
 ENV NVD_DEFINITIONS_DIR="/nvd_definitions"
 ENV K8S_DEFINITIONS_DIR="/k8s_definitions"

From 01b0c7ee8c6c0f99e49d211bc016d7faa82c761f Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Wed, 15 Oct 2025 12:01:18 +0200
Subject: [PATCH 2/3] Update `cpe` label

---
 .tekton/scanner-build.yaml | 2 +-
 .tekton/scanner-db-build.yaml | 2 +-
 .tekton/scanner-db-slim-build.yaml | 2 +-
 .tekton/scanner-slim-build.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml
index b374d5620..2e5b43837 100644
--- a/.tekton/scanner-build.yaml
+++ b/.tekton/scanner-build.yaml
@@ -56,7 +56,7 @@ spec:
 - name: extra-labels
 value:
 # X.Y in the cpe label must be adjusted for every version stream.
- - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+ - "cpe=cpe:/a:redhat:advanced_cluster_security:4.7::el8"
 workspaces:
 - name: git-auth
diff --git a/.tekton/scanner-db-build.yaml b/.tekton/scanner-db-build.yaml
index e8bae4f6b..2bde2fd86 100644
--- a/.tekton/scanner-db-build.yaml
+++ b/.tekton/scanner-db-build.yaml
@@ -53,7 +53,7 @@ spec:
 - name: extra-labels
 value:
 # X.Y in the cpe label must be adjusted for every version stream.
- - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+ - "cpe=cpe:/a:redhat:advanced_cluster_security:4.7::el8"
 workspaces:
 - name: git-auth
diff --git a/.tekton/scanner-db-slim-build.yaml b/.tekton/scanner-db-slim-build.yaml
index 8cc0a9957..8c9c1e55a 100644
--- a/.tekton/scanner-db-slim-build.yaml
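Review bot: In the scanner-build.yaml hunk of PATCH 2/3 the context comment kept above the changed line, `# X.Y in the cpe label must be adjusted for every version stream.`, now refers to a placeholder that no longer appears in the value below it, which reads `4.7`; the same stale comment survives in the scanner-db-build.yaml, scanner-db-slim-build.yaml and scanner-slim-build.yaml hunks of this patch. Rewording it to `# The version (here 4.7) in the cpe label must be adjusted for every version stream.` keeps the instruction accurate after the substitution. Since the version is now hard-coded in four files, a release-branching checklist entry or a single grep-able marker would help keep the copies in sync, as a cpe label left on the previous stream's value would presumably make tooling that keys on it attribute the image to the wrong product version.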
+++ b/.tekton/scanner-db-slim-build.yaml
@@ -53,7 +53,7 @@ spec:
 - name: extra-labels
 value:
 # X.Y in the cpe label must be adjusted for every version stream.
- - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+ - "cpe=cpe:/a:redhat:advanced_cluster_security:4.7::el8"
 workspaces:
 - name: git-auth
diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml
index 3da1a4b50..9d791c82b 100644
--- a/.tekton/scanner-slim-build.yaml
+++ b/.tekton/scanner-slim-build.yaml
@@ -56,7 +56,7 @@ spec:
 - name: extra-labels
 value:
 # X.Y in the cpe label must be adjusted for every version stream.
- - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+ - "cpe=cpe:/a:redhat:advanced_cluster_security:4.7::el8"
 workspaces:
 - name: git-auth

From 075cf671e70b03a8b2b6bf0166e09b51779f7202 Mon Sep 17 00:00:00 2001
From: Misha Sugakov <537715+msugakov@users.noreply.github.com>
Date: Mon, 13 Oct 2025 12:56:22 +0200
Subject: [PATCH 3/3] build: Add CPU limits to scanner builds (#2293)

---
 .tekton/scanner-build.yaml | 2 ++
 .tekton/scanner-slim-build.yaml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml
index 2e5b43837..832ac1527 100644
--- a/.tekton/scanner-build.yaml
+++ b/.tekton/scanner-build.yaml
@@ -72,6 +72,8 @@ spec:
 # This is not required for multi-arch builds, because they are performed off cluster
 - name: build
 computeResources:
+ limits:
+ cpu: 2
 requests:
 cpu: 2
diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml
index 9d791c82b..a7391caf7 100644
--- a/.tekton/scanner-slim-build.yaml
+++ b/.tekton/scanner-slim-build.yaml
@@ -72,6 +72,8 @@ spec:
 # This is not required for multi-arch builds, because they are performed off cluster
 - name: build
 computeResources:
+ limits:
+ cpu: 2
 requests:
 cpu: 2
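Review bot: In PATCH 3/3 the `limits:` / `cpu: 2` block is added to the `build` task of scanner-build.yaml and scanner-slim-build.yaml only, while scanner-db-build.yaml and scanner-db-slim-build.yaml, which the earlier patches in this series show share the same PipelineRun layout, are left untouched; if they also declare `computeResources.requests` for `build` (not visible here) they remain without a limit. If that asymmetry is deliberate, a short comment beside `limits:` saying why would spare the next reader from copying the block across. Setting the limit equal to the request pins the task to exactly two CPUs, so a build that previously could burst above its request is now throttled instead, which is worth stating next to the existing `# This is not required for multi-arch builds ...` comment if build duration was the reason for the request in the first place.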