Conversation

@msugakov msugakov commented Oct 13, 2025

Description

In this PR:

  1. I set the cpe and name labels similarly to what was suggested in PRs from Ralph, e.g. chore(KONFLUX-6210): fix name label and set cpe label #2148.
  2. Set the org.opencontainers.image.created label. This one is flagged as a warning by Conforma and so is worth proactively addressing. It goes via the BUILD_TIMESTAMP param. See the related thread.
  3. Fix the media type that wasn't correctly set for multi-arch images; see the Slack thread after this message. This one's done via the BUILDAH_FORMAT param.

The PR can be reviewed by commits.

This PR is to be backported to release branches (part of the same task).

Validation

  • Pulled images for each of 4 architectures as well as index image and inspected their labels.
  • cpe is there.
  • name is new.
  • org.opencontainers.image.created is there and looks valid.
  • Verified media type of 4 per-arch images and of index image.

Did this by looking at the output of the script provided below.

  • Verified Conforma does not flag missing SBOMs or something similar.

openshift-ci bot commented Oct 13, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@msugakov msugakov force-pushed the misha/ROX-30918-update-labels branch from 7bbe967 to 11c0586 Compare October 13, 2025 13:44
as proposed in #2148
@msugakov msugakov force-pushed the misha/ROX-30918-update-labels branch from 11c0586 to 0107ed6 Compare October 13, 2025 18:22
I wired it through pipeline files and not dockerfiles because when
changing app, component and serviceaccount suffixes, it can also be
noticed and modified in the same place rather than chasing
konflux.Dockerfiles.
via `BUILD_TIMESTAMP` param.
The label is currently highlighted as a warning by Conforma.
@msugakov msugakov force-pushed the misha/ROX-30918-update-labels branch from 0107ed6 to 85c1a10 Compare October 14, 2025 10:52
@stackrox stackrox deleted a comment from openshift-ci bot Oct 14, 2025
@stackrox stackrox deleted a comment from openshift-ci bot Oct 14, 2025
@msugakov
Contributor Author

/retest

@msugakov msugakov changed the title ROX-30918: Update labels ROX-30918, ROX-31049: Update labels, fix docker mediaType Oct 14, 2025

msugakov commented Oct 14, 2025

Checking mediaType

First, on image index.

For the new image

$ skopeo inspect --raw docker://quay.io/rhacs-eng/release-scanner-db:2.37.x-123-g85c1a10c2f-fast | jq | grep mediaType
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",

For some old image

$ skopeo inspect --raw docker://quay.io/rhacs-eng/release-scanner-db:2.37.x-86-g512e07171a-fast | jq | grep mediaType 
  "mediaType": "application/vnd.oci.image.index.v1+json",
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "mediaType": "application/vnd.oci.image.manifest.v1+json",

From there, one can check on per-arch images like this:

$ skopeo inspect --raw docker://quay.io/rhacs-eng/release-scanner-db:2.37.x-123-g85c1a10c2f-fast-arm64 | jq | grep mediaType
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "mediaType": "application/vnd.docker.container.image.v1+json",
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
$ skopeo inspect --raw docker://quay.io/rhacs-eng/release-scanner-db:2.37.x-86-g512e07171a-fast-arm64 | jq | grep mediaType 
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "mediaType": "application/vnd.oci.image.config.v1+json",
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",

So we need to make sure there's .docker. and no .oci. for the new images.

@msugakov
Contributor Author

Here's my "data dump" script:

#!/usr/bin/env bash
# Dumps the mediaType values of the release-scanner image indexes and their per-arch
# images, then the labels of interest, so the output can be eyeballed or piped
# through `sort | uniq -c` to spot any value that differs across repos/arches.

set -euo pipefail

tag="2.37.x-123-g85c1a10c2f-fast"
parent="quay.io/rhacs-eng"
repos=(release-scanner release-scanner-db release-scanner-slim release-scanner-db-slim)
arch_suffixes=(amd64 s390x ppc64le arm64)

echo " >>> Checking mediaType on indexes"

# --raw returns the manifest list as stored in the registry; jq pretty-prints it
# so that every mediaType ends up on its own line for grep.
for repo in "${repos[@]}"; do
  index="${parent}/${repo}:${tag}"
  echo "  >>> on ${index}"
  skopeo inspect --raw "docker://${index}" | jq | grep mediaType
done

echo " >>> Checking mediaType on images"

# Per-arch images are tagged <index tag>-<arch>; their raw manifest lists the
# manifest, config and layer media types.
for repo in "${repos[@]}"; do
  index="${parent}/${repo}:${tag}"

  for arch in "${arch_suffixes[@]}"; do
    image="${index}-${arch}"
    echo "  >>> on ${image}"
    skopeo inspect --raw "docker://${image}" | jq | grep mediaType
  done
done

echo " >>> Checking labels on images"

# Without --raw, skopeo prints the decoded config including its Labels map;
# --no-tags skips the (slow) listing of all repository tags.
for repo in "${repos[@]}"; do
  index="${parent}/${repo}:${tag}"

  for arch in "${arch_suffixes[@]}"; do
    image="${index}-${arch}"
    echo "  >>> on ${image}"
    skopeo inspect --no-tags "docker://${image}" | grep -E '"(cpe|name|org.opencontainers.image.created)"'
  done
done

Ran it both stand-alone, looking through the output, and as ./check.sh | sort | uniq -c, also looking through the output.
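The two comments above verify by eye that the new images carry only `.docker.` media types and that the three labels are present with a valid `org.opencontainers.image.created` value. This added check (example code, not part of the PR or the script above) asserts the same things on the JSON that `skopeo inspect --raw` and `skopeo inspect --no-tags` print; the sample documents embedded below are constructed, and the cpe/name label values are placeholders.

```python
import json
from datetime import datetime

# Media types expected for Docker-format (BUILDAH_FORMAT) images, as seen in the thread above.
DOCKER_MEDIA_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",  # image index
    "application/vnd.docker.distribution.manifest.v2+json",  # per-arch manifest
    "application/vnd.docker.container.image.v1+json",  # config blob
    "application/vnd.docker.image.rootfs.diff.tar.gzip",  # layer
}
REQUIRED_LABELS = ("cpe", "name", "org.opencontainers.image.created")

def media_types(node):
    """Yield every 'mediaType' value anywhere in a manifest or index JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "mediaType" and isinstance(value, str):
                yield value
            else:
                yield from media_types(value)
    elif isinstance(node, list):
        for item in node:
            yield from media_types(item)

def non_docker_media_types(raw_json):
    """Media types in `skopeo inspect --raw` output that are not Docker v2 types (e.g. OCI ones)."""
    return sorted({mt for mt in media_types(json.loads(raw_json)) if mt not in DOCKER_MEDIA_TYPES})

def label_problems(inspect_json):
    """Problems with the labels in `skopeo inspect --no-tags` output (its 'Labels' map)."""
    labels = json.loads(inspect_json).get("Labels") or {}
    problems = [f"missing label {name!r}" for name in REQUIRED_LABELS if not labels.get(name)]
    created = labels.get("org.opencontainers.image.created")
    if created:
        try:  # must be an RFC 3339 timestamp; map 'Z' for fromisoformat on older Pythons
            datetime.fromisoformat(created.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"org.opencontainers.image.created={created!r} is not a timestamp")
    return problems

# Constructed samples, not real registry output: an OCI-format index like the "old image"
# in the thread, a Docker-format per-arch manifest like the new one, and placeholder labels.
OLD_INDEX = json.dumps({"mediaType": "application/vnd.oci.image.index.v1+json", "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "platform": {"architecture": "arm64"}}]})
NEW_MANIFEST = json.dumps({"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json"},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip"}]})
NEW_INSPECT = json.dumps({"Labels": {"cpe": "cpe:/a:placeholder:X.Y", "name": "placeholder/name",
    "org.opencontainers.image.created": "2025-10-14T10:52:00Z"}})
```

On real images, pass the stdout of the two skopeo commands from the script above to `non_docker_media_types` and `label_problems`; an empty list from each means the image passes.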

@msugakov msugakov marked this pull request as ready for review October 15, 2025 08:22
@msugakov msugakov requested review from a team and rhacs-bot as code owners October 15, 2025 08:22
@msugakov msugakov requested a review from tommartensen October 15, 2025 08:22
value: [ 'nvd-definitions.zip', 'k8s-definitions.zip', 'repo2cpe.zip', 'genesis_manifests.json' ]
- name: extra-labels
value:
# X.Y in the cpe label must be adjusted for every version stream.
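Review bot: the "# X.Y in the cpe label must be adjusted for every version stream." comment makes the cpe value a manual per-branch edit, and the description says this PR is to be backported to release branches, so every backport has to remember to change it; consider deriving the X.Y part from the version the pipeline already knows, or adding a check that fails the build when the value still reads X.Y.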
@tommartensen tommartensen Oct 15, 2025


openshift-ci bot commented Oct 15, 2025

@msugakov: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name          Commit   Details  Required  Rerun command
ci/prow/e2e-tests  85c1a10  link     false     /test e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
