From 1a702189f4e010f3f6cf5472e39398da379a0cd0 Mon Sep 17 00:00:00 2001 From: davdhacs <105243888+davdhacs@users.noreply.github.com> Date: Wed, 18 Feb 2026 14:01:52 -0700 Subject: [PATCH 1/6] chore(build): Migrate scanner images to UBI9/RHEL9 Migrate all scanner base images from UBI8/RHEL8 to UBI9/RHEL9: Konflux base images: - Builder: openshift-golang-builder:rhel_9_golang_1.25 - Scanner runtime: ubi9-minimal - Scanner DB: rhel9/postgresql-15 Non-Konflux base images: - Scanner: ubi9-minimal - Scanner DB: ubi9 / ubi9-minimal - Vulnerabilities: ubi9-minimal Other updates: - Tekton CPE labels: el8 -> el9 - rpms.lock.yaml: xz updated to RHEL 9 version (5.2.5-8.el9_0) - rpms.rhel.repo: RHEL 8 repos -> RHEL 9 repos - PostgreSQL download script: pg_rhel_major=9 - Image name labels: rhel8 -> rhel9 - microdnf install -y xz (explicit -y for UBI9 compatibility) Co-Authored-By: Claude Opus 4.6 (1M context) --- .tekton/scanner-build.yaml | 2 +- .tekton/scanner-db-build.yaml | 2 +- .tekton/scanner-db-slim-build.yaml | 2 +- .tekton/scanner-slim-build.yaml | 2 +- image/db/rhel/Dockerfile | 4 +- image/db/rhel/Dockerfile.slim | 4 +- image/db/rhel/konflux.Dockerfile | 6 +- image/db/rhel/scripts/download.sh | 2 +- image/scanner/rhel/Dockerfile | 2 +- image/scanner/rhel/Dockerfile.slim | 2 +- image/scanner/rhel/konflux.Dockerfile | 10 +-- image/vulnerabilities/Dockerfile | 2 +- rpms.lock.yaml | 88 +++++++++++++-------------- rpms.rhel.repo | 13 ++-- 14 files changed, 71 insertions(+), 70 deletions(-) diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml index b46fedc05..451b659c8 100644 --- a/.tekton/scanner-build.yaml +++ b/.tekton/scanner-build.yaml @@ -56,7 +56,7 @@ spec: - name: extra-labels value: # X.Y in the cpe label must be adjusted for every version stream. - - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9" workspaces: - name: git-auth 
diff --git a/.tekton/scanner-db-build.yaml b/.tekton/scanner-db-build.yaml index 14bc422c7..352923dbe 100644 --- a/.tekton/scanner-db-build.yaml +++ b/.tekton/scanner-db-build.yaml @@ -53,7 +53,7 @@ spec: - name: extra-labels value: # X.Y in the cpe label must be adjusted for every version stream. - - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9" workspaces: - name: git-auth diff --git a/.tekton/scanner-db-slim-build.yaml b/.tekton/scanner-db-slim-build.yaml index f08620c78..4c25a3a19 100644 --- a/.tekton/scanner-db-slim-build.yaml +++ b/.tekton/scanner-db-slim-build.yaml @@ -53,7 +53,7 @@ spec: - name: extra-labels value: # X.Y in the cpe label must be adjusted for every version stream. - - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9" workspaces: - name: git-auth diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml index 3b6d12a18..d4e293c92 100644 --- a/.tekton/scanner-slim-build.yaml +++ b/.tekton/scanner-slim-build.yaml @@ -56,7 +56,7 @@ spec: - name: extra-labels value: # X.Y in the cpe label must be adjusted for every version stream. - - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9" workspaces: - name: git-auth diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index 6e6439705..bffbfc43f 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile @@ -1,9 +1,9 @@ ARG RPMS_REGISTRY=registry.access.redhat.com -ARG RPMS_BASE_IMAGE=ubi8 +ARG RPMS_BASE_IMAGE=ubi9 ARG RPMS_BASE_TAG=latest ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal +ARG BASE_IMAGE=ubi9-minimal ARG BASE_TAG=latest FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle diff --git a/image/db/rhel/Dockerfile.slim b/image/db/rhel/Dockerfile.slim index 8352a1add..8e3bb7d34 100644 
--- a/image/db/rhel/Dockerfile.slim +++ b/image/db/rhel/Dockerfile.slim @@ -1,9 +1,9 @@ ARG RPMS_REGISTRY=registry.access.redhat.com -ARG RPMS_BASE_IMAGE=ubi8 +ARG RPMS_BASE_IMAGE=ubi9 ARG RPMS_BASE_TAG=latest ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal +ARG BASE_IMAGE=ubi9-minimal ARG BASE_TAG=latest FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile index d9642f550..ad82c2f9d 100644 --- a/image/db/rhel/konflux.Dockerfile +++ b/image/db/rhel/konflux.Dockerfile @@ -1,4 +1,4 @@ -FROM registry.redhat.io/rhel8/postgresql-15:latest@sha256:94182920a14a5175523d40c1bdf1168eaabbb6b494eda0519d3a87916ba937d6 AS scanner-db-common +FROM registry.redhat.io/rhel9/postgresql-15:latest@sha256:cba1417b7e8a5b55289aa951c48dc940c72ebea5380045f32cd8faba41937f9b AS scanner-db-common ARG SCANNER_TAG RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi @@ -57,7 +57,7 @@ FROM scanner-db-common AS scanner-db-slim LABEL \ com.redhat.component="rhacs-scanner-db-slim-container" \ io.k8s.display-name="scanner-db-slim" \ - name="advanced-cluster-security/rhacs-scanner-db-slim-rhel8" + name="advanced-cluster-security/rhacs-scanner-db-slim-rhel9" ENV ROX_SLIM_MODE="true" @@ -67,7 +67,7 @@ FROM scanner-db-common AS scanner-db LABEL \ com.redhat.component="rhacs-scanner-db-container" \ io.k8s.display-name="scanner-db" \ - name="advanced-cluster-security/rhacs-scanner-db-rhel8" + name="advanced-cluster-security/rhacs-scanner-db-rhel9" COPY --chown=0:0 .konflux/scanner-data/blob-pg-definitions.sql.gz \ /docker-entrypoint-initdb.d/definitions.sql.gz diff --git a/image/db/rhel/scripts/download.sh b/image/db/rhel/scripts/download.sh index 065310e08..f64470109 100755 --- a/image/db/rhel/scripts/download.sh +++ b/image/db/rhel/scripts/download.sh 
@@ -4,7 +4,7 @@ set -euo pipefail # If this is updated, be sure to update PG_MAJOR in the Dockerfile and the signature file. postgres_major=15 -pg_rhel_major=8 +pg_rhel_major=9 arch="$(uname -m)" dnf_list_args=() diff --git a/image/scanner/rhel/Dockerfile b/image/scanner/rhel/Dockerfile index 2b3cb90f5..1ba00a553 100644 --- a/image/scanner/rhel/Dockerfile +++ b/image/scanner/rhel/Dockerfile @@ -1,5 +1,5 @@ ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal +ARG BASE_IMAGE=ubi9-minimal ARG BASE_TAG=latest FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle diff --git a/image/scanner/rhel/Dockerfile.slim b/image/scanner/rhel/Dockerfile.slim index ee992eb92..23960a08a 100644 --- a/image/scanner/rhel/Dockerfile.slim +++ b/image/scanner/rhel/Dockerfile.slim @@ -1,5 +1,5 @@ ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal +ARG BASE_IMAGE=ubi9-minimal ARG BASE_TAG=latest FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index 2ce23a266..2a2c7a1ad 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile @@ -1,5 +1,5 @@ # Compiling scanner binaries and staging repo2cpe and genesis manifests -FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25@sha256:aa03597ee8c7594ffecef5cbb6a0f059d362259d2a41225617b27ec912a3d0d3 AS builder +FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25@sha256:bd531796aacb86e4f97443797262680fbf36ca048717c00b6f4248465e1a7c0c AS builder ARG SCANNER_TAG RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi 
@@ -28,7 +28,7 @@ COPY .konflux/scanner-data/blob-genesis_manifests.json image/scanner/dump/genesi # Common base for scanner slim and full -FROM registry.access.redhat.com/ubi8-minimal:latest@sha256:48adecc91f276734fa51987bc2203a31db9ba87a512c436c0a3fcac53135378d AS scanner-common +FROM registry.access.redhat.com/ubi9-minimal:latest@sha256:c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 AS scanner-common ARG SCANNER_TAG @@ -59,7 +59,7 @@ COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifest COPY LICENSE /licenses/LICENSE -RUN microdnf install xz && \ +RUN microdnf install -y xz && \ microdnf clean all && \ # (Optional) Remove line below to keep package management utilities # We don't uninstall rpm because scanner uses it to get packages installed in scanned images. @@ -85,7 +85,7 @@ FROM scanner-common AS scanner-slim LABEL \ com.redhat.component="rhacs-scanner-slim-container" \ io.k8s.display-name="scanner-slim" \ - name="advanced-cluster-security/rhacs-scanner-slim-rhel8" + name="advanced-cluster-security/rhacs-scanner-slim-rhel9" ENV ROX_SLIM_MODE="true" @@ -96,7 +96,7 @@ FROM scanner-common AS scanner LABEL \ com.redhat.component="rhacs-scanner-container" \ io.k8s.display-name="scanner" \ - name="advanced-cluster-security/rhacs-scanner-rhel8" + name="advanced-cluster-security/rhacs-scanner-rhel9" ENV NVD_DEFINITIONS_DIR="/nvd_definitions" ENV K8S_DEFINITIONS_DIR="/k8s_definitions" diff --git a/image/vulnerabilities/Dockerfile b/image/vulnerabilities/Dockerfile index 6a80b3529..2fd60c4bd 100644 --- a/image/vulnerabilities/Dockerfile +++ b/image/vulnerabilities/Dockerfile @@ -1,5 +1,5 @@ ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal +ARG BASE_IMAGE=ubi9-minimal ARG BASE_TAG=latest FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} diff --git a/rpms.lock.yaml b/rpms.lock.yaml index f210c9ecf..e343b7586 100644 --- a/rpms.lock.yaml +++ b/rpms.lock.yaml 
@@ -4,69 +4,69 @@ lockfileVendor: redhat arches: - arch: aarch64 packages: - - url: https://cdn.redhat.com/content/dist/rhel8/8/aarch64/baseos/os/Packages/x/xz-5.2.4-4.el8_6.aarch64.rpm - repoid: rhel-8-for-aarch64-baseos-rpms - size: 156276 - checksum: sha256:342a2504cb34c9a5c1d43906f534cb1f3bf1de58ac517d575cff57053d04ab00 + - url: https://cdn.redhat.com/content/dist/rhel9/9/aarch64/baseos/os/Packages/x/xz-5.2.5-8.el9_0.aarch64.rpm + repoid: rhel-9-for-aarch64-baseos-rpms + size: 235798 + checksum: sha256:26ac21be6c1e396c7bcbaa9d4786e3275e996d9d78c01f75bbbc6962e6c9bef7 name: xz - evr: 5.2.4-4.el8_6 - sourcerpm: xz-5.2.4-4.el8_6.src.rpm + evr: 5.2.5-8.el9_0 + sourcerpm: xz-5.2.5-8.el9_0.src.rpm source: - - url: https://cdn.redhat.com/content/dist/rhel8/8/aarch64/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm - repoid: rhel-8-for-aarch64-baseos-source-rpms - size: 1077113 - checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a + - url: https://cdn.redhat.com/content/dist/rhel9/9/aarch64/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm + repoid: rhel-9-for-aarch64-baseos-source-rpms + size: 1168293 + checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46 name: xz - evr: 5.2.4-4.el8_6 + evr: 5.2.5-8.el9_0 module_metadata: [] - arch: ppc64le packages: - - url: https://cdn.redhat.com/content/dist/rhel8/8/ppc64le/baseos/os/Packages/x/xz-5.2.4-4.el8_6.ppc64le.rpm - repoid: rhel-8-for-ppc64le-baseos-rpms - size: 162264 - checksum: sha256:80d2fc754452ae52b3b36504e5cceb5cd5435a97999351402ae7a28298592a01 + - url: https://cdn.redhat.com/content/dist/rhel9/9/ppc64le/baseos/os/Packages/x/xz-5.2.5-8.el9_0.ppc64le.rpm + repoid: rhel-9-for-ppc64le-baseos-rpms + size: 243215 + checksum: sha256:44cd014634f8a5cb83aff336500b0f2e3bec156a34e7da09e0ae6ef4b5e26467 name: xz - evr: 5.2.4-4.el8_6 - sourcerpm: xz-5.2.4-4.el8_6.src.rpm + evr: 5.2.5-8.el9_0 + sourcerpm: xz-5.2.5-8.el9_0.src.rpm source: - - url: 
https://cdn.redhat.com/content/dist/rhel8/8/ppc64le/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm - repoid: rhel-8-for-ppc64le-baseos-source-rpms - size: 1077113 - checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a + - url: https://cdn.redhat.com/content/dist/rhel9/9/ppc64le/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm + repoid: rhel-9-for-ppc64le-baseos-source-rpms + size: 1168293 + checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46 name: xz - evr: 5.2.4-4.el8_6 + evr: 5.2.5-8.el9_0 module_metadata: [] - arch: s390x packages: - - url: https://cdn.redhat.com/content/dist/rhel8/8/s390x/baseos/os/Packages/x/xz-5.2.4-4.el8_6.s390x.rpm - repoid: rhel-8-for-s390x-baseos-rpms - size: 155012 - checksum: sha256:7fb678077d965dd6aeb09df28ce05cba9c22e4110d4b52f1ee43986beb87a5ff + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/baseos/os/Packages/x/xz-5.2.5-8.el9_0.s390x.rpm + repoid: rhel-9-for-s390x-baseos-rpms + size: 234632 + checksum: sha256:c06f44e6fb5a0a1fbf3c052d065b6336c3d17cedbc796260cf0c097b98326906 name: xz - evr: 5.2.4-4.el8_6 - sourcerpm: xz-5.2.4-4.el8_6.src.rpm + evr: 5.2.5-8.el9_0 + sourcerpm: xz-5.2.5-8.el9_0.src.rpm source: - - url: https://cdn.redhat.com/content/dist/rhel8/8/s390x/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm - repoid: rhel-8-for-s390x-baseos-source-rpms - size: 1077113 - checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm + repoid: rhel-9-for-s390x-baseos-source-rpms + size: 1168293 + checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46 name: xz - evr: 5.2.4-4.el8_6 + evr: 5.2.5-8.el9_0 module_metadata: [] - arch: x86_64 packages: - - url: https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os/Packages/x/xz-5.2.4-4.el8_6.x86_64.rpm - repoid: 
rhel-8-for-x86_64-baseos-rpms - size: 156884 - checksum: sha256:fa4ceb20dbf23e9408a6446fefc4b709bc85e0bc563ca423569bbe08ecee2c5e + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/Packages/x/xz-5.2.5-8.el9_0.x86_64.rpm + repoid: rhel-9-for-x86_64-baseos-rpms + size: 235693 + checksum: sha256:f16d17c26a241400586ddc3d734ce863e3f19d433881ec640a47bedf0dafd07b name: xz - evr: 5.2.4-4.el8_6 - sourcerpm: xz-5.2.4-4.el8_6.src.rpm + evr: 5.2.5-8.el9_0 + sourcerpm: xz-5.2.5-8.el9_0.src.rpm source: - - url: https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm - repoid: rhel-8-for-x86_64-baseos-source-rpms - size: 1077113 - checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm + repoid: rhel-9-for-x86_64-baseos-source-rpms + size: 1168293 + checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46 name: xz - evr: 5.2.4-4.el8_6 + evr: 5.2.5-8.el9_0 module_metadata: [] diff --git a/rpms.rhel.repo b/rpms.rhel.repo index 62d56d521..43f110283 100644 --- a/rpms.rhel.repo +++ b/rpms.rhel.repo @@ -1,6 +1,6 @@ -[rhel-8-for-$basearch-baseos-rpms] -name = Red Hat Enterprise Linux 8 for $basearch - BaseOS (RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel8/8/$basearch/baseos/os +[rhel-9-for-$basearch-baseos-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/9/$basearch/baseos/os enabled = 1 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 
@@ -12,9 +12,9 @@ sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 1 -[rhel-8-for-$basearch-baseos-source-rpms] -name = Red Hat Enterprise Linux 8 for $basearch - BaseOS (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel8/8/$basearch/baseos/source/SRPMS +[rhel-9-for-$basearch-baseos-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/9/$basearch/baseos/source/SRPMS enabled = 1 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release @@ -25,3 +25,4 @@ sslclientcert = $SSL_CLIENT_CERT sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 + From b3addf35a42cf21af47fb0d4208aadced5e6bdd0 Mon Sep 17 00:00:00 2001 From: davdhacs <105243888+davdhacs@users.noreply.github.com> Date: Wed, 18 Feb 2026 14:01:59 -0700 Subject: [PATCH 2/6] fix: Add update-ca-trust workaround for unprivileged containers In UBI9, update-ca-trust fails when running as an unprivileged user (nobody:nobody) because it attempts to write to system-wide paths. Use the -o flag to specify a user-writable output directory. Also switch restore-all-dir-contents to use --no-clobber to avoid overwriting CA trust files that were already updated at runtime. See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240 Co-Authored-By: Claude Opus 4.6 (1M context) --- image/scanner/scripts/import-additional-cas | 4 +++- image/scanner/scripts/restore-all-dir-contents | 2 +- image/scanner/scripts/trust-root-ca | 5 ++++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/image/scanner/scripts/import-additional-cas b/image/scanner/scripts/import-additional-cas index e89f28a71..72a2ce832 100755 --- a/image/scanner/scripts/import-additional-cas +++ b/image/scanner/scripts/import-additional-cas 
@@ -19,4 +19,6 @@ copy_existing /usr/local/share/ca-certificates # Copy the custom trusted CA bundles injected by the Openshift Network Operator. copy_existing /etc/pki/injected-ca-trust
-update-ca-trust extract
+# The -o flag is required for running as an unprivileged user in containers.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240
+update-ca-trust extract -o /etc/pki/ca-trust/extracted
diff --git a/image/scanner/scripts/restore-all-dir-contents b/image/scanner/scripts/restore-all-dir-contents
index 360168578..b9e661a77 100755
--- a/image/scanner/scripts/restore-all-dir-contents
+++ b/image/scanner/scripts/restore-all-dir-contents
@@ -4,4 +4,4 @@ set -euo pipefail [ -d /.init-dirs ] || exit 0
-cp -rfP /.init-dirs/* /
+cp --recursive --no-dereference --no-clobber /.init-dirs/* /
diff --git a/image/scanner/scripts/trust-root-ca b/image/scanner/scripts/trust-root-ca
index 78eb99cd1..3fd0b700f 100755
--- a/image/scanner/scripts/trust-root-ca
+++ b/image/scanner/scripts/trust-root-ca
@@ -6,4 +6,7 @@ CA_PATH="/run/secrets/stackrox.io/certs/ca.pem" # For RHEL cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
-update-ca-trust
+
+# The -o flag is required for running as an unprivileged user in containers.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240
+update-ca-trust extract -o /etc/pki/ca-trust/extracted
From 46d33f643971c3231dcb72d76be0fb106fa93c77 Mon Sep 17 00:00:00 2001
From: davdhacs <105243888+davdhacs@users.noreply.github.com>
Date: Wed, 18 Feb 2026 15:00:59 -0700
Subject: [PATCH 3/6] empty commit
From 16b9bd59d63180e065559f54cd045b55316fc435 Mon Sep 17 00:00:00 2001
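Review bot: `update-ca-trust extract -o /etc/pki/ca-trust/extracted` only helps if that directory tree is already writable by the unprivileged runtime user, and neither this script nor the identical line added in the trust-root-ca hunk checks that before running. Presumably the image build makes the path writable (none of the Dockerfiles in this series shows it), so a guard that fails loudly would make the dependency explicit: `[ -w /etc/pki/ca-trust/extracted ] || { echo >&2 "error: /etc/pki/ca-trust/extracted is not writable"; exit 1; }`. The `-o` option also presumably needs a ca-certificates package that carries the fix from the linked bug, which is worth confirming once for the digest-pinned Konflux base image. import-additional-cas's body starts before this hunk.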
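Review bot: Replacing `-rfP` with `--no-clobber` changes restore-all-dir-contents from resetting files to the init snapshot to only filling in files that are missing, and nothing in the script records why; a comment on the `cp` line such as `# Keep files updated at runtime (e.g. the extracted CA trust); only restore what is missing.` would. Note also that under the `set -euo pipefail` at the top, some coreutils releases (9.2 through 9.4, if I recall the release notes correctly) exit non-zero when `--no-clobber` skips an existing file, which would abort this script; the coreutils shipped in RHEL 9 predates that change, but the assumption belongs in the same comment so a future base-image bump does not break initialisation silently.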
From: davdhacs <105243888+davdhacs@users.noreply.github.com>
Date: Mon, 9 Mar 2026 09:37:29 -0600
Subject: [PATCH 4/6] test: Unpin s390x PostgreSQL version (ROX-30647) Remove the pinned PostgreSQL 16.8-1 version for s390x to test whether the openssl-libs dependency issue has been resolved in current UBI9. See: ROX-30647
---
 image/db/rhel/scripts/download.sh | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/image/db/rhel/scripts/download.sh b/image/db/rhel/scripts/download.sh
index f64470109..2ef15d90b 100755
--- a/image/db/rhel/scripts/download.sh
+++ b/image/db/rhel/scripts/download.sh
@@ -15,11 +15,10 @@ output_dir="/rpms" mkdir $output_dir if [[ "$arch" == "s390x" ]]; then
- # TODO(ROX-30647): Builds are failing due to UBI9:latest not containing the
- # necessary version of openssl-libs to build postgresql-contrib.
- pg_build_version="0:16.8-1.module_el9+1209+bd6e4013.s390x"
+ # PostgreSQL.org does not publish packages for s390x, so we use the RHEL
+ # module repos instead (PostgreSQL 16, since 15 is not available as a module).
 dnf module enable -y postgresql:16
- dnf install -y --downloadonly --downloaddir=/tmp "postgresql-${pg_build_version}" "postgresql-private-libs-${pg_build_version}" "postgresql-server-${pg_build_version}" "postgresql-contrib-${pg_build_version}"
+ dnf install -y --downloadonly --downloaddir=/tmp postgresql postgresql-private-libs postgresql-server postgresql-contrib
 mv /tmp/postgresql-contrib-*.rpm "${output_dir}/postgres-contrib.rpm"
 mv /tmp/postgresql-server-*.rpm "${output_dir}/postgres-server.rpm"
 mv /tmp/postgresql-private-libs-*.rpm "${output_dir}/postgres-libs.rpm"
From 0b3fe6b423424fe5fdc90a2cac8707d9000a163c Mon Sep 17 00:00:00 2001
From: davdhacs <105243888+davdhacs@users.noreply.github.com>
Date: Mon, 9 Mar 2026 09:46:56 -0600
Subject: [PATCH 5/6] trigger CI
From 3fe5233a60afa783ac09de6429cea8e28abd787b Mon Sep 17 00:00:00 2001
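Review bot: Dropping the version pin from the `dnf install --downloadonly` line makes the s390x build non-reproducible: whatever the `postgresql:16` stream resolves to at build time is what ships, and the three `mv /tmp/postgresql-*-*.rpm` lines below assume exactly one match per package. Since the commit is explicitly a test of whether the openssl-libs problem is gone, record the resolved versions in the build log so the outcome can be audited, e.g. `rpm -qp --queryformat '%{NAME}-%{EVR}\n' /tmp/*.rpm` after the download, and re-pin (or move the pin into a lock file alongside rpms.lock.yaml) once the test passes. The new comment could also say that `postgres_major=15` set earlier in this script does not apply to s390x, which takes PostgreSQL 16 from the module stream. The `if [[ "$arch" == "s390x" ]]` block continues past this hunk.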
From: davdhacs <105243888+davdhacs@users.noreply.github.com> Date: Mon, 9 Mar 2026 12:05:23 -0600 Subject: [PATCH 6/6] fix: Update CVE descriptions to match current NVD feed Remove trailing newlines from CVE-2020-1045 and CVE-2020-1597 descriptions that were updated in the NVD feed. --- e2etests/testcase_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/e2etests/testcase_test.go b/e2etests/testcase_test.go index dbefbceb3..63a267469 100644 --- a/e2etests/testcase_test.go +++ b/e2etests/testcase_test.go @@ -1351,7 +1351,7 @@ var testCases = []testCase{ }, { Name: "CVE-2020-1045", - Description: "

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.

\n

The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.

\n

The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.

\n", + Description: "

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.

\n

The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.

\n

The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names.

", Link: "https://nvd.nist.gov/vuln/detail/CVE-2020-1045", Metadata: map[string]interface{}{ "NVD": map[string]interface{}{ @@ -1402,7 +1402,7 @@ var testCases = []testCase{ }, { Name: "CVE-2020-1597", - Description: "A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.\nA remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.\nThe update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.\n", + Description: "A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.\nA remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.\nThe update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.", Link: "https://nvd.nist.gov/vuln/detail/CVE-2020-1597", Metadata: map[string]interface{}{ "NVD": map[string]interface{}{
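Review bot: The expected `Description` strings pin the NVD text byte-for-byte, trailing newline included, so the test breaks every time the upstream feed is re-edited — this commit is exactly such a churn fix, and the CVE-2020-1597 hunk has the same shape. If the comparison site (not in this hunk) is an exact equality, normalising both sides with `strings.TrimSpace` before comparing, or loading the expected descriptions from fixture files regenerated from the feed, would keep the e2e test focused on the scanner's vulnerability matching rather than on NVD's editing. The `testCases` slice literal starts well before this hunk.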