add support for build lifecycle and rhel7

stackrox · Jan 21, 2025 · 1e82e6d · 1e82e6d
1 parent a767327
commit 1e82e6d
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/policies/ubi-versions.json b/policies/ubi-versions.json
@@ -3,14 +3,15 @@
         {
             "id": "53e1d1fb-bc1e-4ef3-98c3-8df0dd5679b8",
             "name": "UBI version compliance",
-            "description": "All  images on the cluster using the Red Hat Universal Base Image (UBI) must use at least versions 8.5 or 9.3",
+            "description": "All  images on the cluster using the Red Hat Universal Base Image (UBI) must use at least versions  8.5 or 9.3",
             "rationale": "Using an older UBI image potentially exposes the workload to additional vulnerabilities",
             "remediation": "Update the base image to at least UBI 8.5 or 9.3",
             "disabled": true,
             "categories": [
                 "Package Management"
             ],
             "lifecycleStages": [
+                "BUILD",
                 "DEPLOY"
             ],
             "eventSource": "NOT_APPLICABLE",
@@ -66,7 +67,7 @@
                                     "value": "redhat-release=9\\.[0-2]-[0-9]+(?:\\.[0-9]+)?\\.el9"
                                 },
                                 {
-                                    "value": "redhat-release=[6-7].*"
+                                    "value": "redhat-release-server=7.*"
                                 }
                             ]
                         }

diff --git a/util-scripts/ubi-versions/ubi-versions.sh b/util-scripts/ubi-versions/ubi-versions.sh
@@ -62,8 +62,8 @@ for deployment_id in $(echo "${res}" | jq -r .alerts[].deployment.id); do
        image_name="$(echo "${image_res}" | jq -rc '.name.fullName')"
        export image_name
 
-       # find the redhat-release version and format lines
-       export ubi_version="$(echo  "${image_res}" | jq '.scan.components[] | select(.name=="redhat-release") | .version'| grep -o '[0-9]\.[0-9]\+' | head -1 )"
+       # find the redhat-release (UBI 8/9) or redhat-release-server (UBI 7) version and format lines
+       export ubi_version="$(echo  "${image_res}" | jq '.scan.components[] | select(.name=="redhat-release" or .name=="redhat-release-server") | .version'| grep -o '[0-9]\.[0-9]\+' | head -1 )"
        echo "${clusterName},${namespace},${deployment_name},${image_name},${ubi_version}" >> "${output_file}"
      fi
    done