diff --git a/policies/ubi-versions.json b/policies/ubi-versions.json
index 5b9045f..b23e100 100755
--- a/policies/ubi-versions.json
+++ b/policies/ubi-versions.json
@@ -3,7 +3,7 @@
 {
 "id": "53e1d1fb-bc1e-4ef3-98c3-8df0dd5679b8",
 "name": "UBI version compliance",
- "description": "All images on the cluster using the Red Hat Universal Base Image (UBI) must use at least versions 8.5 or 9.3",
+ "description": "All images on the cluster using the Red Hat Universal Base Image (UBI) must use at least versions 8.5 or 9.3",
 "rationale": "Using an older UBI image potentially exposes the workload to additional vulnerabilities",
 "remediation": "Update the base image to at least UBI 8.5 or 9.3",
 "disabled": true,
@@ -11,6 +11,7 @@
 "Package Management"
 ],
 "lifecycleStages": [
+ "BUILD",
 "DEPLOY"
 ],
 "eventSource": "NOT_APPLICABLE",
@@ -66,7 +67,7 @@
 "value": "redhat-release=9\\.[0-2]-[0-9]+(?:\\.[0-9]+)?\\.el9"
 },
 {
- "value": "redhat-release=[6-7].*"
+ "value": "redhat-release-server=7.*"
 }
 ]
 }
diff --git a/util-scripts/ubi-versions/ubi-versions.sh b/util-scripts/ubi-versions/ubi-versions.sh
index a653c24..8b5d873 100755
--- a/util-scripts/ubi-versions/ubi-versions.sh
+++ b/util-scripts/ubi-versions/ubi-versions.sh
@@ -62,8 +62,8 @@ for deployment_id in $(echo "${res}" | jq -r .alerts[].deployment.id); do
 image_name="$(echo "${image_res}" | jq -rc '.name.fullName')"
 export image_name
- # find the redhat-release version and format lines
- export ubi_version="$(echo "${image_res}" | jq '.scan.components[] | select(.name=="redhat-release") | .version'| grep -o '[0-9]\.[0-9]\+' | head -1 )"
+ # find the redhat-release (UBI 8/9) or redhat-release-server (UBI 7) version and format lines
+ export ubi_version="$(echo "${image_res}" | jq '.scan.components[] | select(.name=="redhat-release" or .name=="redhat-release-server") | .version'| grep -o '[0-9]\.[0-9]\+' | head -1 )"
 echo "${clusterName},${namespace},${deployment_name},${image_name},${ubi_version}" >> "${output_file}"
 fi
 done
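Review bot: Adding `"BUILD"` to `lifecycleStages` has no effect while the policy remains `"disabled": true` (visible as context in the first hunk of this file), so build-time evaluation of UBI versions still depends on someone enabling the policy after import. If shipping the policy disabled is intentional, a short sentence in `description` or the repository README stating that it must be enabled per cluster would avoid the impression that build-time checking is now active. The enclosing policy object starts and ends outside this hunk.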
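Review bot: Replacing `redhat-release=[6-7].*` with `redhat-release-server=7.*` narrows the criterion rather than extending it: an image whose scan reports the release package under the name `redhat-release` at version 6.x or 7.x no longer matches, and UBI 6 drops out of scope entirely, so such images pass the check silently. The shell change in the next file accepts both `redhat-release` and `redhat-release-server`, so the report script and the policy would disagree on exactly these images. Unless it is known that no UBI 6/7 image ever reports `redhat-release`, keep the old entry and add the new one as an additional value in the same group: `{ "value": "redhat-release=[6-7].*" },` followed by `{ "value": "redhat-release-server=7.*" }`. The enclosing policy group begins outside this hunk.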
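Review bot: With the `select` now admitting two component names, `head -1` makes `ubi_version` depend on the order in which the scan lists components whenever both `redhat-release` and `redhat-release-server` are present, and an image carrying neither yields an empty last CSV field that cannot be told apart from a failed `jq` call. Consider `jq -r` here so the grep is not applied to a quoted string, and an explicit fallback such as `ubi_version="${ubi_version:-unknown}"` before the `echo` so readers of the report can distinguish "no release package found" from a lookup error. The `for deployment_id` loop and the `if` closed by `fi` both start outside this hunk.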