chore(base-image): Migrate builds to UBI9/RHEL9

.tekton/scanner-build.yaml

@@ -56,7 +56,7 @@ spec:
   - name: extra-labels
     value:
     # X.Y in the cpe label must be adjusted for every version stream.
-    - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+    - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
 
   workspaces:
   - name: git-auth

.tekton/scanner-db-build.yaml

@@ -53,7 +53,7 @@ spec:
   - name: extra-labels
     value:
     # X.Y in the cpe label must be adjusted for every version stream.
-    - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+    - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
 
   workspaces:
   - name: git-auth

.tekton/scanner-db-slim-build.yaml

@@ -53,7 +53,7 @@ spec:
   - name: extra-labels
     value:
     # X.Y in the cpe label must be adjusted for every version stream.
-    - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+    - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
 
   workspaces:
   - name: git-auth

.tekton/scanner-slim-build.yaml

@@ -56,7 +56,7 @@ spec:
   - name: extra-labels
     value:
     # X.Y in the cpe label must be adjusted for every version stream.
-    - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"
+    - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
 
   workspaces:
   - name: git-auth

image/db/rhel/Dockerfile

@@ -1,9 +1,9 @@
 ARG RPMS_REGISTRY=registry.access.redhat.com
-ARG RPMS_BASE_IMAGE=ubi8
+ARG RPMS_BASE_IMAGE=ubi9
 ARG RPMS_BASE_TAG=latest
 
 ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi8-minimal
+ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle

image/db/rhel/Dockerfile.slim

@@ -1,9 +1,9 @@
 ARG RPMS_REGISTRY=registry.access.redhat.com
-ARG RPMS_BASE_IMAGE=ubi8
+ARG RPMS_BASE_IMAGE=ubi9
 ARG RPMS_BASE_TAG=latest
 
 ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi8-minimal
+ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle

image/db/rhel/konflux.Dockerfile

@@ -1,4 +1,4 @@
-FROM registry.redhat.io/rhel8/postgresql-15:latest@sha256:94182920a14a5175523d40c1bdf1168eaabbb6b494eda0519d3a87916ba937d6 AS scanner-db-common
+FROM registry.redhat.io/rhel9/postgresql-15:latest@sha256:cba1417b7e8a5b55289aa951c48dc940c72ebea5380045f32cd8faba41937f9b AS scanner-db-common
 
 ARG SCANNER_TAG
 RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi
@@ -57,7 +57,7 @@ FROM scanner-db-common AS scanner-db-slim
 LABEL \
     com.redhat.component="rhacs-scanner-db-slim-container" \
     io.k8s.display-name="scanner-db-slim" \
-    name="advanced-cluster-security/rhacs-scanner-db-slim-rhel8"
+    name="advanced-cluster-security/rhacs-scanner-db-slim-rhel9"
 
 ENV ROX_SLIM_MODE="true"
 
@@ -67,7 +67,7 @@ FROM scanner-db-common AS scanner-db
 LABEL \
     com.redhat.component="rhacs-scanner-db-container" \
     io.k8s.display-name="scanner-db" \
-    name="advanced-cluster-security/rhacs-scanner-db-rhel8"
+    name="advanced-cluster-security/rhacs-scanner-db-rhel9"
 
 COPY --chown=0:0 .konflux/scanner-data/blob-pg-definitions.sql.gz \
      /docker-entrypoint-initdb.d/definitions.sql.gz

image/db/rhel/scripts/download.sh

@@ -4,7 +4,7 @@ set -euo pipefail
 
 # If this is updated, be sure to update PG_MAJOR in the Dockerfile and the signature file.
 postgres_major=15
-pg_rhel_major=8
+pg_rhel_major=9
 
 arch="$(uname -m)"
 dnf_list_args=()

image/scanner/rhel/Dockerfile

@@ -1,5 +1,5 @@
 ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi8-minimal
+ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle

image/scanner/rhel/Dockerfile.slim

@@ -1,5 +1,5 @@
 ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi8-minimal
+ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle

image/scanner/rhel/konflux.Dockerfile

@@ -1,5 +1,5 @@
 # Compiling scanner binaries and staging repo2cpe and genesis manifests
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25@sha256:aa03597ee8c7594ffecef5cbb6a0f059d362259d2a41225617b27ec912a3d0d3 AS builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25@sha256:bd531796aacb86e4f97443797262680fbf36ca048717c00b6f4248465e1a7c0c AS builder
 
 ARG SCANNER_TAG
 RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi
@@ -28,7 +28,7 @@ COPY .konflux/scanner-data/blob-genesis_manifests.json image/scanner/dump/genesi
 
 
 # Common base for scanner slim and full
-FROM registry.access.redhat.com/ubi8-minimal:latest@sha256:48adecc91f276734fa51987bc2203a31db9ba87a512c436c0a3fcac53135378d AS scanner-common
+FROM registry.access.redhat.com/ubi9-minimal:latest@sha256:c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 AS scanner-common
 
 ARG SCANNER_TAG
 
@@ -59,7 +59,7 @@ COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifest
 
 COPY LICENSE /licenses/LICENSE
 
-RUN microdnf install xz && \
+RUN microdnf install -y xz && \
     microdnf clean all && \
     # (Optional) Remove line below to keep package management utilities
     # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
@@ -85,7 +85,7 @@ FROM scanner-common AS scanner-slim
 LABEL \
     com.redhat.component="rhacs-scanner-slim-container" \
     io.k8s.display-name="scanner-slim" \
-    name="advanced-cluster-security/rhacs-scanner-slim-rhel8"
+    name="advanced-cluster-security/rhacs-scanner-slim-rhel9"
 
 ENV ROX_SLIM_MODE="true"
 
@@ -96,7 +96,7 @@ FROM scanner-common AS scanner
 LABEL \
     com.redhat.component="rhacs-scanner-container" \
     io.k8s.display-name="scanner" \
-    name="advanced-cluster-security/rhacs-scanner-rhel8"
+    name="advanced-cluster-security/rhacs-scanner-rhel9"
 
 ENV NVD_DEFINITIONS_DIR="/nvd_definitions"
 ENV K8S_DEFINITIONS_DIR="/k8s_definitions"

image/scanner/scripts/import-additional-cas

@@ -19,4 +19,6 @@ copy_existing /usr/local/share/ca-certificates
 # Copy the custom trusted CA bundles injected by the Openshift Network Operator.
 copy_existing /etc/pki/injected-ca-trust
 
-update-ca-trust extract
+# The -o flag is required for running as an unprivileged user in containers.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240
+update-ca-trust extract -o /etc/pki/ca-trust/extracted

image/scanner/scripts/restore-all-dir-contents

@@ -4,4 +4,4 @@ set -euo pipefail
 
 [ -d /.init-dirs ] || exit 0
 
-cp -rfP /.init-dirs/* /
+cp --recursive --no-dereference --no-clobber /.init-dirs/* /

image/scanner/scripts/trust-root-ca

@@ -6,4 +6,7 @@ CA_PATH="/run/secrets/stackrox.io/certs/ca.pem"
 
 # For RHEL
 cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
-update-ca-trust
+
+# The -o flag is required for running as an unprivileged user in containers.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240
+update-ca-trust extract -o /etc/pki/ca-trust/extracted

image/vulnerabilities/Dockerfile

@@ -1,5 +1,5 @@
 ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi8-minimal
+ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

rpms.lock.yaml

@@ -4,69 +4,69 @@ lockfileVendor: redhat
 arches:
 - arch: aarch64
   packages:
-  - url: https://cdn.redhat.com/content/dist/rhel8/8/aarch64/baseos/os/Packages/x/xz-5.2.4-4.el8_6.aarch64.rpm
-    repoid: rhel-8-for-aarch64-baseos-rpms
-    size: 156276
-    checksum: sha256:342a2504cb34c9a5c1d43906f534cb1f3bf1de58ac517d575cff57053d04ab00
+  - url: https://cdn.redhat.com/content/dist/rhel9/9/aarch64/baseos/os/Packages/x/xz-5.2.5-8.el9_0.aarch64.rpm
+    repoid: rhel-9-for-aarch64-baseos-rpms
+    size: 235798
+    checksum: sha256:26ac21be6c1e396c7bcbaa9d4786e3275e996d9d78c01f75bbbc6962e6c9bef7
     name: xz
-    evr: 5.2.4-4.el8_6
-    sourcerpm: xz-5.2.4-4.el8_6.src.rpm
+    evr: 5.2.5-8.el9_0
+    sourcerpm: xz-5.2.5-8.el9_0.src.rpm
   source:
-  - url: https://cdn.redhat.com/content/dist/rhel8/8/aarch64/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm
-    repoid: rhel-8-for-aarch64-baseos-source-rpms
-    size: 1077113
-    checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a
+  - url: https://cdn.redhat.com/content/dist/rhel9/9/aarch64/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm
+    repoid: rhel-9-for-aarch64-baseos-source-rpms
+    size: 1168293
+    checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46
     name: xz
-    evr: 5.2.4-4.el8_6
+    evr: 5.2.5-8.el9_0
   module_metadata: []
 - arch: ppc64le
   packages:
-  - url: https://cdn.redhat.com/content/dist/rhel8/8/ppc64le/baseos/os/Packages/x/xz-5.2.4-4.el8_6.ppc64le.rpm
-    repoid: rhel-8-for-ppc64le-baseos-rpms
-    size: 162264
-    checksum: sha256:80d2fc754452ae52b3b36504e5cceb5cd5435a97999351402ae7a28298592a01
+  - url: https://cdn.redhat.com/content/dist/rhel9/9/ppc64le/baseos/os/Packages/x/xz-5.2.5-8.el9_0.ppc64le.rpm
+    repoid: rhel-9-for-ppc64le-baseos-rpms
+    size: 243215
+    checksum: sha256:44cd014634f8a5cb83aff336500b0f2e3bec156a34e7da09e0ae6ef4b5e26467
     name: xz
-    evr: 5.2.4-4.el8_6
-    sourcerpm: xz-5.2.4-4.el8_6.src.rpm
+    evr: 5.2.5-8.el9_0
+    sourcerpm: xz-5.2.5-8.el9_0.src.rpm
   source:
-  - url: https://cdn.redhat.com/content/dist/rhel8/8/ppc64le/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm
-    repoid: rhel-8-for-ppc64le-baseos-source-rpms
-    size: 1077113
-    checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a
+  - url: https://cdn.redhat.com/content/dist/rhel9/9/ppc64le/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm
+    repoid: rhel-9-for-ppc64le-baseos-source-rpms
+    size: 1168293
+    checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46
     name: xz
-    evr: 5.2.4-4.el8_6
+    evr: 5.2.5-8.el9_0
   module_metadata: []
 - arch: s390x
   packages:
-  - url: https://cdn.redhat.com/content/dist/rhel8/8/s390x/baseos/os/Packages/x/xz-5.2.4-4.el8_6.s390x.rpm
-    repoid: rhel-8-for-s390x-baseos-rpms
-    size: 155012
-    checksum: sha256:7fb678077d965dd6aeb09df28ce05cba9c22e4110d4b52f1ee43986beb87a5ff
+  - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/baseos/os/Packages/x/xz-5.2.5-8.el9_0.s390x.rpm
+    repoid: rhel-9-for-s390x-baseos-rpms
+    size: 234632
+    checksum: sha256:c06f44e6fb5a0a1fbf3c052d065b6336c3d17cedbc796260cf0c097b98326906
     name: xz
-    evr: 5.2.4-4.el8_6
-    sourcerpm: xz-5.2.4-4.el8_6.src.rpm
+    evr: 5.2.5-8.el9_0
+    sourcerpm: xz-5.2.5-8.el9_0.src.rpm
   source:
-  - url: https://cdn.redhat.com/content/dist/rhel8/8/s390x/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm
-    repoid: rhel-8-for-s390x-baseos-source-rpms
-    size: 1077113
-    checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a
+  - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm
+    repoid: rhel-9-for-s390x-baseos-source-rpms
+    size: 1168293
+    checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46
     name: xz
-    evr: 5.2.4-4.el8_6
+    evr: 5.2.5-8.el9_0
   module_metadata: []
 - arch: x86_64
   packages:
-  - url: https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os/Packages/x/xz-5.2.4-4.el8_6.x86_64.rpm
-    repoid: rhel-8-for-x86_64-baseos-rpms
-    size: 156884
-    checksum: sha256:fa4ceb20dbf23e9408a6446fefc4b709bc85e0bc563ca423569bbe08ecee2c5e
+  - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/Packages/x/xz-5.2.5-8.el9_0.x86_64.rpm
+    repoid: rhel-9-for-x86_64-baseos-rpms
+    size: 235693
+    checksum: sha256:f16d17c26a241400586ddc3d734ce863e3f19d433881ec640a47bedf0dafd07b
     name: xz
-    evr: 5.2.4-4.el8_6
-    sourcerpm: xz-5.2.4-4.el8_6.src.rpm
+    evr: 5.2.5-8.el9_0
+    sourcerpm: xz-5.2.5-8.el9_0.src.rpm
   source:
-  - url: https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/source/SRPMS/Packages/x/xz-5.2.4-4.el8_6.src.rpm
-    repoid: rhel-8-for-x86_64-baseos-source-rpms
-    size: 1077113
-    checksum: sha256:7914b320eefa2db6dad68e5f01e99f8e661072a1f13acb3d19cba8c1295ae40a
+  - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/source/SRPMS/Packages/x/xz-5.2.5-8.el9_0.src.rpm
+    repoid: rhel-9-for-x86_64-baseos-source-rpms
+    size: 1168293
+    checksum: sha256:bce98f3a307e75a8ac28f909e29b41d64b15461fa9ddf0bf4ef3c2f6de946b46
     name: xz
-    evr: 5.2.4-4.el8_6
+    evr: 5.2.5-8.el9_0
   module_metadata: []

rpms.rhel.repo

@@ -1,6 +1,6 @@
-[rhel-8-for-$basearch-baseos-rpms]
-name = Red Hat Enterprise Linux 8 for $basearch - BaseOS (RPMs)
-baseurl = https://cdn.redhat.com/content/dist/rhel8/8/$basearch/baseos/os
+[rhel-9-for-$basearch-baseos-rpms]
+name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (RPMs)
+baseurl = https://cdn.redhat.com/content/dist/rhel9/9/$basearch/baseos/os
 enabled = 1
 gpgcheck = 1
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
@@ -12,9 +12,9 @@ sslverifystatus = 1
 metadata_expire = 86400
 enabled_metadata = 1
 
-[rhel-8-for-$basearch-baseos-source-rpms]
-name = Red Hat Enterprise Linux 8 for $basearch - BaseOS (Source RPMs)
-baseurl = https://cdn.redhat.com/content/dist/rhel8/8/$basearch/baseos/source/SRPMS
+[rhel-9-for-$basearch-baseos-source-rpms]
+name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (Source RPMs)
+baseurl = https://cdn.redhat.com/content/dist/rhel9/9/$basearch/baseos/source/SRPMS
 enabled = 1
 gpgcheck = 1
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
@@ -25,3 +25,4 @@ sslclientcert = $SSL_CLIENT_CERT
 sslverifystatus = 1
 metadata_expire = 86400
 enabled_metadata = 0
+