From ade173223821539ad270bccd290d8933019f39e4 Mon Sep 17 00:00:00 2001 From: Remco Beckers Date: Thu, 18 Jun 2026 11:26:01 +0200 Subject: [PATCH 1/3] STAC-25019 Preserve repository_url qualifier on OCI PURLs Per the VEX Repository Specification, the `repository_url` qualifier must be retained in the `id` of OCI entries so Trivy can match them against the image PURL it generates at scan time. Without it, the index resolved but no statements matched and the listed CVEs kept showing as affected. - tools/build_index.py: keep the `repository_url` qualifier for pkg:oci/* PURLs while still stripping version and other qualifiers; fail fast if an OCI VEX file is missing the qualifier so the bug can't reappear silently. - pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json: add `?repository_url=quay.io/stackstate/stackstate-k8s-agent` to all product @id fields (the target-allocator file already had it). - The repository_url part must be URL encoded, otherwise trivy will not match it in the index. - index.json: regenerated. --- index.json | 6 ++-- .../scan.openvex.json | 30 ++++++++++++++++--- .../stackstate-k8s-agent/scan.openvex.json | 26 ++++++++-------- tools/build_index.py | 29 +++++++++++++++--- 4 files changed, 67 insertions(+), 24 deletions(-) diff --git a/index.json b/index.json index 0dc2b3c..a8e7af6 100644 --- a/index.json +++ b/index.json @@ -1,5 +1,5 @@ { - "updated_at": "2026-06-17T07:31:03Z", + "updated_at": "2026-06-18T10:32:45Z", "packages": [ { "id": "pkg:maven/org.eclipse.jetty/jetty-http", 
@@ -7,12 +7,12 @@ "format": "openvex" }, { - "id": "pkg:oci/opentelemetry-target-allocator", + "id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator", "location": "pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json", "format": "openvex" }, { - "id": "pkg:oci/stackstate-k8s-agent", + "id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "location": "pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json", "format": "openvex" } diff --git a/pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json b/pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json index 61e8aa7..d146eef 100644 --- a/pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json +++ b/pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json @@ -13,7 +13,7 @@ }, "products": [ { - "@id": "pkg:oci/opentelemetry-target-allocator", + "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator", "subcomponents": [ { "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" @@ -35,7 +35,7 @@ }, "products": [ { - "@id": "pkg:oci/opentelemetry-target-allocator", + "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator", "subcomponents": [ { "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" @@ -57,7 +57,7 @@ }, "products": [ { - "@id": "pkg:oci/opentelemetry-target-allocator", + "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator", "subcomponents": [ { "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" 
@@ -79,7 +79,7 @@ }, "products": [ { - "@id": "pkg:oci/opentelemetry-target-allocator", + "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator", "subcomponents": [ { "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" 
@@ -91,6 +91,28 @@ "justification": "vulnerable_code_not_in_execute_path", "status_notes": "Review by 2026-07-29 (6 weeks after 2026-06-17): re-check whether the next prometheus-operator release has dropped the legacy github.com/docker/docker dependency and the OpenTelemetry Operator has bumped to it; retire this statement once the dependency is gone.", "impact_statement": "CVE-2026-33997 is an off-by-one error in the Moby server's plugin privilege validation during docker plugin install: the daemon's privilege-set comparison can accept a privilege set that differs from the one approved by the user, and plugins requesting exactly one privilege are not compared at all. The vulnerable code lives in the Docker Engine server (the plugin install/privilege validation path in the daemon). The quay.io/stackstate/opentelemetry-target-allocator image ships only the targetallocator Go binary; it contains no dockerd, executes no docker plugin install flow, and is not invoked as a Docker daemon. github.com/docker/docker is pulled in transitively through github.com/prometheus/prometheus/discovery, and per upstream open-telemetry/opentelemetry-operator#4926 only the client-side packages are used: \"It only uses the client side of the docker package, whereas the vulnerabilities affect the server side.\" The fix lives at the new github.com/moby/moby/v2 module path (Docker Engine 29.3.1 / v2.0.0-beta.8); Prometheus has migrated in prometheus/prometheus#18433, and once the next prometheus-operator release picks up that Prometheus version and the OpenTelemetry Operator bumps to it, the docker/docker dependency will disappear from the target allocator entirely and this VEX will become moot." 
+ }, + { + "vulnerability": { + "name": "CVE-2026-41568", + "aliases": [ + "GHSA-vp62-88p7-qqf5" + ] + }, + "products": [ + { + "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator", + "subcomponents": [ + { + "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" + } + ] + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_in_execute_path", + "status_notes": "Review by 2026-07-29 (6 weeks after 2026-06-17): re-check whether the next prometheus-operator release has dropped the legacy github.com/docker/docker dependency and the OpenTelemetry Operator has bumped to it; retire this statement once the dependency is gone.", + "impact_statement": "CVE-2026-41568 is a TOCTOU symlink race in the Moby server's docker cp mountpoint setup: between GetResourcePath resolving the in-container destination and createIfNotExists materialising it via os.MkdirAll/os.OpenFile, a container process can swap a path component for a symlink, causing the daemon (running as host root) to create an empty file or directory at an arbitrary absolute host path. The vulnerable code lives in the Docker Engine server (daemon/archive.go and the docker cp mountpoint setup path), classified as CWE-61 / CWE-367. The quay.io/stackstate/opentelemetry-target-allocator image ships only the targetallocator Go binary; it contains no dockerd, performs no docker cp mountpoint setup, and is not invoked as a Docker daemon. 
github.com/docker/docker is pulled in transitively through github.com/prometheus/prometheus/discovery, and per upstream open-telemetry/opentelemetry-operator#4926 only the client-side packages are used: \"It only uses the client side of the docker package, whereas the vulnerabilities affect the server side.\" The fix lives at the new github.com/moby/moby/v2 module path (Docker Engine 29.5.1 / v2.0.0-beta.14); Prometheus has migrated in prometheus/prometheus#18433, and once the next prometheus-operator release picks up that Prometheus version and the OpenTelemetry Operator bumps to it, the docker/docker dependency will disappear from the target allocator entirely and this VEX will become moot." } ], "timestamp": "2026-06-17T00:00:00Z" diff --git a/pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json b/pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json index 2aa4f9b..1633ff9 100644 --- a/pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json +++ b/pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json @@ -10,7 +10,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" @@ -30,7 +30,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" @@ -51,7 +51,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" 
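Review bot: The new CVE-2026-41568 statement and the rewritten product `@id`s modify this OpenVEX document, yet the document `timestamp` stays `2026-06-17T00:00:00Z` and `"version": 1` (visible as context in patch 3's hunk of this same file) is not incremented, whereas OpenVEX expects a modified document to bump `version` and record `last_updated`, and lets an added statement carry its own `timestamp`. A consumer that treats `version` as the change marker may keep serving the pre-change document. The same omission applies to the stackstate-k8s-agent hunks that begin on this line and to the patch-3 hunks that add the Rancher product entries. Suggested document-level change (example values; use the real edit time): `"version": 2,` and `"last_updated": "2026-06-18T00:00:00Z",`, plus `"timestamp": "2026-06-18T00:00:00Z"` inside the new statement.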
@@ -68,7 +68,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" @@ -86,7 +86,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" @@ -104,7 +104,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" @@ -121,7 +121,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" @@ -139,7 +139,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" @@ -157,7 +157,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" @@ -175,7 +175,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" @@ -194,7 +194,7 @@ }, "products": [ { - "@id": "pkg:oci/stackstate-k8s-agent", + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", "subcomponents": [ { "@id": "pkg:generic/python@3.13.13" 
@@ -215,7 +215,7 @@
 },
 "products": [
 {
- "@id": "pkg:oci/stackstate-k8s-agent",
+ "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent",
 "subcomponents": [
 {
 "@id": "pkg:generic/python@3.13.13"
@@ -234,7 +234,7 @@
 },
 "products": [
 {
- "@id": "pkg:oci/stackstate-k8s-agent",
+ "@id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent",
 "subcomponents": [
 {
 "@id": "pkg:generic/python@3.13.13"
diff --git a/tools/build_index.py b/tools/build_index.py
index 004974e..3be1ca3 100644
--- a/tools/build_index.py
+++ b/tools/build_index.py
@@ -24,13 +24,34 @@ def now_iso() -> str:
 return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
-def index_id_for_purl(purl: str) -> str:
- """Return the canonical index id for a PURL: version and qualifiers stripped."""
+def index_id_for_purl(purl: str, source: Path | None = None) -> str:
+ """Return the canonical index id for a PURL.
+
+ Per the VEX Repository Specification, version and subpath are stripped;
+ for ``pkg:oci/*`` PURLs the ``repository_url`` qualifier MUST be preserved
+ so Trivy can match the entry against the image PURL it generates at scan
+ time. Other qualifiers are dropped.
+ """
 head = purl
+ qualifier_str = ""
 if "?" in head:
- head, _ = head.split("?", 1)
+ head, qualifier_str = head.split("?", 1)
 if "@" in head:
 head, _ = head.split("@", 1)
+ if head.startswith("pkg:oci/"):
+ repo = next(
+ (q for q in qualifier_str.split("&") if q.startswith("repository_url=")),
+ None,
+ )
+ if not repo:
+ where = f" in {source}" if source else ""
+ sys.exit(
+ f"OCI PURL {purl!r}{where} is missing the required "
+ "'repository_url' qualifier. Per the VEX Repository "
+ "Specification, OCI product @id values must include "
+ "?repository_url=//."
+ )
+ return f"{head}?{repo}"
 return head
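Review bot: `head.startswith("pkg:oci/")` in `index_id_for_purl` is case-sensitive, but the PURL type is defined case-insensitively (`pkg:OCI/...` names the same package), so a mixed-case product `@id` would be indexed as a non-OCI entry with its `repository_url` silently dropped instead of reaching the fail-fast branch. Consistent with the tool's fail-fast style, reject a non-lowercase type before the comparison, e.g. `purl_type = head.partition("/")[0]` / `if purl_type != purl_type.lower(): sys.exit(f"PURL {purl!r} must use a lowercase type, got {purl_type!r}.")`. The identical check is carried over unchanged into the patch-2 rewrite of this function (hunk `@@ -15,43 +15,109 @@`), so the fix belongs there as well. Whether Trivy's own lookup is case-sensitive is not visible on this page.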
@@ -54,7 +75,7 @@ def collect_packages(hub_root: Path) -> list[dict]: if pid and pid.startswith("pkg:"): purls.add(pid) for purl in sorted(purls): - pid = index_id_for_purl(purl) + pid = index_id_for_purl(purl, source=vex_file) existing = entries.get(pid) if existing and existing["location"] != rel_location: sys.exit( From 0fe3bdea98aaecbff8d7118b45d1ded2a0d7b2e9 Mon Sep 17 00:00:00 2001 From: Remco Beckers Date: Thu, 18 Jun 2026 13:33:32 +0200 Subject: [PATCH 2/3] STAC-25019 Strictly validate PURLs in build_index.py MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewer pointed out that the previous guard preserved repository_url but still accepted unencoded values (repository_url=quay.io/ns/foo) and left #subpath attached to qualifier strings, contrary to the docstring. Replace the ad-hoc string splits with a small PURL parser that: - Strips subpath (#...) before qualifiers and version, per the PURL grammar (pkg:type/namespace/name@version?qualifiers#subpath). - Splits qualifiers into a key/value map, requiring lowercase ASCII qualifier keys and rejecting malformed key=value pairs. - Rejects qualifier values that are not fully percent-encoded per RFC 3986 (decoded-then-re-encoded with safe="" must match the input, case insensitively). For OCI repository_url this forces '/' to %2F and ':' on non-default ports to %3A so Trivy gets a single canonical match key. - Continues to require repository_url on pkg:oci/* and now also fails fast on an empty value. Smoke-tested the parser against encoded/unencoded/missing/empty/ malformed-key/subpath inputs; all six rejection paths fire and the two pass paths produce the expected canonical id. Regenerated index.json (no functional change — both OCI entries were already percent-encoded in their VEX files). --- index.json | 2 +- tools/build_index.py | 100 +++++++++++++++++++++++++++++++++++-------- 2 files changed, 84 insertions(+), 18 deletions(-) 
diff --git a/index.json b/index.json
index a8e7af6..ec4c875 100644
--- a/index.json
+++ b/index.json
@@ -1,5 +1,5 @@
 {
- "updated_at": "2026-06-18T10:32:45Z",
+ "updated_at": "2026-06-18T11:33:02Z",
 "packages": [
 {
 "id": "pkg:maven/org.eclipse.jetty/jetty-http",
diff --git a/tools/build_index.py b/tools/build_index.py
index 3be1ca3..3427a43 100644
--- a/tools/build_index.py
+++ b/tools/build_index.py
@@ -15,43 +15,109 @@ import argparse
 import json
+import re
 import sys
 from datetime import datetime, timezone
 from pathlib import Path
+from urllib.parse import quote, unquote
 def now_iso() -> str:
 return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
-def index_id_for_purl(purl: str, source: Path | None = None) -> str:
- """Return the canonical index id for a PURL.
+_QUALIFIER_KEY_RE = re.compile(r"^[a-z_][a-z0-9._-]*$")
+
+
+def _where(source: Path | None) -> str:
+ return f" in {source}" if source else ""
+
+
+def _ensure_percent_encoded(value: str, key: str, purl: str, source: Path | None) -> None:
+ """Reject qualifier values that are not fully percent-encoded.
+
+ PURL qualifier values must percent-encode anything outside the RFC 3986
+ unreserved set (``[A-Za-z0-9-._~]``). For ``repository_url`` that means
+ every ``/`` must appear as ``%2F`` (and every ``:`` in a non-default
+ port as ``%3A``). We normalise by decoding then re-encoding with
+ ``quote(..., safe="")``; if the result differs from the input (case
+ insensitively, since ``%2f`` and ``%2F`` are equivalent), the input
+ was not properly encoded.
+ """
+ canonical = quote(unquote(value), safe="")
+ if canonical.lower() != value.lower():
+ sys.exit(
+ f"PURL qualifier {key}={value!r} in {purl!r}{_where(source)} "
+ f"is not properly percent-encoded. Expected {key}={canonical}."
+ )
+
+
+def _parse_purl(purl: str, source: Path | None) -> tuple[str, dict[str, str]]:
+ """Parse a PURL into (head, qualifiers).
- Per the VEX Repository Specification, version and subpath are stripped;
- for ``pkg:oci/*`` PURLs the ``repository_url`` qualifier MUST be preserved
- so Trivy can match the entry against the image PURL it generates at scan
- time. Other qualifiers are dropped.
+ ``head`` is ``pkg://`` with version and subpath
+ stripped. ``qualifiers`` preserves the original (validated) encoding so
+ callers can re-emit byte-identical strings.
+
+ Grammar enforced: ``pkg:type/namespace/name@version?qualifiers#subpath``
+ with qualifier values percent-encoded per RFC 3986.
 """
+ if not purl.startswith("pkg:"):
+ sys.exit(f"{purl!r}{_where(source)} is not a PURL (must start with 'pkg:').")
 head = purl
- qualifier_str = ""
+ # Subpath (#...) and qualifiers (?...) come after version; strip both
+ # before splitting on '@' so version sweeps don't accidentally cross a
+ # qualifier/subpath boundary.
+ if "#" in head:
+ head, _ = head.split("#", 1)
+ qualifiers: dict[str, str] = {}
 if "?" in head:
- head, qualifier_str = head.split("?", 1)
+ head, qual_str = head.split("?", 1)
+ for pair in qual_str.split("&"):
+ if "=" not in pair:
+ sys.exit(
+ f"PURL qualifier {pair!r} in {purl!r}{_where(source)} "
+ "is malformed (expected key=value)."
+ )
+ key, value = pair.split("=", 1)
+ if not _QUALIFIER_KEY_RE.fullmatch(key):
+ sys.exit(
+ f"PURL qualifier key {key!r} in {purl!r}{_where(source)} "
+ "is invalid (must be lowercase ASCII identifier)."
+ )
+ _ensure_percent_encoded(value, key, purl, source)
+ qualifiers[key] = value
 if "@" in head:
 head, _ = head.split("@", 1)
+ return head, qualifiers
+
+
+def index_id_for_purl(purl: str, source: Path | None = None) -> str:
+ """Return the canonical index id for a PURL.
+
+ Per the VEX Repository Specification, version, subpath, and qualifiers
+ are stripped from the index id; for ``pkg:oci/*`` PURLs the
+ ``repository_url`` qualifier MUST be preserved (and must be
+ percent-encoded) so Trivy can match the entry against the image PURL it
+ generates at scan time.
+ """
+ head, qualifiers = _parse_purl(purl, source)
 if head.startswith("pkg:oci/"):
- repo = next(
- (q for q in qualifier_str.split("&") if q.startswith("repository_url=")),
- None,
- )
- if not repo:
- where = f" in {source}" if source else ""
+ if "repository_url" not in qualifiers:
 sys.exit(
- f"OCI PURL {purl!r}{where} is missing the required "
+ f"OCI PURL {purl!r}{_where(source)} is missing the required "
 "'repository_url' qualifier. Per the VEX Repository "
 "Specification, OCI product @id values must include "
- "?repository_url=//."
+ "?repository_url=// with "
+ "slashes percent-encoded as %2F."
+ )
+ repo = qualifiers["repository_url"]
+ if not repo:
+ sys.exit(
+ f"OCI PURL {purl!r}{_where(source)} has an empty "
+ "'repository_url' qualifier."
 )
- return f"{head}?{repo}"
+ return f"{head}?repository_url={repo}"
 return head
From 90e07a830446206f4fe7e16deab69dcc2bfa8855 Mon Sep 17 00:00:00 2001
From: Remco Beckers Date: Thu, 18 Jun 2026 13:51:40 +0200 Subject: [PATCH 3/3] STAC-25019 Add Rancher-registry product entries to Lane 2 statements MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The existing Lane 2 statements only carry the quay.io/stackstate product identity, so scans of the Rancher-distribution copies under registry.rancher.com/suse-observability/* still miss them. Per CONTRIBUTING.md, Lane 2 must list one product entry per distribution registry — typically both Quay and the Rancher-registry copy. For each statement in both Lane 2 files, add a sibling product entry with @id pkg:oci/?repository_url=registry.rancher.com%2F\ suse-observability%2F and the same subcomponent. Done in the existing quay-keyed file using the CONTRIBUTING-endorsed "single file listing both in products" pattern, so the reasoning stays in one place. - opentelemetry-target-allocator: 5 statements x +1 product (Docker Engine docker/docker server-side CVEs, not in execute path). - stackstate-k8s-agent: 13 statements x +1 product (embedded CPython 3.13.13 stdlib CVEs). Regenerated index.json: now 5 entries (Maven plus both registry copies of each OCI image). The two Rancher entries reuse the quay-keyed file path, which build_index.py already supports. --- CONTRIBUTING.md | 21 +++- index.json | 16 ++- .../scan.openvex.json | 42 ++++++- .../stackstate-k8s-agent/scan.openvex.json | 106 +++++++++++++++++- 4 files changed, 175 insertions(+), 10 deletions(-) rename pkg/oci/{quay.io/stackstate => }/opentelemetry-target-allocator/scan.openvex.json (86%) rename pkg/oci/{quay.io/stackstate => }/stackstate-k8s-agent/scan.openvex.json (89%) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index fab8c77..662de4c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -75,7 +75,10 @@ package across our portfolio. the `repository_url` qualifier; the affected package is named in `subcomponents`. Because OCI PURLs are registry-coupled, list one product entry per distribution registry — typically both - `quay.io/stackstate/` and the Rancher-registry copy. + `quay.io/stackstate/` and the Rancher-registry copy + `registry.rancher.com/suse-observability/`. The + `repository_url` value must be percent-encoded (every `/` as `%2F`) + per the PURL spec; `build_index.py` rejects unencoded values. ### Steps @@ -85,10 +88,18 @@ package across our portfolio. [tools/README.md](./tools/README.md) for command examples. - Lane 1 path: `pkg/maven/org.eclipse.jetty/jetty-http/scan.openvex.json`. - - Lane 2 path: - `pkg/oci/quay.io/stackstate/zookeeper/scan.openvex.json` - (and a sibling under the Rancher-registry path, or a single file - listing both in `products`). + - Lane 2 path (default, single file listing every registry as a + separate product): `pkg/oci//scan.openvex.json`, e.g. + `pkg/oci/zookeeper/scan.openvex.json`. Drop the registry and + namespace segments from the path — they no longer identify the + file once `products` covers multiple registries; the registry + identity lives in each product's `repository_url` qualifier. + - Sibling-file alternative: only when the registry copies need + distinct reasoning, file + `pkg/oci/quay.io/stackstate//scan.openvex.json` and + `pkg/oci/registry.rancher.com/suse-observability//scan.openvex.json` + separately. Avoid this when the assertion is identical across + registries — duplication invites drift. 2. Run `python3 tools/build_index.py` to regenerate `index.json`. CI asserts the on-disk index matches the `pkg/` tree (`tools/build_index.py --check`). diff --git a/index.json b/index.json index ec4c875..1f03e0a 100644 --- a/index.json +++ b/index.json 
@@ -1,5 +1,5 @@ { - "updated_at": "2026-06-18T11:33:02Z", + "updated_at": "2026-06-18T11:53:07Z", "packages": [ { "id": "pkg:maven/org.eclipse.jetty/jetty-http", @@ -8,12 +8,22 @@ }, { "id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator", - "location": "pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json", + "location": "pkg/oci/opentelemetry-target-allocator/scan.openvex.json", + "format": "openvex" + }, + { + "id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator", + "location": "pkg/oci/opentelemetry-target-allocator/scan.openvex.json", "format": "openvex" }, { "id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent", - "location": "pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json", + "location": "pkg/oci/stackstate-k8s-agent/scan.openvex.json", + "format": "openvex" + }, + { + "id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "location": "pkg/oci/stackstate-k8s-agent/scan.openvex.json", "format": "openvex" } ] diff --git a/pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json b/pkg/oci/opentelemetry-target-allocator/scan.openvex.json similarity index 86% rename from pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json rename to pkg/oci/opentelemetry-target-allocator/scan.openvex.json index d146eef..3256910 100644 --- a/pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json +++ b/pkg/oci/opentelemetry-target-allocator/scan.openvex.json 
@@ -1,6 +1,6 @@ { "@context": "https://openvex.dev/ns/v0.2.0", - "@id": "https://github.com/StackVista/vexhub/pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/docker-engine-server-side-not-affected", + "@id": "https://github.com/StackVista/vexhub/pkg/oci/opentelemetry-target-allocator/docker-engine-server-side-not-affected", "author": "SUSE Observability Security Team", "version": 1, "statements": [ @@ -19,6 +19,14 @@ "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" } ] + }, + { + "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator", + "subcomponents": [ + { + "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" + } + ] } ], "status": "not_affected", @@ -41,6 +49,14 @@ "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" } ] + }, + { + "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator", + "subcomponents": [ + { + "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" + } + ] } ], "status": "not_affected", @@ -63,6 +79,14 @@ "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" } ] + }, + { + "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator", + "subcomponents": [ + { + "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" + } + ] } ], "status": "not_affected", @@ -85,6 +109,14 @@ "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" } ] + }, + { + "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator", + "subcomponents": [ + { + "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" + } + ] } ], "status": "not_affected", 
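Review bot: Each added Rancher product entry asserts the same subcomponent `pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible` for `registry.rancher.com/suse-observability/opentelemetry-target-allocator`, which is only sound if that registry serves the identical build; the description calls them copies, but nothing in the file records that assumption, so a separately rebuilt Rancher image would silently inherit a `not_affected` it was never assessed for. The same applies to the 13 statements in the stackstate-k8s-agent section that begins on the next line. Suggest recording the assumption once per statement in `status_notes`, e.g. appending `Both product entries describe the same image build published to two registries; re-verify the subcomponent version if the Rancher copy is ever rebuilt independently.` Note also that the renamed document `@id` in the first hunk changes the document's identity while `"version": 1` stays, so a consumer tracking documents by `@id` will see an unrelated new document rather than a revision of the old one.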
@@ -107,6 +139,14 @@ "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" } ] + }, + { + "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator", + "subcomponents": [ + { + "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible" + } + ] } ], "status": "not_affected", diff --git a/pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json b/pkg/oci/stackstate-k8s-agent/scan.openvex.json similarity index 89% rename from pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json rename to pkg/oci/stackstate-k8s-agent/scan.openvex.json index 1633ff9..667ddf7 100644 --- a/pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json +++ b/pkg/oci/stackstate-k8s-agent/scan.openvex.json @@ -1,6 +1,6 @@ { "@context": "https://openvex.dev/ns/v0.2.0", - "@id": "https://github.com/StackVista/vexhub/pkg/oci/quay.io/stackstate/stackstate-k8s-agent/CVE-2026-6100", + "@id": "https://github.com/StackVista/vexhub/pkg/oci/stackstate-k8s-agent/CVE-2026-6100", "author": "SUSE Observability Security Team", "version": 1, "statements": [ @@ -16,6 +16,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected", @@ -36,6 +44,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected", 
@@ -57,6 +73,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "fixed", @@ -74,6 +98,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected", @@ -92,6 +124,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected", @@ -110,6 +150,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "fixed", @@ -127,6 +175,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected", @@ -145,6 +201,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected", 
@@ -163,6 +227,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected", @@ -181,6 +253,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected", @@ -200,6 +280,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected", @@ -221,6 +309,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected", @@ -240,6 +336,14 @@ "@id": "pkg:generic/python@3.13.13" } ] + }, + { + "@id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent", + "subcomponents": [ + { + "@id": "pkg:generic/python@3.13.13" + } + ] } ], "status": "not_affected",