STAC-25019 Preserve repository_url qualifier on OCI PURLs

CONTRIBUTING.md

@@ -75,7 +75,10 @@ package across our portfolio.
   the `repository_url` qualifier; the affected package is named in
   `subcomponents`. Because OCI PURLs are registry-coupled, list one
   product entry per distribution registry — typically both
-  `quay.io/stackstate/<image>` and the Rancher-registry copy.
+  `quay.io/stackstate/<image>` and the Rancher-registry copy
+  `registry.rancher.com/suse-observability/<image>`. The
+  `repository_url` value must be percent-encoded (every `/` as `%2F`)
+  per the PURL spec; `build_index.py` rejects unencoded values.
 
 ### Steps
 
@@ -85,10 +88,18 @@ package across our portfolio.
    [tools/README.md](./tools/README.md) for command examples.
    - Lane 1 path:
      `pkg/maven/org.eclipse.jetty/jetty-http/scan.openvex.json`.
-   - Lane 2 path:
-     `pkg/oci/quay.io/stackstate/zookeeper/scan.openvex.json`
-     (and a sibling under the Rancher-registry path, or a single file
-     listing both in `products`).
+   - Lane 2 path (default, single file listing every registry as a
+     separate product): `pkg/oci/<image>/scan.openvex.json`, e.g.
+     `pkg/oci/zookeeper/scan.openvex.json`. Drop the registry and
+     namespace segments from the path — they no longer identify the
+     file once `products` covers multiple registries; the registry
+     identity lives in each product's `repository_url` qualifier.
+   - Sibling-file alternative: only when the registry copies need
+     distinct reasoning, file
+     `pkg/oci/quay.io/stackstate/<image>/scan.openvex.json` and
+     `pkg/oci/registry.rancher.com/suse-observability/<image>/scan.openvex.json`
+     separately. Avoid this when the assertion is identical across
+     registries — duplication invites drift.
 2. Run `python3 tools/build_index.py` to regenerate `index.json`. CI
    asserts the on-disk index matches the `pkg/` tree
    (`tools/build_index.py --check`).

index.json

@@ -1,19 +1,29 @@
 {
-  "updated_at": "2026-06-17T07:31:03Z",
+  "updated_at": "2026-06-18T11:53:07Z",
   "packages": [
     {
       "id": "pkg:maven/org.eclipse.jetty/jetty-http",
       "location": "pkg/maven/org.eclipse.jetty/jetty-http/scan.openvex.json",
       "format": "openvex"
     },
     {
-      "id": "pkg:oci/opentelemetry-target-allocator",
-      "location": "pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json",
+      "id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator",
+      "location": "pkg/oci/opentelemetry-target-allocator/scan.openvex.json",
       "format": "openvex"
     },
     {
-      "id": "pkg:oci/stackstate-k8s-agent",
-      "location": "pkg/oci/quay.io/stackstate/stackstate-k8s-agent/scan.openvex.json",
+      "id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator",
+      "location": "pkg/oci/opentelemetry-target-allocator/scan.openvex.json",
+      "format": "openvex"
+    },
+    {
+      "id": "pkg:oci/stackstate-k8s-agent?repository_url=quay.io%2Fstackstate%2Fstackstate-k8s-agent",
+      "location": "pkg/oci/stackstate-k8s-agent/scan.openvex.json",
+      "format": "openvex"
+    },
+    {
+      "id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent",
+      "location": "pkg/oci/stackstate-k8s-agent/scan.openvex.json",
       "format": "openvex"
     }
   ]

pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/scan.openvex.json → pkg/oci/opentelemetry-target-allocator/scan.openvex.json

@@ -1,6 +1,6 @@
 {
   "@context": "https://openvex.dev/ns/v0.2.0",
-  "@id": "https://github.com/StackVista/vexhub/pkg/oci/quay.io/stackstate/opentelemetry-target-allocator/docker-engine-server-side-not-affected",
+  "@id": "https://github.com/StackVista/vexhub/pkg/oci/opentelemetry-target-allocator/docker-engine-server-side-not-affected",
   "author": "SUSE Observability Security Team",
   "version": 1,
   "statements": [
@@ -13,7 +13,15 @@
       },
       "products": [
         {
-          "@id": "pkg:oci/opentelemetry-target-allocator",
+          "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator",
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator",
           "subcomponents": [
             {
               "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible"
@@ -35,7 +43,15 @@
       },
       "products": [
         {
-          "@id": "pkg:oci/opentelemetry-target-allocator",
+          "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator",
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator",
           "subcomponents": [
             {
               "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible"
@@ -57,7 +73,15 @@
       },
       "products": [
         {
-          "@id": "pkg:oci/opentelemetry-target-allocator",
+          "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator",
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator",
           "subcomponents": [
             {
               "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible"
@@ -79,7 +103,15 @@
       },
       "products": [
         {
-          "@id": "pkg:oci/opentelemetry-target-allocator",
+          "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator",
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator",
           "subcomponents": [
             {
               "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible"
@@ -91,6 +123,36 @@
       "justification": "vulnerable_code_not_in_execute_path",
       "status_notes": "Review by 2026-07-29 (6 weeks after 2026-06-17): re-check whether the next prometheus-operator release has dropped the legacy github.com/docker/docker dependency and the OpenTelemetry Operator has bumped to it; retire this statement once the dependency is gone.",
       "impact_statement": "CVE-2026-33997 is an off-by-one error in the Moby server's plugin privilege validation during docker plugin install: the daemon's privilege-set comparison can accept a privilege set that differs from the one approved by the user, and plugins requesting exactly one privilege are not compared at all. The vulnerable code lives in the Docker Engine server (the plugin install/privilege validation path in the daemon). The quay.io/stackstate/opentelemetry-target-allocator image ships only the targetallocator Go binary; it contains no dockerd, executes no docker plugin install flow, and is not invoked as a Docker daemon. github.com/docker/docker is pulled in transitively through github.com/prometheus/prometheus/discovery, and per upstream open-telemetry/opentelemetry-operator#4926 only the client-side packages are used: \"It only uses the client side of the docker package, whereas the vulnerabilities affect the server side.\" The fix lives at the new github.com/moby/moby/v2 module path (Docker Engine 29.3.1 / v2.0.0-beta.8); Prometheus has migrated in prometheus/prometheus#18433, and once the next prometheus-operator release picks up that Prometheus version and the OpenTelemetry Operator bumps to it, the docker/docker dependency will disappear from the target allocator entirely and this VEX will become moot."
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2026-41568",
+        "aliases": [
+          "GHSA-vp62-88p7-qqf5"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=quay.io%2Fstackstate%2Fopentelemetry-target-allocator",
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible"
+            }
+          ]
+        },
+        {
+          "@id": "pkg:oci/opentelemetry-target-allocator?repository_url=registry.rancher.com%2Fsuse-observability%2Fopentelemetry-target-allocator",
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/docker/docker@v28.5.2%2Bincompatible"
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "status_notes": "Review by 2026-07-29 (6 weeks after 2026-06-17): re-check whether the next prometheus-operator release has dropped the legacy github.com/docker/docker dependency and the OpenTelemetry Operator has bumped to it; retire this statement once the dependency is gone.",
+      "impact_statement": "CVE-2026-41568 is a TOCTOU symlink race in the Moby server's docker cp mountpoint setup: between GetResourcePath resolving the in-container destination and createIfNotExists materialising it via os.MkdirAll/os.OpenFile, a container process can swap a path component for a symlink, causing the daemon (running as host root) to create an empty file or directory at an arbitrary absolute host path. The vulnerable code lives in the Docker Engine server (daemon/archive.go and the docker cp mountpoint setup path), classified as CWE-61 / CWE-367. The quay.io/stackstate/opentelemetry-target-allocator image ships only the targetallocator Go binary; it contains no dockerd, performs no docker cp mountpoint setup, and is not invoked as a Docker daemon. github.com/docker/docker is pulled in transitively through github.com/prometheus/prometheus/discovery, and per upstream open-telemetry/opentelemetry-operator#4926 only the client-side packages are used: \"It only uses the client side of the docker package, whereas the vulnerabilities affect the server side.\" The fix lives at the new github.com/moby/moby/v2 module path (Docker Engine 29.5.1 / v2.0.0-beta.14); Prometheus has migrated in prometheus/prometheus#18433, and once the next prometheus-operator release picks up that Prometheus version and the OpenTelemetry Operator bumps to it, the docker/docker dependency will disappear from the target allocator entirely and this VEX will become moot."
     }
   ],
   "timestamp": "2026-06-17T00:00:00Z"