
chore(deps): Update ubi-minimal base image#3029

Merged
simonbaird merged 3 commits into conforma:release-v0.5 from simonbaird:freshen-deps-v0.5-ubi-bump-251111150507
Nov 12, 2025

Conversation

@simonbaird (Member) commented Nov 11, 2025

User description

Ref: EC-1553


PR Type

Enhancement


Description

  • Update UBI9 minimal base image to latest digest
  • Upgrade OpenSSL from 3.2.2 to 3.5.1 across architectures
  • Update OpenSSH from 8.7p1-45 to 8.7p1-46 with security fixes
  • Refresh jq and less package versions in lock file


Diagram Walkthrough

flowchart LR
  A["UBI9 Base Image"] -->|"Update SHA256"| B["New Image Digest"]
  C["Dependency Packages"] -->|"Version Bumps"| D["OpenSSL 3.5.1"]
  C -->|"Version Bumps"| E["OpenSSH 8.7p1-46"]
  C -->|"Version Bumps"| F["jq 1.6-19"]
  C -->|"Version Bumps"| G["less 590-6"]
  D --> H["Updated rpms.lock.yaml"]
  E --> H
  F --> H
  G --> H

File Walkthrough

Relevant files

Dependencies

Dockerfile: Update UBI9 base image digest (+1/-1)
  • Update base image SHA256 digest from
    7c5495d5fad59aaee12abc3cbbd2b283818ee1e814b00dbc7f25bf2d14fa4f0c to
    2ddd6e10383981c7d10e4966a7c0edce7159f8ca91b1691cafabc78bae79d8f8
  • Maintains UBI9 minimal image reference with latest tag

Dockerfile.dist: Update UBI9 base image digest (+1/-1)
  • Update base image SHA256 digest from
    7c5495d5fad59aaee12abc3cbbd2b283818ee1e814b00dbc7f25bf2d14fa4f0c to
    2ddd6e10383981c7d10e4966a7c0edce7159f8ca91b1691cafabc78bae79d8f8
  • Maintains UBI9 minimal image reference with latest tag

rpms.lock.yaml: Refresh RPM package versions and checksums (+123/-123)
  • Upgrade OpenSSL from version 1:3.2.2-6.el9_5.1 to 1:3.5.1-3.el9 across
    all architectures (aarch64, ppc64le, x86_64)
  • Upgrade OpenSSH from 8.7p1-45.el9 to 8.7p1-46.el9 with updated
    checksums and sizes
  • Upgrade jq from 1.6-17.el9_6.2 to 1.6-19.el9 with new checksums
  • Upgrade less from 590-5.el9 to 590-6.el9 with updated package sizes
    and checksums
  • Update all corresponding source RPM entries (SRPMS) with new versions
    and checksums

@qodo-code-review bot (Contributor) commented Nov 11, 2025

PR Compliance Guide 🔍

(Compliance updated until commit eed6cbb)

Below is a summary of compliance checks for this PR:

Security Compliance 🟢
No security concerns identified. No security vulnerabilities detected by AI analysis; human verification advised for critical code.

Ticket Compliance 🎫
No ticket provided.

Codebase Duplication Compliance
Codebase context is not defined. Follow the guide to enable codebase context checks.

Custom Compliance 🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Missing Audit Logs: The script adds networked actions (git checkout, KO_DOCKER_REPO change, docker run)
without introducing any logging of the actor, timestamp, or outcomes for audit purposes.

Referred Code
git checkout v0.7.22
./hack/setup-kind.sh
export KO_DOCKER_REPO='registry.local:5001/sigstore'
./hack/setup-scaffolding.sh
# Setup the dummy OIDC issuer
LDFLAGS='' ko apply -BRf ./testdata/config/gettoken
 ... (clipped 88 lines)

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Weak Error Handling: Newly added commands (git checkout, environment changes, docker run) lack explicit error
checks or retries, risking silent failures in CI.

Referred Code
git checkout v0.7.22
./hack/setup-kind.sh
export KO_DOCKER_REPO='registry.local:5001/sigstore'
./hack/setup-scaffolding.sh
# Setup the dummy OIDC issuer
LDFLAGS='' ko apply -BRf ./testdata/config/gettoken
 ... (clipped 88 lines)

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unvalidated Inputs: The script invokes external tools and registries with values derived from environment and
network without added validation or sanitization in the new lines (e.g., KO_DOCKER_REPO,
docker image tag).

Referred Code
export KO_DOCKER_REPO='registry.local:5001/sigstore'
./hack/setup-scaffolding.sh
# Setup the dummy OIDC issuer
LDFLAGS='' ko apply -BRf ./testdata/config/gettoken
 ... (clipped 86 lines)

Compliance status legend:
  • 🟢 - Fully Compliant
  • 🟡 - Partially Compliant
  • 🔴 - Not Compliant
  • ⚪ - Requires Further Human Verification
  • 🏷️ - Compliance label

Previous compliance checks

Compliance check up to commit 1cb521e
Security Compliance
Ambiguous image tag

Description: The image is pinned to a specific digest but still references the 'latest' tag, which
could cause confusion and policy violations where untagged floating tags are disallowed;
prefer using only the registry path with digest (without 'latest') to avoid ambiguity.
Dockerfile [44-44]

Referred Code
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:2ddd6e10383981c7d10e4966a7c0edce7159f8ca91b1691cafabc78bae79d8f8
Ticket Compliance 🎫
No ticket provided.

Codebase Duplication Compliance
Codebase context is not defined. Follow the guide to enable codebase context checks.

Custom Compliance 🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No audit logs: The PR only updates base image digests and RPM lock entries without introducing or
modifying any application logic, so it neither adds nor removes audit logging for critical
actions based on the visible changes.

Referred Code
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:2ddd6e10383981c7d10e4966a7c0edce7159f8ca91b1691cafabc78bae79d8f8

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error paths: The changes only bump the base image and RPM versions and do not introduce executable
logic where error handling could be assessed.

Referred Code
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:2ddd6e10383981c7d10e4966a7c0edce7159f8ca91b1691cafabc78bae79d8f8

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
Not applicable: No user-facing error handling behavior is modified or added in this PR; only base image
references are updated.

Referred Code
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:2ddd6e10383981c7d10e4966a7c0edce7159f8ca91b1691cafabc78bae79d8f8

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
No input changed: The PR updates base image and package versions but does not add code paths handling
external inputs, so validation and sanitization cannot be evaluated from the diff alone.

Referred Code
  sourcerpm: expat-2.5.0-5.el9_6.src.rpm
- url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/g/gzip-1.12-1.el9.x86_64.rpm
  repoid: ubi-9-for-x86_64-baseos-rpms
  size: 171206
  checksum: sha256:c8b3e0414d55b1eedb0185a564ac6cb2368bee2fd5f995447d045f6a714488ac
  name: gzip
  evr: 1.12-1.el9
  sourcerpm: gzip-1.12-1.el9.src.rpm
- url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/j/jq-1.6-19.el9.x86_64.rpm
  repoid: ubi-9-for-x86_64-baseos-rpms
  size: 191662
  checksum: sha256:6b4d82714813d7b4a3200bf2856a3c1493d186e9caa916d7a700ec25e4996462
  name: jq
  evr: 1.6-19.el9
  sourcerpm: jq-1.6-19.el9.src.rpm

@qodo-code-review bot (Contributor) commented Nov 11, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: General
Suggestion: Use a specific image tag instead of 'latest'

In Dockerfile and Dockerfile.dist, replace the :latest base image tag with a
specific version tag (e.g., :9.4) to improve clarity and build reproducibility.

Dockerfile [44]

-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:2ddd6e10383981c7d10e4966a7c0edce7159f8ca91b1691cafabc78bae79d8f8
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4@sha256:2ddd6e10383981c7d10e4966a7c0edce7159f8ca91b1691cafabc78bae79d8f8
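Review bot: the suggested `:9.4` tag is not shown anywhere to correspond to the sha256 digest already pinned on the same line, and with a digest present the tag does not change which image is pulled, so this edit adds nothing to reproducibility and can label the image with a version it is not. If a non-floating tag is wanted for readability, use the tag that actually resolves to this digest; the author's reply below also notes that ubi-minimal is single-stream, so an older version tag stops receiving updates once the next one is published.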
Suggestion importance [1-10]: 5

Why: The suggestion correctly recommends replacing the :latest tag with a specific version for better clarity and reproducibility, which is a Docker best practice.

Impact: Low

@simonbaird (Member, Author) commented Nov 11, 2025

I don't want to remove the :latest tag. See explanation in commit a5bd9ee:

The reasoning behind switching to the :latest tag is that
ubi-minimal is single stream, so as soon as :9.6 is pushed, there
are no more updates to :9.5.
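
As an added example (not conforma's own code), the two kinds of pin this PR touches can be checked mechanically: a Dockerfile FROM reference is parsed and reported when it carries no digest (a tag alone, whether :latest or :9.5, can be re-pointed at the registry, while a digest fixes the content regardless of the tag), and an rpms.lock.yaml entry is checked for a well-formed sha256 checksum and a URL filename that agrees with its name, evr and repo architecture. The jq entry is copied from the lock-file lines quoted above; the openssl-libs entry with a stale URL and an all-zero checksum is constructed for the failing case.

```python
import re
# Added example (not conforma's code): pin checks for Dockerfile FROM lines and rpms.lock.yaml entries.
FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?"
    r"(?P<name>[^\s:@/]+(?::\d+)?(?:/[^\s:@/]+)*)"  # registry[:port]/path
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"                # optional :tag
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"         # optional @sha256:...
    r"(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE)
RPM_FILE_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)\.rpm$")

def parse_from(line):
    """Split a FROM line into name, tag and digest (None where absent)."""
    m = FROM_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a FROM line: {line!r}")
    return {"name": m["name"], "tag": m["tag"], "digest": m["digest"]}

def from_findings(line):
    """Empty when the image is pinned by digest. A tag alone (:latest, :9.5)
    can be re-pointed at the registry; with a digest the tag is informational."""
    ref = parse_from(line)
    if ref["digest"] is None:
        return [f"{ref['name']}: not digest-pinned, tag :{ref['tag'] or 'latest'} can move"]
    return []

def lock_findings(e):
    """Check one lock entry: sha256 checksum form, URL filename agreeing with
    name and evr (filenames carry no epoch), and arch matching the repoid."""
    out = []
    if not re.fullmatch(r"sha256:[0-9a-f]{64}", e.get("checksum", "")):
        out.append(f"{e['name']}: checksum is not sha256:<64 hex>")
    evr = e["evr"].split(":", 1)[-1]
    fname = e["url"].rsplit("/", 1)[-1]
    m = RPM_FILE_RE.match(fname)
    if not m or m["name"] != e["name"] or f"{m['ver']}-{m['rel']}" != evr:
        out.append(f"{e['name']}: url file {fname} does not match {e['name']}-{evr}")
    elif m["arch"] != "noarch" and m["arch"] not in e["repoid"]:
        out.append(f"{e['name']}: arch {m['arch']} not in repoid {e['repoid']}")
    return out

# Constructed samples: JQ copies the jq entry quoted in the PR; STALE is an
# invented openssl-libs entry whose URL still names the old version.
JQ = {"url": "https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/j/jq-1.6-19.el9.x86_64.rpm",
      "repoid": "ubi-9-for-x86_64-baseos-rpms", "size": 191662, "name": "jq", "evr": "1.6-19.el9",
      "checksum": "sha256:6b4d82714813d7b4a3200bf2856a3c1493d186e9caa916d7a700ec25e4996462"}
STALE = {"url": "https://example.invalid/Packages/o/openssl-libs-3.2.2-6.el9_5.1.x86_64.rpm",
         "repoid": "ubi-9-for-x86_64-baseos-rpms", "checksum": "sha256:" + "0" * 64,
         "name": "openssl-libs", "evr": "1:3.5.1-3.el9"}
PINNED = ("FROM registry.access.redhat.com/ubi9/ubi-minimal:latest"
          "@sha256:2ddd6e10383981c7d10e4966a7c0edce7159f8ca91b1691cafabc78bae79d8f8")
```

Running `from_findings(PINNED)` returns no findings while `from_findings("FROM ubuntu:22.04")` reports the unpinned image; `lock_findings(STALE)` flags the URL/evr mismatch that a refreshed lock file must not contain.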

@codecov bot commented Nov 11, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag         Coverage Δ
generative   74.11% <ø> (+2.00%) ⬆️
integration  74.11% <ø> (+2.00%) ⬆️
unit         74.11% <ø> (+2.00%) ⬆️


Includes a minor version upgrade from 0.4 to 0.6 for the
build-oci-ta task.

Somewhat related to...
Ref: https://issues.redhat.com/browse/EC-1553
@simonbaird force-pushed the freshen-deps-v0.5-ubi-bump-251111150507 branch from 1195ef5 to 8442db0 on November 11, 2025 20:30
@simonbaird (Member, Author) commented

Last revision includes an upgraded build-oci-ta task to avoid a Conforma violation.

The files were generated with `hack/generate-test-signed-images.sh`
and checked in, then `UPDATE_SNAPS=true make acceptance` was run to
update the snapshot data.

Notes:
- I'm trying to get one last green build for v0.5 done before we
  stop maintaining it.
- Cherry-picking 829dd06 would have
  been a sensible way to add this, but there were conflicts in the
  snapshot data so I decided to re-run the script, but using the
  main branch version of the script (since the version in the branch
  is a little broken). The script updates are included in this commit.

Ref: https://issues.redhat.com/browse/EC-1553
@simonbaird (Member, Author) commented

There was one last commit needed to update the test image and wiremocks etc., similar to #3023. I might have cherry-picked that from the main branch, but the conflicts in the snapshot data seemed difficult, so I used the script to recreate it in the release-v0.5 branch.

@simonbaird simonbaird merged commit d34595a into conforma:release-v0.5 Nov 12, 2025
7 checks passed
@simonbaird simonbaird deleted the freshen-deps-v0.5-ubi-bump-251111150507 branch November 12, 2025 15:41