From 90325628f7f9389f2c15d19a646fb6cfac6cfd8b Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Mon, 13 Oct 2025 14:34:48 +0200 Subject: [PATCH 1/4] Update `name` labels as proposed in https://github.com/stackrox/scanner/pull/2148 --- image/db/rhel/konflux.Dockerfile | 4 ++-- image/scanner/rhel/konflux.Dockerfile | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile index 8469e6e87..2ae9be3d1 100644 --- a/image/db/rhel/konflux.Dockerfile +++ b/image/db/rhel/konflux.Dockerfile @@ -57,7 +57,7 @@ FROM scanner-db-common AS scanner-db-slim LABEL \ com.redhat.component="rhacs-scanner-db-slim-container" \ io.k8s.display-name="scanner-db-slim" \ - name="rhacs-scanner-db-slim-rhel8" + name="advanced-cluster-security/rhacs-scanner-db-slim-rhel8" ENV ROX_SLIM_MODE="true" @@ -67,7 +67,7 @@ FROM scanner-db-common AS scanner-db LABEL \ com.redhat.component="rhacs-scanner-db-container" \ io.k8s.display-name="scanner-db" \ - name="rhacs-scanner-db-rhel8" + name="advanced-cluster-security/rhacs-scanner-db-rhel8" COPY --chown=0:0 .konflux/scanner-data/blob-pg-definitions.sql.gz \ /docker-entrypoint-initdb.d/definitions.sql.gz diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index bc16aaeee..a2b6e97b8 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile @@ -85,7 +85,7 @@ FROM scanner-common AS scanner-slim LABEL \ com.redhat.component="rhacs-scanner-slim-container" \ io.k8s.display-name="scanner-slim" \ - name="rhacs-scanner-slim-rhel8" + name="advanced-cluster-security/rhacs-scanner-slim-rhel8" ENV ROX_SLIM_MODE="true" 
@@ -96,7 +96,7 @@ FROM scanner-common AS scanner LABEL \ com.redhat.component="rhacs-scanner-container" \ io.k8s.display-name="scanner" \ - name="rhacs-scanner-rhel8" + name="advanced-cluster-security/rhacs-scanner-rhel8" ENV NVD_DEFINITIONS_DIR="/nvd_definitions" ENV K8S_DEFINITIONS_DIR="/k8s_definitions" From 3b2de5531d729646a95323521a15b7f6422e30d2 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Mon, 13 Oct 2025 16:37:11 +0200 Subject: [PATCH 2/4] Apply `cpe` label I wired it through pipeline files and not dockerfiles because when changing app, component and serviceaccount suffixes, it can also be noticed and modified in the same place rather than chasing konflux.Dockerfiles. --- .tekton/scanner-build.yaml | 4 ++++ .tekton/scanner-component-pipeline.yaml | 11 +++++++++++ .tekton/scanner-db-build.yaml | 4 ++++ .tekton/scanner-db-slim-build.yaml | 4 ++++ .tekton/scanner-slim-build.yaml | 4 ++++ 5 files changed, 27 insertions(+) diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml index 8e13de444..e97308b3a 100644 --- a/.tekton/scanner-build.yaml +++ b/.tekton/scanner-build.yaml @@ -53,6 +53,10 @@ spec: value: 'true' - name: blobs-to-fetch value: [ 'nvd-definitions.zip', 'k8s-definitions.zip', 'repo2cpe.zip', 'genesis_manifests.json' ] + - name: extra-labels + value: + # X.Y in the cpe label must be adjusted for every version stream. + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" workspaces: - name: git-auth diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml index 697d7591d..c755e5343 100644 --- a/.tekton/scanner-component-pipeline.yaml +++ b/.tekton/scanner-component-pipeline.yaml @@ -120,6 +120,9 @@ spec: default: docker type: string description: The format for the resulting image's mediaType. Valid values are oci or docker. + - name: extra-labels + type: array + description: Additional labels to put on the built containers. results: - description: "" name: IMAGE_URL 
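Review bot: The `cpe` label is added with the literal placeholder `X.Y` in `- "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8"`, and the only thing standing between that placeholder and a published image is the `# X.Y in the cpe label must be adjusted for every version stream.` comment; the same four lines are duplicated in .tekton/scanner-db-build.yaml, .tekton/scanner-db-slim-build.yaml and .tekton/scanner-slim-build.yaml. A CPE that does not name the real product stream makes the image match the wrong advisory and vulnerability data downstream, or none at all, which is a silent failure rather than a build error. Keeping the version in one place and deriving this value from it, or at least having the pipeline fail when the label still contains `X.Y`, would turn the reminder into a check. If the four files must stay duplicated, the comment should also name the other three copies so an update to one is not missed.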
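Review bot: The new `extra-labels` parameter declares `type: array` and a description but no `default:`, unlike the neighbouring `buildah-format` parameter which carries `default: docker`, so any run of this pipeline that does not supply the parameter is rejected at validation time. If the label list is meant to be optional, `default: []` lets the four call sites in this series be the only ones that know about it; if it is meant to be mandatory, the description should say so. The `params:` list this hunk sits in begins outside the hunk.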
@@ -293,6 +296,8 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: BUILDAH_FORMAT value: $(params.buildah-format) + - name: LABELS + value: ["$(params.extra-labels[*])"] taskRef: params: - name: name @@ -333,6 +338,8 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM value: linux/s390x + - name: LABELS + value: ["$(params.extra-labels[*])"] taskRef: params: - name: name @@ -373,6 +380,8 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM value: linux/ppc64le + - name: LABELS + value: ["$(params.extra-labels[*])"] taskRef: params: - name: name @@ -413,6 +422,8 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM value: linux/arm64 + - name: LABELS + value: ["$(params.extra-labels[*])"] taskRef: params: - name: name diff --git a/.tekton/scanner-db-build.yaml b/.tekton/scanner-db-build.yaml index ea43f6c7b..c386ed7df 100644 --- a/.tekton/scanner-db-build.yaml +++ b/.tekton/scanner-db-build.yaml @@ -50,6 +50,10 @@ spec: value: 'true' - name: blobs-to-fetch value: [ 'pg-definitions.sql.gz' ] + - name: extra-labels + value: + # X.Y in the cpe label must be adjusted for every version stream. + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" workspaces: - name: git-auth diff --git a/.tekton/scanner-db-slim-build.yaml b/.tekton/scanner-db-slim-build.yaml index 3fd222eae..0d1d09c04 100644 --- a/.tekton/scanner-db-slim-build.yaml +++ b/.tekton/scanner-db-slim-build.yaml @@ -50,6 +50,10 @@ spec: value: 'true' - name: blobs-to-fetch value: [ ] + - name: extra-labels + value: + # X.Y in the cpe label must be adjusted for every version stream. + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" workspaces: - name: git-auth diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml index e486fd645..32eac14b8 100644 --- a/.tekton/scanner-slim-build.yaml +++ b/.tekton/scanner-slim-build.yaml 
@@ -53,6 +53,10 @@ spec: value: 'true' - name: blobs-to-fetch value: [ 'nvd-definitions.zip', 'k8s-definitions.zip', 'repo2cpe.zip', 'genesis_manifests.json' ] + - name: extra-labels + value: + # X.Y in the cpe label must be adjusted for every version stream. + - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el8" workspaces: - name: git-auth From 8e2f241110997344cb19a392043f07355ac72462 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 14 Oct 2025 12:50:02 +0200 Subject: [PATCH 3/4] Populate `org.opencontainers.image.created` label via `BUILD_TIMESTAMP` param. The label is currently highlighted as a warning by Conforma. --- .tekton/scanner-component-pipeline.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml index c755e5343..a23b164d4 100644 --- a/.tekton/scanner-component-pipeline.yaml +++ b/.tekton/scanner-component-pipeline.yaml @@ -298,6 +298,8 @@ spec: value: $(params.buildah-format) - name: LABELS value: ["$(params.extra-labels[*])"] + - name: BUILD_TIMESTAMP + value: "$(tasks.clone-repository.results.commit-timestamp)" taskRef: params: - name: name @@ -340,6 +342,8 @@ spec: value: linux/s390x - name: LABELS value: ["$(params.extra-labels[*])"] + - name: BUILD_TIMESTAMP + value: "$(tasks.clone-repository.results.commit-timestamp)" taskRef: params: - name: name @@ -382,6 +386,8 @@ spec: value: linux/ppc64le - name: LABELS value: ["$(params.extra-labels[*])"] + - name: BUILD_TIMESTAMP + value: "$(tasks.clone-repository.results.commit-timestamp)" taskRef: params: - name: name @@ -424,6 +430,8 @@ spec: value: linux/arm64 - name: LABELS value: ["$(params.extra-labels[*])"] + - name: BUILD_TIMESTAMP + value: "$(tasks.clone-repository.results.commit-timestamp)" taskRef: params: - name: name From 85c1a10c2f7134d9fa4c1260618a112404250428 Mon Sep 17 00:00:00 2001 
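Review bot: The `org.opencontainers.image.created` label will now carry the commit time rather than the time the image was actually built, because `BUILD_TIMESTAMP` is fed from `$(tasks.clone-repository.results.commit-timestamp)`; that is a defensible choice if reproducible rebuilds are the goal, but nothing in the four hunks records it, and consumers that read `created` as an age signal (admission policies, base-image staleness checks) will see a value that can be arbitrarily older than the build. A one-line comment above the first occurrence, e.g. `# Commit time rather than wall-clock time, so 'created' is stable across rebuilds of the same commit.`, would record the intent; the same applies to the s390x, ppc64le and arm64 hunks below. This also presumes the clone task is named `clone-repository` and exposes a `commit-timestamp` result, both of which are defined outside these hunks and worth confirming.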
From: Misha Sugakov Date: Tue, 14 Oct 2025 12:51:33 +0200 Subject: [PATCH 4/4] Populate `BUILDAH_FORMAT` where missing See https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1760438547286539?thread_ts=1758912510.784729&cid=C04PZ7H0VA8 This is part of https://issues.redhat.com/browse/ROX-31049 --- .tekton/scanner-component-pipeline.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml index a23b164d4..22a002c1b 100644 --- a/.tekton/scanner-component-pipeline.yaml +++ b/.tekton/scanner-component-pipeline.yaml @@ -340,6 +340,8 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM value: linux/s390x + - name: BUILDAH_FORMAT + value: $(params.buildah-format) - name: LABELS value: ["$(params.extra-labels[*])"] - name: BUILD_TIMESTAMP @@ -384,6 +386,8 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM value: linux/ppc64le + - name: BUILDAH_FORMAT + value: $(params.buildah-format) - name: LABELS value: ["$(params.extra-labels[*])"] - name: BUILD_TIMESTAMP @@ -428,6 +432,8 @@ spec: value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM value: linux/arm64 + - name: BUILDAH_FORMAT + value: $(params.buildah-format) - name: LABELS value: ["$(params.extra-labels[*])"] - name: BUILD_TIMESTAMP