LCORE-1435: Vulnerabilities found in Konflux pipeline - main branch patch#1931

Draft
Jazzcort wants to merge 1 commit into
lightspeed-core:mainfrom
Jazzcort:update-rhai-base-image-with-better-grade

Conversation


@Jazzcort Jazzcort commented Jun 15, 2026


Description

This patch is a copy of this patch #1923 but to our main branch. Thanks @syedriko for the guidance on this one!

The changes:

  1. Switch builder and runtime base images from registry.redhat.io/rhai/base-image-cpu-rhel9:3.2 to quay.io/aipcc/base-images/cpu:3.3.2-1780599114
  2. Remove gcc-c++ and libstdc++-devel RPM entries from the lock file for both aarch64 and x86_64

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
  • Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

LCORE-1435

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

Check the Konflux console; those vulnerability warnings should go away.

Summary by CodeRabbit

  • Chores
    • Updated base container images to the latest stable versions with enhanced security patches, critical bug fixes, and performance improvements, ensuring better compatibility and overall stability across all supported architectures.
    • Removed unnecessary C++ development dependencies and compilation tools from the build configuration, optimizing the build environment for improved efficiency and reduced resource consumption.

@Jazzcort Jazzcort changed the title from "Update RHAI base image to quay.io/aipcc cpu:3.3.2" to "LCORE-1435: Vulnerabilities found in Konflux pipeline - main branch patch" Jun 15, 2026

coderabbitai Bot commented Jun 15, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between f1ccb35 and d5b81b4.

📒 Files selected for processing (2)
  • .konflux/build-args-konflux.conf
  • .konflux/rpms.lock.yaml
💤 Files with no reviewable changes (1)
  • .konflux/rpms.lock.yaml
🔇 Additional comments (1)
.konflux/build-args-konflux.conf (1)

1-1: The registry migration to quay.io/aipcc is documented and intentional, but additional verification of supply-chain provenance is warranted.

This PR migrates from the official Red Hat registry (registry.redhat.io/rhai/base-image-cpu-rhel9:3.2) to quay.io/aipcc/base-images/cpu:3.3.2-1780599114. The migration is tracked in git (commit d5b81b4) and the RPM lockfile changes (removal of gcc-c++ and libstdc++-devel) are explicitly documented in the commit message, confirming cross-file consistency.

However, the following remain unverified:

  1. AIPCC registry governance: While quay-aipcc credentials are configured in the CI/CD pipeline, public documentation is needed confirming who maintains this namespace and whether it's an official continuation of the RHAI project.
  2. Image provenance and signing: Confirm the new image includes supply-chain attestation (e.g., SLSA provenance, Sigstore signatures) to validate the CVE fix claim.
  3. Image authenticity: Verify the new image tag (3.3.2-1780599114) is accessible to authorized builds and has known provenance.

Ensure the CVE fixes claimed in the new image are documented and that the migration path from registry.redhat.io/rhai to quay.io/aipcc is covered by organizational security policies.


Walkthrough

The Konflux build configuration updates BUILDER_BASE_IMAGE and RUNTIME_BASE_IMAGE from registry.redhat.io/rhai/base-image-cpu-rhel9:3.2 to quay.io/aipcc/base-images/cpu:3.3.2-1780599114. The RPM lockfile removes gcc-c++ and libstdc++-devel entries for both aarch64 and x86_64 architectures.

Changes

Konflux base image bump and RPM lockfile cleanup

Base image tag update (.konflux/build-args-konflux.conf): BUILDER_BASE_IMAGE and RUNTIME_BASE_IMAGE are updated from registry.redhat.io/rhai/base-image-cpu-rhel9:3.2 to quay.io/aipcc/base-images/cpu:3.3.2-1780599114.

RPM lockfile cleanup (.konflux/rpms.lock.yaml): gcc-c++ and libstdc++-devel package entries are removed for both aarch64 and x86_64 architectures.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly identifies the main change: addressing vulnerabilities in the Konflux pipeline via a base image update, with specific reference to the ticket number LCORE-1435.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; docstring coverage check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

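One defender-side check that follows from the provenance point raised in the review above, as an added example (not code from the lightspeed-core repository or from Konflux or CodeRabbit): a POSIX sh script that scans a Konflux build-args file for *_BASE_IMAGE references and flags any that are not pinned by digest or that come from a registry outside a team allowlist. It assumes the file is a plain KEY=VALUE list (the page names BUILDER_BASE_IMAGE and RUNTIME_BASE_IMAGE); the sample file written below, including its all-zero digest, is constructed.

```shell
#!/bin/sh
# Added example: policy check for base-image references in a KEY=VALUE
# build-args file. Assumption: one KEY=VALUE per line, '#' starts a comment.

# check_image_refs FILE ALLOWED_PREFIX...
# Prints one finding per line; returns 1 if any *_BASE_IMAGE reference
# is tag-only (no @sha256:<64 hex>) or not under an allowed prefix.
check_image_refs() {
  file="$1"; shift
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"
    ref="${line#*=}"
    case "$key" in *_BASE_IMAGE) ;; *) continue ;; esac
    # 1. Digest pinning: a tag can be re-pushed; a digest names exact content.
    case "$ref" in
      *@sha256:*) digest="${ref##*@sha256:}" ;;
      *) digest="" ;;
    esac
    if [ "${#digest}" -ne 64 ] || printf '%s' "$digest" | grep -q '[^0-9a-f]'; then
      echo "$key: not digest-pinned: $ref"; rc=1
    fi
    # 2. Registry allowlist: only prefixes the team has vetted for provenance.
    ok=0
    for p in "$@"; do
      case "$ref" in "$p"*) ok=1 ;; esac
    done
    [ "$ok" -eq 1 ] || { echo "$key: registry not in allowlist: $ref"; rc=1; }
  done < "$file"
  return $rc
}

# write_sample FILE: constructed build-args content modelled on this PR.
# The sha256 of all zeros is a placeholder, not a real image digest.
write_sample() {
  cat > "$1" <<'EOF'
# constructed sample, not the repository's real file
BUILDER_BASE_IMAGE=quay.io/aipcc/base-images/cpu:3.3.2-1780599114
RUNTIME_BASE_IMAGE=quay.io/aipcc/base-images/cpu:3.3.2-1780599114
PREVIOUS_BASE_IMAGE=registry.redhat.io/rhai/base-image-cpu-rhel9:3.2@sha256:0000000000000000000000000000000000000000000000000000000000000000
SOME_OTHER_ARG=ignored-by-the-check
EOF
}

tmp=$(mktemp); write_sample "$tmp"
check_image_refs "$tmp" registry.redhat.io/; echo "exit status: $?"
rm -f "$tmp"
```

Run as-is, the quay.io references are reported twice each (tag-only and outside the allowlist) while the digest-pinned registry.redhat.io line passes; pass quay.io/aipcc/ as a second prefix once the namespace has been vetted and only the pinning findings remain.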

@Jazzcort Jazzcort marked this pull request as draft June 15, 2026 14:54
@Jazzcort Jazzcort (Author) commented

After checking in with @syedriko, we should wait for the image update on registry.redhat.io instead of using the image from quay.io, which is a hack for an urgent release. 😁 I'll make this ready for review when they update the image on registry.redhat.io.
