From the larger list in https://issues.redhat.com/browse/ACM-25080, here is what we need to address. I have split the issues into sections based on how they might be resolved.
Base Image Updates
These should all be resolved by updating the UBI base image in each component and rebuilding the containers. We should assume all of our images need this.
libxml2: CVE-2025-7425, CVE-2025-32414, CVE-2025-32415
glibc: CVE-2025-8058
sqlite: CVE-2025-6965
gnutls: CVE-2025-32988, CVE-2025-32989, CVE-2025-32990, CVE-2025-6395
glib2: CVE-2024-52533, CVE-2025-4373
libarchive: CVE-2025-5914
ncurses: CVE-2022-29458
golang.org/x/net
Affects: acm-governance-policy-addon-controller-rhel9, acm-governance-policy-framework-addon-rhel9, governance-policy-propagator-rhel9
CVE-2025-22870 requires 0.36.0+
CVE-2025-22872 requires 0.38.0+
It doesn't seem like we're vulnerable to these, but if we can update to silence the scanners anyway, that would be nice.
helm.sh/helm/v3
Affects: acm-governance-policy-addon-controller-rhel9
CVE-2025-55198 requires 3.18.5+
CVE-2025-55199 requires 3.18.5+
CVE-2025-32386 requires 3.17.3+
CVE-2025-32387 requires 3.17.3+
CVE-2025-53547 requires 3.17.4+ or 3.18.4+
We likely aren't actually vulnerable to these, because they require specially crafted files, and we do not accept user input for those files. But we should look into updating anyway, to silence the scanners.
github.com/grpc/grpc-go
Affects: acm-governance-policy-addon-controller-rhel9
GHSA-xr7q-jx4m-x55m requires 1.64.1+
github.com/kubernetes/kubernetes and k8s.io/client-go
Affects: governance-policy-propagator-rhel9
CVE-2020-8565 requires client-go 0.20.0+ and kubernetes 1.20.0+
CVE-2019-11250 requires client-go 0.17.0+ and kubernetes 1.16.0+
These are likely being flagged because the propagator is using k8s.io/client-go v0.0.0-20240815135022-d63a65fbe7d4, an odd intermediate pseudo-version with a specific change we needed for a feature. A pseudo-version's v0.0.0 base sorts below any tagged release, so scanners treat it as older than the fixed versions. We may be able to update the dependency to a more usual version.
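As an added example (not code from this issue or from any of the affected components), here is a small Go checker that reads `go list -m all` output and compares each module's resolved version against the minimums listed in the golang.org/x/net, helm.sh/helm/v3, grpc-go and client-go sections above, including the "3.17.4+ or 3.18.4+" two-branch case for helm. It assumes google.golang.org/grpc is the module path behind the scanner's github.com/grpc/grpc-go entry, and the module list it runs on is constructed sample output, not a real build. It also shows why the client-go pseudo-version is flagged: its v0.0.0 base sorts below the fixed releases.

```go
package main

import (
	"fmt"
	"strings"
)

// Requirements holds the minimum fixed versions from this issue, keyed by Go module path.
// Two space-separated versions mean two fixed release lines ("3.17.4+ or 3.18.4+").
var Requirements = map[string]map[string]string{
	"golang.org/x/net": {"CVE-2025-22870": "v0.36.0", "CVE-2025-22872": "v0.38.0"},
	"helm.sh/helm/v3": {
		"CVE-2025-55198": "v3.18.5", "CVE-2025-55199": "v3.18.5",
		"CVE-2025-32386": "v3.17.3", "CVE-2025-32387": "v3.17.3",
		"CVE-2025-53547": "v3.17.4 v3.18.4",
	},
	"google.golang.org/grpc": {"GHSA-xr7q-jx4m-x55m": "v1.64.1"}, // assumed path for grpc-go
	"k8s.io/client-go":       {"CVE-2020-8565": "v0.20.0", "CVE-2019-11250": "v0.17.0"},
}

// parseVersion turns "v0.38.0", "v1.2.3+incompatible" or a pseudo-version such as
// "v0.0.0-20240815135022-d63a65fbe7d4" into a sortable key: major, minor, patch, then
// 1 for a tagged release or 0 for a pre-release/pseudo-version (sorted below the release).
func parseVersion(v string) (key [4]int, ok bool) {
	core, _, isPre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	core = strings.TrimSuffix(core, "+incompatible")
	if !isPre {
		key[3] = 1
	}
	if n, err := fmt.Sscanf(core, "%d.%d.%d", &key[0], &key[1], &key[2]); n != 3 || err != nil {
		return [4]int{}, false // unparseable input sorts below everything, so it stays flagged
	}
	return key, true
}

// CompareVersions orders two module versions: -1, 0 or +1.
func CompareVersions(a, b string) int {
	ka, _ := parseVersion(a)
	kb, _ := parseVersion(b)
	for i := range ka {
		switch {
		case ka[i] < kb[i]:
			return -1
		case ka[i] > kb[i]:
			return 1
		}
	}
	return 0
}

// IsFixed reports whether version is at or above a fix on its own major.minor line, or at
// or above the newest fix listed (later release lines are assumed to carry every fix).
func IsFixed(version, fixedIn string) bool {
	vk, _ := parseVersion(version)
	newest := ""
	for _, f := range strings.Fields(fixedIn) {
		if fk, _ := parseVersion(f); fk[0] == vk[0] && fk[1] == vk[1] && CompareVersions(version, f) >= 0 {
			return true
		}
		if CompareVersions(f, newest) > 0 {
			newest = f
		}
	}
	return CompareVersions(version, newest) >= 0
}

// ParseModuleList reads `go list -m all` output into path -> resolved version.
func ParseModuleList(out string) map[string]string {
	mods := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) == 5 && f[2] == "=>" { // "path old => path new": the replacement is what gets built
			f = []string{f[0], f[4]}
		}
		if len(f) == 2 && strings.HasPrefix(f[1], "v") { // skips the main module and directory replaces
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// CheckModules returns, per module present in the build, the advisory IDs whose fix the
// resolved version does not carry. Modules absent from the build are not reported.
func CheckModules(mods map[string]string, reqs map[string]map[string]string) map[string][]string {
	findings := map[string][]string{}
	for path, advisories := range reqs {
		for id, fixedIn := range advisories {
			if v, present := mods[path]; present && !IsFixed(v, fixedIn) {
				findings[path] = append(findings[path], id)
			}
		}
	}
	return findings
}

// SampleGoList is constructed `go list -m all` output, not taken from a real ACM build.
const SampleGoList = `example.com/constructed-main-module
golang.org/x/net v0.37.0
helm.sh/helm/v3 v3.18.4
google.golang.org/grpc v1.65.0
k8s.io/client-go v0.0.0-20240815135022-d63a65fbe7d4
k8s.io/api v0.31.0 => k8s.io/api v0.31.1`
```

On the sample above, `CheckModules(ParseModuleList(SampleGoList), Requirements)` flags x/net for CVE-2025-22872 only (0.37.0 is past 0.36.0 but short of 0.38.0), helm for the two 3.18.5 CVEs (3.18.4 already carries the 3.18.4 branch fix for CVE-2025-53547), nothing for grpc, and client-go for both CVEs because the pseudo-version compares below 0.17.0 and 0.20.0. The `IsFixed` rule deliberately treats a version like v3.18.0 as still vulnerable to a "3.17.4+ or 3.18.4+" advisory, which is the case a plain "greater than the lowest fix" check gets wrong.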