I wanted to verify is the small matter of the fact that the images in errata are for 4 cases different from those in Quay

specifically: server, java11, kube, and openshift images were respun by Freshmaker but NOT also pushed to Quay

codeready-workspaces-server-rhel8-container-2.2-13.1593144446
codeready-workspaces-plugin-java11-rhel8-container-2.2-9.1593143007
codeready-workspaces-plugin-kubernetes-rhel8-container-2.2-11.1593143021
codeready-workspaces-plugin-openshift-rhel8-container-2.2-7.1593143018
codeready-workspaces-stacks-dotnet-rhel8-container-2.2-2.1593124851 (already in Quay)

My concern is that we might have invalid metadata in the operator-metadata image in osbs and in RHCC stage.

And it looks like we do. latest in both registry-proxy.engineering.redhat.com/rh-osbs/codeready-workspaces-operator-metadata:2.2-49 (and 2.2-50) and quay.io/crw/crw-2-rhel8-operator-metadata:2.2-49 (and 2.2-50) all point at the un-cve-fixed images, eg.,

checking the digest to tag mapping for plugin-java-11... it's the same as

$➔ skopeo inspect docker:// quay.io/crw/plugin-java11-rhel8:2.2-9 | jq -r '.Digest'
sha256:8b6a89e4c7bb16d764767fc494a28735b0b9c05b50277e7f46fc55e0bcda8258

but:

$➔ skopeo inspect docker:// registry-proxy.engineering.redhat.com/rh-osbs/codeready-workspaces-plugin-java11-rhel8:2.2-9.1593143007 | jq -r '.Digest'
sha256:00f5031b5b1adab0ba29a5b993773f15fb2b7dbef25d62d326e99cb4c7d12f20

So the operator metadata refers to images that are no longer in the errata because Freshmaker replaced them.