RHEL-72812: Does not include extended Clair-compatible metadata


    • No
    • Important
    • 6
    • rhel-image-mode
    • None
    • None
    • None

      Our base image includes the rpm database (of course), but not any additional metadata. In particular we don't build the image via dnf today, so the dnf database is not included.

      Historically the pre-Konflux build system gathered and injected some ad hoc metadata in /root/buildinfo that includes things like repository identifiers that are important for determining CVE state.

      This issue is basically:

      • Clair should be able to report vulnerabilities in our image
      • We should aim to ensure UBI is fixed, and also match that

      This issue also relates to us having a custom rpm-ostree task and not the buildah task.

      Current plan: Land https://issues.redhat.com/browse/BIFROST-408 and hope that we get the new /root/buildinfo metadata

      Then decide whether we live with that (ugh) or add a patch to Konflux to write it to /usr/share instead, and use that.
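As an added illustration (not code from this issue, Clair, Konflux or bootc), the Python script below audits an unpacked image rootfs for the two things the description says a scanner needs: an rpm database so packages can be listed, and repository identifiers so the scanner can decide which advisories apply. The rpmdb locations, the dnf history path, and the layout of /root/buildinfo as JSON manifests with a "content_sets" list are assumptions, and the sample rootfs it builds is constructed, not a real image.

```python
"""Audit an unpacked container rootfs for the metadata a Clair-style RHEL
scan depends on: an rpm database plus repository identifiers.

Added illustration for the issue above, not code from the issue, Clair,
Konflux or bootc. All paths below are assumptions about where the data
usually lives, and the sample rootfs is constructed, not a real image.
"""
import json
import tempfile
from pathlib import Path

# Assumed rpmdb locations: classic dnf/rpm layout, the newer sysimage
# location, and the rpm-ostree/bootc location (/var/lib/rpm is often a
# symlink to the latter; is_dir() follows it).
RPMDB_DIRS = ("var/lib/rpm", "usr/lib/sysimage/rpm", "usr/share/rpm")
# Assumed dnf history database; absent when the image was not built via dnf.
DNF_HISTORY_DB = "var/lib/dnf/history.sqlite"
# Assumed layout of the legacy build metadata: JSON files carrying a
# "content_sets" list (the repository identifiers the description refers to).
BUILDINFO_MANIFEST_DIR = "root/buildinfo/content_manifests"


def audit_rootfs(root):
    """Return what the scanner would and would not find under `root`."""
    root = Path(root)
    rpmdb = next((d for d in RPMDB_DIRS if (root / d).is_dir()), None)
    content_sets = set()
    manifest_dir = root / BUILDINFO_MANIFEST_DIR
    if manifest_dir.is_dir():
        for manifest in sorted(manifest_dir.glob("*.json")):
            try:
                data = json.loads(manifest.read_text())
            except ValueError:
                continue  # a malformed manifest is skipped, not fatal
            sets = data.get("content_sets", []) if isinstance(data, dict) else []
            content_sets.update(s for s in sets if isinstance(s, str))
    return {
        "rpmdb": rpmdb,  # None means no package list at all
        "dnf_history_db": (root / DNF_HISTORY_DB).is_file(),
        "content_sets": sorted(content_sets),
        # Packages can be listed AND repository identifiers are present to
        # decide which advisories apply: the state this issue asks for.
        "clair_ready": rpmdb is not None and bool(content_sets),
    }


def build_sample_rootfs(base, with_buildinfo):
    """Construct a toy rootfs (constructed sample data, not a real image)."""
    root = Path(base)
    (root / "usr/share/rpm").mkdir(parents=True)
    (root / "usr/share/rpm/rpmdb.sqlite").write_bytes(b"")  # placeholder only
    if with_buildinfo:
        mdir = root / BUILDINFO_MANIFEST_DIR
        mdir.mkdir(parents=True)
        (mdir / "sample-1.0-1.json").write_text(json.dumps({
            "content_sets": [
                "rhel-9-for-x86_64-baseos-rpms",  # example identifiers
                "rhel-9-for-x86_64-appstream-rpms",
            ],
        }))
    return root


def demo():
    """Compare an image carrying /root/buildinfo with one that has only the rpmdb."""
    with tempfile.TemporaryDirectory() as tmp:
        with_info = build_sample_rootfs(Path(tmp) / "with-buildinfo", True)
        rpmdb_only = build_sample_rootfs(Path(tmp) / "rpmdb-only", False)
        return {
            "with_buildinfo": audit_rootfs(with_info),
            "rpmdb_only": audit_rootfs(rpmdb_only),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, json.dumps(result, indent=2))
```

Run it against a real rootfs with `audit_rootfs("/path/to/unpacked/image")`; an image built the way the description outlines reports an rpmdb but an empty content set list, which is exactly the gap the issue is about. The check only tells you whether identifiers are present; whether the scanner reads them from /root/buildinfo or from a relocated path under /usr/share is the decision the issue leaves open, so extend RPMDB_DIRS or BUILDINFO_MANIFEST_DIR accordingly once that is settled.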

              Gursewak Mangat (gurssing@redhat.com)
              Colin Walters (walters@redhat.com)
              Colin Walters
              Wei Shi
              Gabriela Necasova
              Votes: 0
              Watchers: 6
