OpenShift Pipelines: SRVKP-9162

Fix CVEs which are failing EC.


    • Type: Story
    • Resolution: Done
    • Priority: Critical
    • Pipelines 1.20.1
    • p12n
    • Pipelines Sprint Pioneers 40

      There are EC failures while building the console plugin image, and the failures are due to CVE blockers. These need to be addressed.

      The blocking CVEs are CVE-2025-6020 and CVE-2025-8941.

      [Violation] cve.cve_blockers
        ImageRef: quay.io/redhat-user-workloads/tekton-ecosystem-tenant/1-20/console-plugin-rhel9@sha256:03c2d9367dad770152f23838e9f41e85fd97eec0a6b83139f46c3fe0074ccc3e
        Reason: Found "CVE-2025-6020" vulnerability of high security level
        Term: CVE-2025-6020
        Title: Blocking CVE check
        Description: The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain
        security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high
        security level cause a failure. This is configurable by the rule data key `restrict_cve_security_levels`. The available levels
        are critical, high, medium, low, and unknown. In addition to that leeway can be granted per severity using the `cve_leeway` rule
        data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current
        effective time, per severity level. To exclude this rule add "cve.cve_blockers:CVE-2025-6020" to the `exclude` section of the
        policy configuration.
        Solution: Make sure to address any CVE's related to the image.

      [Violation] cve.cve_blockers
        ImageRef: quay.io/redhat-user-workloads/tekton-ecosystem-tenant/1-20/console-plugin-rhel9@sha256:03c2d9367dad770152f23838e9f41e85fd97eec0a6b83139f46c3fe0074ccc3e
        Reason: Found "CVE-2025-8941" vulnerability of high security level
        Term: CVE-2025-8941
        Title: Blocking CVE check
        Description: The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain
        security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high
        security level cause a failure. This is configurable by the rule data key `restrict_cve_security_levels`. The available levels
        are critical, high, medium, low, and unknown. In addition to that leeway can be granted per severity using the `cve_leeway` rule
        data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current
        effective time, per severity level. To exclude this rule add "cve.cve_blockers:CVE-2025-8941" to the `exclude` section of the
        policy configuration.
        Solution: Make sure to address any CVE's related to the image.
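As an added illustration of the decision logic the violation text describes (this is a model written for this ticket, not EC's own rule code): a small Python implementation of cve.cve_blockers covering the default critical/high threshold, the `restrict_cve_security_levels` and `cve_leeway` rule data keys, and the `exclude` entry form. The Finding structure, the sample disclosure dates and the placeholder CVE id are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ("critical", "high", "medium", "low", "unknown")


@dataclass
class Finding:
    cve: str
    severity: str      # one of LEVELS, as recorded in the image's provenance scan
    disclosed: date    # public disclosure date of the CVE
    has_fix: bool      # the rule only considers CVEs with a known fix


def cve_blockers(findings, effective_time, rule_data=None, exclude=()):
    """Return [(cve, reason)] for findings that would fail cve.cve_blockers.

    rule_data keys modelled: restrict_cve_security_levels (default: critical and
    high) and cve_leeway (days per severity). exclude holds policy-config entries
    such as "cve.cve_blockers:CVE-2025-6020".
    """
    rule_data = rule_data or {}
    levels = set(rule_data.get("restrict_cve_security_levels", ["critical", "high"]))
    unknown = levels - set(LEVELS)
    if unknown:
        raise ValueError(f"unsupported severity level(s): {sorted(unknown)}")
    leeway = rule_data.get("cve_leeway", {})
    excluded = {e.split(":", 1)[1] for e in exclude if e.startswith("cve.cve_blockers:")}
    violations = []
    for f in findings:
        if not f.has_fix or f.severity not in levels or f.cve in excluded:
            continue
        # Leeway: tolerate the finding while no more than cve_leeway[severity]
        # days have passed between public disclosure and the effective time.
        age = effective_time - f.disclosed
        if f.severity in leeway and age <= timedelta(days=leeway[f.severity]):
            continue
        violations.append((f.cve, f'Found "{f.cve}" vulnerability of {f.severity} security level'))
    return violations


# Constructed sample: the two CVE ids from the ticket with made-up disclosure
# dates (not their real dates), plus a medium finding that is ignored by default.
SAMPLE = [
    Finding("CVE-2025-6020", "high", date(2025, 6, 1), True),
    Finding("CVE-2025-8941", "high", date(2025, 8, 1), True),
    Finding("CVE-0000-0001", "medium", date(2025, 7, 1), True),  # placeholder id
]
EFFECTIVE = date(2025, 9, 1)

if __name__ == "__main__":
    for cve, reason in cve_blockers(SAMPLE, EFFECTIVE):
        print(f"[Violation] cve.cve_blockers {cve}: {reason}")
```

With the sample data, the default policy flags both high CVEs; adding `cve_leeway: {high: 60}` tolerates the one disclosed 31 days before the effective time, and an `exclude` entry removes a single CVE from the check.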

              rh-ee-apalit Anwesha Palit
              rh-ee-pbheeman Pavan Mandayam Bheeman