projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

Include RPM metadata in images built from UBI #8051

Closed wedaly closed 11 months ago

wedaly commented 1 year ago

Expected Behavior

Some security scanners like trivy rely on deb/rpm package metadata. Images built from registry.access.redhat.com/ubi8/ubi-minimal should copy the RPM package metadata so security scanners report accurate results.

Current Behavior

The Calico images do not copy RPM metadata from the base image, so some security scanners do not accurately report CVEs.

Possible Solution

This is how distroless-iptables copies the deb pkg metadata: https://github.com/kubernetes/release/blob/dbe1d9b0f7828726d69faacb2da4a832b66803c4/images/build/distroless-iptables/distroless/package-utils.sh#L45-L54

Suggest that Calico does something similar for RPM packages.

Steps to Reproduce (for bugs)

docker run aquasec/trivy image registry.access.redhat.com/ubi8/ubi-minimal:8.7
docker run aquasec/trivy image calico/typha:v3.24.6

The second command should report the vulnerabilities from the base image, but it currently doesn't.

Context

AKS has gotten reports from customers about CVEs in Calico images that do not appear in trivy results.

I believe the same issue occurs for the tigera/operator image.

Your Environment
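The issue above asks for the RPM package metadata to be carried into the final image so that scanners such as trivy can match installed packages against advisories. The following POSIX shell script is an added example and is not Calico's own build code nor the distroless-iptables script linked above; it assumes an extracted base-image root filesystem (SRC_ROOT) and a target root filesystem (DST_ROOT), and it copies the standard rpmdb directory (/var/lib/rpm) together with the OS release files, then offers a check that a built root actually carries that metadata.

```shell
#!/bin/sh
# Added example (not Calico's build code): carry RPM package metadata from a
# UBI-based root filesystem into a target root filesystem so that scanners
# such as trivy can see which RPMs are installed. SRC_ROOT and DST_ROOT are
# assumed to be extracted filesystems (for instance a build stage's "/" and a
# staging directory that a later COPY --from picks up).

# copy_rpm_metadata SRC_ROOT DST_ROOT
# Copies /var/lib/rpm (the rpmdb: "Packages" on UBI 8, "rpmdb.sqlite" on
# newer releases) plus /etc/os-release and /etc/redhat-release.
copy_rpm_metadata() {
    src="$1"
    dst="$2"

    if [ ! -d "$src/var/lib/rpm" ]; then
        echo "copy_rpm_metadata: no rpmdb under $src/var/lib/rpm" >&2
        return 1
    fi
    mkdir -p "$dst/var/lib" "$dst/etc"
    # -R -p is the POSIX spelling of "cp -a": recurse and keep modes/times.
    cp -R -p "$src/var/lib/rpm" "$dst/var/lib/rpm"

    # Scanners pair the rpmdb with the OS release to select the advisory feed,
    # so the release files must travel with the database.
    for f in os-release redhat-release; do
        if [ -f "$src/etc/$f" ]; then
            cp -p "$src/etc/$f" "$dst/etc/$f"
        fi
    done
    return 0
}

# rpm_metadata_present ROOT
# Returns 0 when ROOT holds an rpmdb file and an os-release file, which is the
# minimum a scanner needs; use it as a pre-publish check on the image root.
rpm_metadata_present() {
    root="$1"
    { [ -f "$root/var/lib/rpm/Packages" ] || [ -f "$root/var/lib/rpm/rpmdb.sqlite" ]; } \
        && [ -f "$root/etc/os-release" ]
}

# demo: builds a constructed (fake) base root in a temp dir and runs the
# copy and the check against it, so the script can be tried without an image.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/base/var/lib/rpm" "$t/base/etc" "$t/image"
    printf 'constructed-rpmdb-placeholder' > "$t/base/var/lib/rpm/Packages"
    printf 'ID="rhel"\nVERSION_ID="8.7"\n' > "$t/base/etc/os-release"
    if rpm_metadata_present "$t/image"; then
        echo "unexpected: metadata already present in empty image root"
    else
        echo "before copy: image root has no RPM metadata (scanner would see nothing)"
    fi
    copy_rpm_metadata "$t/base" "$t/image"
    if rpm_metadata_present "$t/image"; then
        echo "after copy: image root carries rpmdb and os-release"
    fi
    rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh copy-rpm-metadata.sh demo` to see the check fail on an empty root and succeed after the copy. Copying the whole rpmdb is accurate for an image built FROM ubi-minimal, because every file the database describes is present; for a distroless-style image that copies only selected binaries, the metadata has to be trimmed to the packages actually shipped (the approach the linked distroless-iptables script takes for dpkg), otherwise the scanner reports CVEs for packages that are not in the image.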

wedaly commented 1 year ago

related: https://github.com/projectcalico/calico/issues/8050

Behnam-Shobiri commented 1 year ago

@wedaly Thanks for reporting this. I noticed that the Calico version is old (3.24); as mentioned in https://github.com/projectcalico/calico/issues/8050#issuecomment-1745350468, both the latest patches of 3.25 and 3.26 are using UBI 8.8. We strongly encourage everyone to use the latest release to get the security updates.

wedaly commented 11 months ago

Closing based on https://github.com/projectcalico/calico/pull/8119#issuecomment-1811283105