Merge pull request #1684 from snyk/CN-1326-bump-skopeo-grpc

parker-snyk · web-flow · commit 4b179072a46a · 2026-05-20T09:57:06.000-04:00
fix(deps): bump skopeo 1.22.0 → 1.22.2 in UBI9 image to resolve gRPC CVE
diff --git a/.snyk b/.snyk
@@ -2,14 +2,6 @@
 version: v1.25.1
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-GOLANG-GOOGLEGOLANGORGGRPC-15691172:
-    - '*':
-        reason: >-
-          Container scan: skopeo binary embeds google.golang.org/grpc until
-          distro package provides fix (>= 1.79.3). Not network-exposed as a
-          gRPC server in this image. Re-check when skopeo/apk updates.
-        expires: 2026-07-21T12:00:00.000Z
-        created: 2026-03-24T12:00:00.000Z
   SNYK-RHEL9-GNUPG2-15127565:
     - '*':
         reason: >-
@@ -26,11 +18,6 @@ ignore:
           https://access.redhat.com/security/cve/CVE-2026-24882
         expires: 2026-11-14T12:00:00.000Z
         created: 2026-01-28T21:21:43.745Z
-  SNYK-RHEL9-VIMMINIMAL-15796062:
-    - '*':
-        reason: UBI 9 base image; no fix in Red Hat channels yet. Re-verify after dnf upgrade.
-        expires: 2026-05-07T12:00:00.000Z
-        created: 2026-03-30T12:00:00.000Z
   SNYK-RHEL9-VIMMINIMAL-15884750:
     - '*':
         reason: >-
@@ -39,41 +26,6 @@ ignore:
           https://access.redhat.com/security/cve/CVE-2026-34714
         expires: 2026-11-14T12:00:00.000Z
         created: 2026-04-07T12:00:00.000Z
-  SNYK-RHEL9-GLIBCMINIMALLANGPACK-15885179:
-    - '*':
-        reason: UBI 9 base image; no fix in Red Hat channels yet. Re-verify after dnf upgrade.
-        expires: 2026-04-23T12:00:00.000Z
-        created: 2026-04-07T12:00:00.000Z
-  SNYK-RHEL9-GLIBCCOMMON-15884768:
-    - '*':
-        reason: UBI 9 base image; no fix in Red Hat channels yet. Re-verify after dnf upgrade.
-        expires: 2026-04-23T12:00:00.000Z
-        created: 2026-04-07T12:00:00.000Z
-  SNYK-RHEL9-GLIBC-15884867:
-    - '*':
-        reason: UBI 9 base image; no fix in Red Hat channels yet. Re-verify after dnf upgrade.
-        expires: 2026-04-23T12:00:00.000Z
-        created: 2026-04-07T12:00:00.000Z
-  SNYK-RHEL9-LIBARCHIVE-15747822:
-    - '*':
-        reason: UBI 9 base image; no fix in Red Hat channels yet. Re-verify after dnf upgrade.
-        expires: 2026-04-23T12:00:00.000Z
-        created: 2026-03-24T12:00:00.000Z
-  SNYK-RHEL9-LIBNGHTTP2-15748803:
-    - '*':
-        reason: UBI 9 base image; no fix in Red Hat channels yet. Re-verify after dnf upgrade.
-        expires: 2026-04-23T12:00:00.000Z
-        created: 2026-03-24T12:00:00.000Z
-  SNYK-RHEL9-PYTHON3-15760267:
-    - '*':
-        reason: UBI 9 base image; no fix in Red Hat channels yet. Re-verify after dnf upgrade.
-        expires: 2026-04-23T12:00:00.000Z
-        created: 2026-03-24T12:00:00.000Z
-  SNYK-RHEL9-PYTHON3LIBS-15760285:
-    - '*':
-        reason: UBI 9 base image; no fix in Red Hat channels yet. Re-verify after dnf upgrade.
-        expires: 2026-04-23T12:00:00.000Z
-        created: 2026-03-24T12:00:00.000Z
   SNYK-RHEL9-PYTHON3PIPWHEEL-14916305:
     - '*':
         reason: >-
@@ -117,40 +69,4 @@ ignore:
           https://access.redhat.com/security/cve/CVE-2026-24842
         expires: 2026-11-14T12:00:00.000Z
         created: 2026-01-29T16:33:39.950Z
-  SNYK-JS-TAR-15307072:
-    - '*':
-        reason: >-
-          Global npm in image bundles tar via cacache; no patched path until
-          npm/apk update. Re-verify on image refresh.
-        expires: 2026-04-23T12:00:00.000Z
-        created: 2026-03-24T12:00:00.000Z
-  SNYK-JS-TAR-15416075:
-    - '*':
-        reason: >-
-          Global npm in image bundles tar via cacache; no patched path until
-          npm/apk update. Re-verify on image refresh.
-        expires: 2026-04-23T12:00:00.000Z
-        created: 2026-03-24T12:00:00.000Z
-  SNYK-JS-TAR-15456201:
-    - '*':
-        reason: >-
-          Global npm in image bundles tar via cacache; no patched path until
-          npm/apk update. Re-verify on image refresh.
-        expires: 2026-04-23T12:00:00.000Z
-        created: 2026-03-24T12:00:00.000Z
-  SNYK-JS-INFLIGHT-6095116:
-    - '*':
-        reason: "No non-major fix available as of 2026-05-19; revisit in 7 days"
-        expires: '2026-05-26T00:00:00.000Z'
-        created: '2026-05-19T00:00:00.000Z'
-  SNYK-JS-REQUEST-3361831:
-    - '*':
-        reason: "No fix available as of 2026-05-19; request package is deprecated and unmaintained; revisit in 7 days"
-        expires: '2026-05-26T00:00:00.000Z'
-        created: '2026-05-19T00:00:00.000Z'
-  SNYK-JS-UUID-16133035:
-    - '*':
-        reason: "No non-major fix available as of 2026-05-19; fixedIn versions 11.1.1 and 14.0.0 are major bumps from v3; revisit in 7 days"
-        expires: '2026-05-26T00:00:00.000Z'
-        created: '2026-05-19T00:00:00.000Z'
 patch: {}
diff --git a/Dockerfile.ubi9 b/Dockerfile.ubi9
@@ -52,8 +52,8 @@ ARG NODE_LATEST_VERSION_TAR_GZ_FILE_SHASUM256
 ARG DUMB_INIT_VERSION=1.2.5
 ARG DUMB_INIT_BINARY_FILE_SHASUM256=e874b55f3279ca41415d290c512a7ba9d08f98041b28ae7c2acb19a545f1c4df
 # https://github.com/lework/skopeo-binary/releases
-ARG SKOPEO_VERSION=1.22.0
-ARG SKOPEO_BINARY_FILE_SHASUM256=397708bef1afa0defdc041bb0d3684570d97135076370257438c871600c1c587
+ARG SKOPEO_VERSION=1.22.2
+ARG SKOPEO_BINARY_FILE_SHASUM256=e8036120a1866bf5daad6ae0dce74907a513ff55b21fc0a52ba0ce7d650cc485
 
 LABEL name="Snyk Controller" \
     maintainer="support@snyk.io" \
