From 7d46d3841dfcb922ec62b340a665ee4f0cf7a9dc Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Wed, 17 Dec 2025 13:51:28 -0700
Subject: [PATCH] security: handle false positive OSV vulns in UBI images (#11436) (#11441) (#11447)

Signed-off-by: Ryan Cragun
Co-authored-by: Ryan Cragun
---
 .release/security-scan.hcl | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index c80ea968d2..e9de3804b7 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -32,6 +32,17 @@ container {
 "CVE-2024-58251",
 "GO-2022-0635", // github.com/aws/aws-sdk-go@v1.x
 ]
+
+ // The OSV scanner will trip on several packages that are included in the
+ // the UBI images. This is due to RHEL using the same base version in the
+ // package name for the life of the distro regardless of whether or not
+ // that version has been patched for security. Rather than enumate ever
+ // single CVE that the OSV scanner will find (several tens) we'll ignore
+ // the base UBI packages.
+ paths = [
+ "usr/lib/sysimage/rpm/*",
+ "var/lib/rpm/*",
+ ]
 }
 }
 }
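Review bot: The new `paths` exclusion silences every OSV finding sourced from the RPM database, not only the RHEL backport false positives the comment describes, so a genuinely unpatched RPM in the UBI image (including any package added on top of the base) will no longer be reported by this scanner; the comment should state that trade-off and name the compensating control, e.g. `// NOTE: this hides all RPM-database findings, not just backport false positives; RPM CVEs are expected to be covered by <rhel-aware scanner or advisory feed — fill in>`. If the scan config can scope ignores per target, limiting this to the UBI image targets rather than the whole `container` block would be safer, but the enclosing `container { … }` block starts outside the hunk so I cannot confirm that from here. The comment also has two typos: `// UBI images. This is due to RHEL using the same base version in the` (drop the duplicated "the") and `// that version has been patched for security. Rather than enumerate every`.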