Allow kernel command update in case of immutable os (#209)

Author: niket-intc

.github/workflows/pre-merge.yml

@@ -103,6 +103,7 @@ jobs:
       prefix_tag_separator: "/"
       project_folder: ${{ matrix.project_folder }}
       trivy_image_skip: "postgres:16.4"
+      trivy_config_path: '${{ matrix.project_folder }}/trivy.yaml'
     secrets:
       NO_AUTH_ECR_PUSH_USERNAME: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
       NO_AUTH_ECR_PUSH_PASSWD: ${{ secrets.NO_AUTH_ECR_PUSH_PASSWD }}

host/.trivyignore

@@ -92,3 +92,14 @@ CVE-2023-5981
 CVE-2024-2236
 CVE-2023-4039
 CVE-2023-4039
+
+CVE-2025-47912
+CVE-2025-58183
+CVE-2025-58185
+CVE-2025-58186
+CVE-2025-58187
+CVE-2025-58188
+CVE-2025-58189
+CVE-2025-61723
+CVE-2025-61724
+CVE-2025-61725

host/trivy.yaml

@@ -0,0 +1,5 @@
+---
+# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+ignorefile: host/.trivyignore

maintenance/.trivyignore

@@ -49,3 +49,14 @@ CVE-2024-2236
 CVE-2024-33600
 CVE-2024-33601
 CVE-2024-33602
+
+CVE-2025-47912
+CVE-2025-58183
+CVE-2025-58185
+CVE-2025-58186
+CVE-2025-58187
+CVE-2025-58188
+CVE-2025-58189
+CVE-2025-61723
+CVE-2025-61724
+CVE-2025-61725

maintenance/VERSION

@@ -1 +1 @@
-1.23.6-dev
+1.23.6

maintenance/pkg/maintmgr/grpc_server.go

@@ -182,6 +182,15 @@ func populateImmutableUpdateDetails(
 	policy *computev1.OSUpdatePolicyResource,
 	tenantID, profileName, guid string,
 ) error {
+	resp.UpdateSource.KernelCommand = policy.GetUpdateKernelCommand()
+
+	// If KernelCommand is set in the OSUpdatePolicy, skip fetching the OS resource
+	// as we will not update the OS in this case.
+	if resp.UpdateSource.KernelCommand != "" {
+		zlog.Debug().Msgf("Skipping OS resource fetch as KernelCommand is set in OSUpdatePolicy: tenantID=%s", tenantID)
+		return nil
+	}
+
 	osRes, err := getUpdateOS(ctx, invMgrCli.InvClient, tenantID, profileName, policy)
 	if err != nil {
 		zlog.InfraSec().InfraErr(err).Msgf("PlatformUpdateStatus: tenantID=%s, UUID=%s", tenantID, guid)

maintenance/trivy.yaml

@@ -0,0 +1,5 @@
+---
+# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+ignorefile: maintenance/.trivyignore

networking/.trivyignore

@@ -48,4 +48,15 @@ CVE-2023-5981
 CVE-2024-2236
 CVE-2024-33600
 CVE-2024-33601
-CVE-2024-33602
+CVE-2024-33602
+
+CVE-2025-47912
+CVE-2025-58183
+CVE-2025-58185
+CVE-2025-58186
+CVE-2025-58187
+CVE-2025-58188
+CVE-2025-58189
+CVE-2025-61723
+CVE-2025-61724
+CVE-2025-61725

networking/VERSION

@@ -1 +1 @@
-1.19.1-dev
+1.19.1

networking/trivy.yaml

@@ -0,0 +1,5 @@
+---
+# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+ignorefile: networking/.trivyignore