stackrox · charmik-redhat · Mar 13, 2026 · Mar 13, 2026
diff --git a/central/cve/fetcher/manager_impl_postgres_test.go b/central/cve/fetcher/manager_impl_postgres_test.go
@@ -17,6 +17,7 @@ import (
 	"github.com/stackrox/rox/central/cve/converter/v2"
 	"github.com/stackrox/rox/central/cve/matcher"
 	mockImageDataStore "github.com/stackrox/rox/central/image/datastore/mocks"
+	mockImageV2DataStore "github.com/stackrox/rox/central/imagev2/datastore/mocks"
 	mockNSDataStore "github.com/stackrox/rox/central/namespace/datastore/mocks"
 	"github.com/stackrox/rox/generated/storage"
 	"github.com/stackrox/rox/pkg/cve"
@@ -133,9 +134,10 @@ func TestReconcileIstioCVEsInPostgres(t *testing.T) {
 	mockClusters := mockClusterDataStore.NewMockDataStore(ctrl)
 	mockNamespaces := mockNSDataStore.NewMockDataStore(ctrl)
 	mockImages := mockImageDataStore.NewMockDataStore(ctrl)
+	mockImagesV2 := mockImageV2DataStore.NewMockDataStore(ctrl)
 	mockCVEs := mockCVEDataStore.NewMockDataStore(ctrl)
 
-	cveMatcher, err := matcher.NewCVEMatcher(mockClusters, mockNamespaces, mockImages)
+	cveMatcher, err := matcher.NewCVEMatcher(mockClusters, mockNamespaces, mockImages, mockImagesV2)
 	require.NoError(t, err)
 
 	cveManager := &orchestratorIstioCVEManagerImpl{
@@ -404,9 +406,10 @@ func TestReconcileCVEsInPostgres(t *testing.T) {
 	mockClusters := mockClusterDataStore.NewMockDataStore(ctrl)
 	mockNamespaces := mockNSDataStore.NewMockDataStore(ctrl)
 	mockImages := mockImageDataStore.NewMockDataStore(ctrl)
+	mockImagesV2 := mockImageV2DataStore.NewMockDataStore(ctrl)
 	mockCVEs := mockCVEDataStore.NewMockDataStore(ctrl)
 
-	cveMatcher, err := matcher.NewCVEMatcher(mockClusters, mockNamespaces, mockImages)
+	cveMatcher, err := matcher.NewCVEMatcher(mockClusters, mockNamespaces, mockImages, mockImagesV2)
 	require.NoError(t, err)
 
 	cveManager := &orchestratorIstioCVEManagerImpl{
@@ -436,6 +439,7 @@ type TestClusterCVEOpsInPostgresTestSuite struct {
 	clusterCVEDatastore clusterCVEDataStore.DataStore
 	mockNamespaces      *mockNSDataStore.MockDataStore
 	mockImages          *mockImageDataStore.MockDataStore
+	mockImagesV2        *mockImageV2DataStore.MockDataStore
 	cveManager          *orchestratorCVEManager
 }
 
@@ -447,6 +451,7 @@ func (s *TestClusterCVEOpsInPostgresTestSuite) SetupSuite() {
 	// Create cluster datastore
 	s.mockNamespaces = mockNSDataStore.NewMockDataStore(s.mockCtrl)
 	s.mockImages = mockImageDataStore.NewMockDataStore(s.mockCtrl)
+	s.mockImagesV2 = mockImageV2DataStore.NewMockDataStore(s.mockCtrl)
 
 	// Create cluster cve datastore
 	clusterCVEDatastore, err := clusterCVEDataStore.GetTestPostgresDataStore(s.T(), s.testPostgres.DB)
@@ -458,7 +463,7 @@ func (s *TestClusterCVEOpsInPostgresTestSuite) SetupSuite() {
 	s.clusterDataStore = clusterDataStore
 
 	// Create cve manager
-	cveMatcher, err := matcher.NewCVEMatcher(clusterDataStore, s.mockNamespaces, s.mockImages)
+	cveMatcher, err := matcher.NewCVEMatcher(clusterDataStore, s.mockNamespaces, s.mockImages, s.mockImagesV2)
 	s.NoError(err)
 
 	s.cveManager = &orchestratorCVEManager{

diff --git a/central/cve/matcher/matcher.go b/central/cve/matcher/matcher.go
@@ -12,9 +12,11 @@ import (
 	clusterDataStore "github.com/stackrox/rox/central/cluster/datastore"
 	"github.com/stackrox/rox/central/cve/converter/utils"
 	imageDataStore "github.com/stackrox/rox/central/image/datastore"
+	imageV2DataStore "github.com/stackrox/rox/central/imagev2/datastore"
 	nsDataStore "github.com/stackrox/rox/central/namespace/datastore"
 	"github.com/stackrox/rox/generated/storage"
 	"github.com/stackrox/rox/pkg/errorhelpers"
+	"github.com/stackrox/rox/pkg/features"
 	"github.com/stackrox/rox/pkg/logging"
 	"github.com/stackrox/rox/pkg/search"
 	"github.com/stackrox/rox/pkg/set"
@@ -33,14 +35,16 @@ type CVEMatcher struct {
 	clusters   clusterDataStore.DataStore
 	namespaces nsDataStore.DataStore
 	images     imageDataStore.DataStore
+	imagesV2   imageV2DataStore.DataStore
 }
 
 // NewCVEMatcher returns new instance of CVEMatcher
-func NewCVEMatcher(clusters clusterDataStore.DataStore, namespaces nsDataStore.DataStore, images imageDataStore.DataStore) (*CVEMatcher, error) {
+func NewCVEMatcher(clusters clusterDataStore.DataStore, namespaces nsDataStore.DataStore, images imageDataStore.DataStore, imagesV2 imageV2DataStore.DataStore) (*CVEMatcher, error) {
 	return &CVEMatcher{
 		clusters:   clusters,
 		namespaces: namespaces,
 		images:     images,
+		imagesV2:   imagesV2,
 	}, nil
 }
 
@@ -183,12 +187,22 @@ func (m *CVEMatcher) getAllIstioComponentsVersionsInCluster(ctx context.Context,
 		AddExactMatches(search.ImageRegistry, "docker.io").
 		AddStrings(search.ImageRemote, "istio").
 		ProtoQuery()
-	images, err := m.images.SearchRawImages(ctx, q)
-	if err != nil {
-		return set, err
-	}
-	for _, image := range images {
-		set.Add(image.GetName().GetTag())
+	if features.FlattenImageData.Enabled() {
+		images, err := m.imagesV2.SearchRawImages(ctx, q)
+		if err != nil {
+			return set, err
+		}
+		for _, image := range images {
+			set.Add(image.GetName().GetTag())
+		}
+	} else {
+		images, err := m.images.SearchRawImages(ctx, q)
+		if err != nil {
+			return set, err
+		}
+		for _, image := range images {
+			set.Add(image.GetName().GetTag())
+		}
 	}
 	return set, nil
 }

diff --git a/central/cve/matcher/matcher_test.go b/central/cve/matcher/matcher_test.go
@@ -7,8 +7,10 @@ import (
 	"github.com/facebookincubator/nvdtools/cvefeed/nvd/schema"
 	mockClusterDataStore "github.com/stackrox/rox/central/cluster/datastore/mocks"
 	mockImagesDataStore "github.com/stackrox/rox/central/image/datastore/mocks"
+	mockImageV2DataStore "github.com/stackrox/rox/central/imagev2/datastore/mocks"
 	mockNamespaceDataStore "github.com/stackrox/rox/central/namespace/datastore/mocks"
 	"github.com/stackrox/rox/generated/storage"
+	"github.com/stackrox/rox/pkg/features"
 	"github.com/stackrox/rox/pkg/sac"
 	"github.com/stackrox/rox/pkg/sac/resources"
 	"github.com/stackrox/rox/pkg/search"
@@ -30,6 +32,7 @@ type cveMatcherTestSuite struct {
 	clusters   *mockClusterDataStore.MockDataStore
 	namespaces *mockNamespaceDataStore.MockDataStore
 	images     *mockImagesDataStore.MockDataStore
+	imagesV2   *mockImageV2DataStore.MockDataStore
 
 	mockCtrl *gomock.Controller
 }
@@ -48,9 +51,10 @@ func (s *cveMatcherTestSuite) SetupTest() {
 	s.clusters = mockClusterDataStore.NewMockDataStore(s.mockCtrl)
 	s.namespaces = mockNamespaceDataStore.NewMockDataStore(s.mockCtrl)
 	s.images = mockImagesDataStore.NewMockDataStore(s.mockCtrl)
+	s.imagesV2 = mockImageV2DataStore.NewMockDataStore(s.mockCtrl)
 
 	var err error
-	s.cveMatcher, err = NewCVEMatcher(s.clusters, s.namespaces, s.images)
+	s.cveMatcher, err = NewCVEMatcher(s.clusters, s.namespaces, s.images, s.imagesV2)
 	s.Require().NoError(err)
 }
 
@@ -746,7 +750,17 @@ func (s *cveMatcherTestSuite) TestIstioCVEImpactsCluster() {
 
 	s.clusters.EXPECT().GetClusters(gomock.Any()).Return(clusters, nil).AnyTimes()
 	s.namespaces.EXPECT().Search(gomock.Any(), gomock.Any()).Return(namespaces, nil).AnyTimes()
-	s.images.EXPECT().SearchRawImages(gomock.Any(), gomock.Any()).Return(images, nil).AnyTimes()
+
+	// Matcher uses images or imagesV2 depending on FlattenImageData.
+	imagesV2 := make([]*storage.ImageV2, len(images))
+	for i, img := range images {
+		imagesV2[i] = &storage.ImageV2{Id: img.GetId(), Name: img.GetName()}
+	}
+	if features.FlattenImageData.Enabled() {
+		s.imagesV2.EXPECT().SearchRawImages(gomock.Any(), gomock.Any()).Return(imagesV2, nil).AnyTimes()
+	} else {
+		s.images.EXPECT().SearchRawImages(gomock.Any(), gomock.Any()).Return(images, nil).AnyTimes()
+	}
 
 	ok, err := s.cveMatcher.isIstioControlPlaneRunning(context.Background())
 	s.Nil(err)

diff --git a/central/cve/matcher/singleton.go b/central/cve/matcher/singleton.go
@@ -3,6 +3,7 @@ package matcher
 import (
 	clusterDataStore "github.com/stackrox/rox/central/cluster/datastore"
 	imageDataStore "github.com/stackrox/rox/central/image/datastore"
+	imageV2DataStore "github.com/stackrox/rox/central/imagev2/datastore"
 	nsDataStore "github.com/stackrox/rox/central/namespace/datastore"
 	"github.com/stackrox/rox/pkg/sync"
 	"github.com/stackrox/rox/pkg/utils"
@@ -15,7 +16,7 @@ var (
 
 func initialize() {
 	var err error
-	cveMatcher, err = NewCVEMatcher(clusterDataStore.Singleton(), nsDataStore.Singleton(), imageDataStore.Singleton())
+	cveMatcher, err = NewCVEMatcher(clusterDataStore.Singleton(), nsDataStore.Singleton(), imageDataStore.Singleton(), imageV2DataStore.Singleton())
 	utils.CrashOnError(err)
 }
 

diff --git a/central/graphql/resolvers/vulnerabilities_v1_test.go b/central/graphql/resolvers/vulnerabilities_v1_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/stackrox/rox/central/cve/converter/utils"
 	"github.com/stackrox/rox/central/cve/matcher"
 	imageMocks "github.com/stackrox/rox/central/image/datastore/mocks"
+	imageV2Mocks "github.com/stackrox/rox/central/imagev2/datastore/mocks"
 	nsMocks "github.com/stackrox/rox/central/namespace/datastore/mocks"
 	"github.com/stackrox/rox/generated/storage"
 	"github.com/stretchr/testify/assert"
@@ -71,7 +72,8 @@ func TestK8sCVEEnvImpact(t *testing.T) {
 	clusterDataStore := clusterMocks.NewMockDataStore(ctrl)
 	nsDataStore := nsMocks.NewMockDataStore(ctrl)
 	imageDataStore := imageMocks.NewMockDataStore(ctrl)
-	cveMatcher, err := matcher.NewCVEMatcher(clusterDataStore, nsDataStore, imageDataStore)
+	imageV2DataStore := imageV2Mocks.NewMockDataStore(ctrl)
+	cveMatcher, err := matcher.NewCVEMatcher(clusterDataStore, nsDataStore, imageDataStore, imageV2DataStore)
 	require.NoError(t, err)
 
 	clusterDataStore.EXPECT().GetClusters(gomock.Any()).Return(clusters, nil).AnyTimes()

@@ -13,6 +13,7 @@ import (
 	"github.com/stackrox/rox/central/vulnmgmt/vulnerabilityrequest/utils"
 	v1 "github.com/stackrox/rox/generated/api/v1"
 	"github.com/stackrox/rox/generated/storage"
+	"github.com/stackrox/rox/pkg/features"
 	"github.com/stackrox/rox/pkg/sac"
 	"github.com/stackrox/rox/pkg/sac/resources"
 )
@@ -45,6 +46,9 @@ func (m *queryManagerImpl) ImageCount(ctx context.Context, requestID string, que
 	if err != nil {
 		return 0, err
 	}
+	if features.FlattenImageData.Enabled() {
+		return m.imageV2s.Count(ctx, query)
+	}
 	return m.images.Count(ctx, query)
 }
 

diff --git a/pkg/images/types/type.go b/pkg/images/types/type.go
@@ -63,6 +63,7 @@ func ConvertImageToListImage(i *storage.Image) *storage.ListImage {
 		Name:        i.GetName().GetFullName(),
 		Created:     i.GetMetadata().GetV1().GetCreated(),
 		LastUpdated: i.GetLastUpdated(),
+		Priority:    i.GetPriority(),
 	}
 	if i.GetSetComponents() != nil {
 		listImage.SetComponents = &storage.ListImage_Components{

diff --git a/pkg/images/utils/convert_utils.go b/pkg/images/utils/convert_utils.go
@@ -42,6 +42,7 @@ func ConvertToV1(image *storage.ImageV2, names ...*storage.ImageName) *storage.I
 		},
 		Signature:                 image.GetSignature(),
 		SignatureVerificationData: image.GetSignatureVerificationData(),
+		BaseImageInfo:             image.GetBaseImageInfo(),
 	}
 }
 
@@ -87,6 +88,7 @@ func ConvertToV2(image *storage.Image) *storage.ImageV2 {
 		TopCvss:                   image.GetTopCvss(),
 		SignatureVerificationData: image.GetSignatureVerificationData(),
 		Signature:                 image.GetSignature(),
+		BaseImageInfo:             image.GetBaseImageInfo(),
 	}
 	FillScanStatsV2(ret)
 	return ret