Description

Adds a new RPC, GetRepositoryToCPEMapping, to the Indexer service that returns the Red Hat repository-to-CPE mapping used for RHEL package vulnerability matching. The matcher's ScanSBOM API will need this mapping to enrich RHEL packages with CPE information during SBOM vulnerability scanning.

The Indexer acts as a stateless proxy to the repository-to-CPE mapping file from Central, while the matcher caches the data locally with periodic background refresh. The GetRepositoryToCPEMapping supports conditional fetch via If-Modified-Since to minimize data transfer on refresh.

Alternatives

• Individual repository-to-cpe lookup: Frankly, this would be my long-term solution if we weren't planning on moving toward other indexing improvements (i.e., "slim index reports"), which is really my preferred solution here. This is a valid option, and we could prove whether it's better than sending the entire mapping over with performance testing, but the current changes seemed easier to implement at the time. We can revisit this during the Tech Preview implementation.
• repository-to-cpe mapping in Matcher: We'd need to have the same repository-to-cpe related configurations in the Matcher, which requires deployment configuration changes. Given that this is meant to be a somewhat temporary solution, I didn't see the benefit in that effort.
• SBOM parsing in the Indexer: Some of the SBOMs are already too large to send over the wire as-is. Sending that data between the Indexer and Matcher seemed like too much. The repository-to-cpe data is much smaller.
• Eager initialization in the Matcher: The updater could fetch the mapping on startup, but lazy initialization avoids unnecessary work for matchers that never use the repo-to-CPE data. Especially relevant, since not all (read: most) users won't use this feature initially, and I expect the implementation to change substantially over time.

PR stack:

• master
  • ROX-30569: Add SBOM Scanning REST API to Central #18484
    • 👉 ROX-32846: Add repository-to-CPE mapping API to indexer #18705
      • ROX-30570: Add ScanSBOM API to Scanner V4 #18716

User-facing documentation

• CHANGELOG.md is updated OR update is not needed
• documentation PR is created and is linked above OR is not needed

Testing and quality

• the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
• CI results are inspected

Automated testing

• added unit tests
• added e2e tests
• added regression tests
• added compatibility tests
• modified existing tests

How I validated my change

1. Deploy stackrox
2. Optionally set the ROX_SBOM_SCANNING feature flag:

   ❯ kubectl set env deploy/scanner-v4-indexer ROX_SBOM_SCANNING=true
   

3. Port forward Indexer

   ❯ kubectl port-forward svc/scanner-v4-indexer 8443
   

4. Hit the endpoint

   ❯ grpcurl -insecure \
       -import-path proto \
       -proto internalapi/scanner/v4/indexer_service.proto \
       localhost:8443 scanner.v4.Indexer/GetRepositoryToCPEMapping | head
   {
     "modified": true,
     "lastModified": "Mon, 13 Apr 2026 00:45:11 GMT",
     "mapping": {
       "3scale-amp-2-for-rhel-8-ppc64le-debug-rpms": {
         "cpes": [
           "cpe:/a:redhat:3scale:2.13::el8",
           "cpe:/a:redhat:3scale:2.14::el8",
           "cpe:/a:redhat:3scale:2.15::el8",
           "cpe:/a:redhat:3scale:2.16::el8",