
Scout not respecting newer statements with package subcomponents in a VEX file #199

@jfrank-nih

Description

Per the VEX spec you are supposed to be able to have multiple statements for the same package within a VEX document. This allows you to keep a record of the changes that occurred over time as you managed the vulnerability.

Docker Scout does seem to respect newer statements for a product where the newer statement resolves the vulnerability.

Per the VEX spec you can also specify subcomponents that a vulnerability originates from.

Unfortunately, Docker Scout as of version 1.18.2 does not seem to respect newer statements if the statements in question have a subcomponent specified. Presumably Scout is not recognizing that the newer and older statements are for the same thing, even if the specified product and subcomponents are identical.

It's possible that it never has supported this and we didn't notice until the latest version--which is when Docker Scout started treating VEX documents with an under_investigation status as affected instead of not affected. This caused our old documents that had an under_investigation statement to all pop up again in the scan results, despite the fact that there is a newer statement.

Since the product and subcomponents for the statements are identical, the newer statement should be overriding the older statement.

Example

Working VEX with newer statement

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-cfdd29dc9a4a973474ca764a084f45a956010741f23a81524d808c7600c9f0c1",
  "author": "your-org",
  "timestamp": "2025-06-17T10:52:20.578625-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2022-46364"
      },
      "timestamp": "2024-11-27T08:19:56.668283-07:00",
      "products": [
        {
          "@id": "pkg:docker/your-org/your-image?repository_url=ghcr.io"
        }
      ],
      "status": "under_investigation"
    },
    {
      "vulnerability": {
        "name": "CVE-2022-46364"
      },
      "products": [
        {
          "@id": "pkg:docker/your-org/your-image?repository_url=ghcr.io"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "Our code does not use the web portion of where this vulnerability is exposed"
    }
  ]
}

Not working version with subcomponents

Note that the specified subcomponents are identical between the two statements.

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-cfdd29dc9a4a973474ca764a084f45a956010741f23a81524d808c7600c9f0c1",
  "author": "your-org",
  "timestamp": "2025-06-17T10:52:20.578625-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2022-46364"
      },
      "timestamp": "2024-11-27T08:19:56.668283-07:00",
      "products": [
        {
          "@id": "pkg:docker/your-org/your-image?repository_url=ghcr.io",
          "subcomponents": [
            {
              "@id": "pkg:maven/org.apache.cxf/cxf-core@3.5.3"
            }
          ]
        }
      ],
      "status": "under_investigation"
    },
    {
      "vulnerability": {
        "name": "CVE-2022-46364"
      },
      "products": [
        {
          "@id": "pkg:docker/your-org/your-image?repository_url=ghcr.io",
          "subcomponents": [
            {
              "@id": "pkg:maven/org.apache.cxf/cxf-core@3.5.3"
            }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "Our code does not use the web portion of where this vulnerability is exposed"
    }
  ]
}
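To make the expected matching rule concrete, here is an added example (my own code, not Docker Scout's implementation and not from the issue author) that resolves the effective status per (vulnerability, product, subcomponents) the way the issue expects: statements are grouped by the vulnerability name, the product @id and the set of subcomponent @ids, and within a group the statement with the latest timestamp wins. It assumes the OpenVEX rule that a statement without its own `timestamp` inherits the document's timestamp, and it treats a statement with no subcomponents as a different key from one that names subcomponents (a choice of this example, not something the issue states). The two documents are rebuilt from the issue's own JSON with a small builder so the fields are not duplicated.

```python
"""Resolve effective OpenVEX statuses, keyed on vulnerability + product + subcomponents.

Added example; not Docker Scout's code. Assumption: a statement without its own
"timestamp" inherits the document "timestamp" (OpenVEX semantics as I read them).
"""
from datetime import datetime

PRODUCT = "pkg:docker/your-org/your-image?repository_url=ghcr.io"
CXF = "pkg:maven/org.apache.cxf/cxf-core@3.5.3"
OPEN_STATUSES = {"affected", "under_investigation"}


def make_doc(subcomponents):
    """Rebuild the issue's two-statement document.

    subcomponents=[] reproduces the first (working) example; [CXF] reproduces
    the second one, where both statements name the same subcomponent.
    """
    def product():
        p = {"@id": PRODUCT}
        if subcomponents:
            p["subcomponents"] = [{"@id": s} for s in subcomponents]
        return p

    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "author": "your-org",
        "timestamp": "2025-06-17T10:52:20.578625-06:00",
        "version": 1,
        "statements": [
            {
                "vulnerability": {"name": "CVE-2022-46364"},
                "timestamp": "2024-11-27T08:19:56.668283-07:00",
                "products": [product()],
                "status": "under_investigation",
            },
            {
                "vulnerability": {"name": "CVE-2022-46364"},
                # No statement timestamp: inherits the document's 2025-06-17 stamp.
                "products": [product()],
                "status": "not_affected",
                "justification": "vulnerable_code_not_in_execute_path",
            },
        ],
    }


DOC_WITHOUT_SUBS = make_doc([])
DOC_WITH_SUBS = make_doc([CXF])


def statement_key(vuln_name, product):
    """Identity of what a statement talks about: vuln, product and its subcomponents.

    Subcomponents are sorted so that listing them in a different order still
    matches; a product with no subcomponents gets the empty tuple.
    """
    subs = tuple(sorted(s["@id"] for s in product.get("subcomponents", [])))
    return (vuln_name, product["@id"], subs)


def resolve(doc):
    """Return {key: status} keeping, per key, the statement with the latest timestamp.

    Ties on timestamp go to the statement that appears later in the document.
    All timestamps in the issue carry a UTC offset, so they compare directly.
    """
    doc_ts = datetime.fromisoformat(doc["timestamp"])
    latest = {}  # key -> (timestamp, position, statement)
    for position, st in enumerate(doc["statements"]):
        ts = datetime.fromisoformat(st["timestamp"]) if "timestamp" in st else doc_ts
        vuln_name = st["vulnerability"]["name"]
        for product in st["products"]:
            key = statement_key(vuln_name, product)
            if key not in latest or (ts, position) > latest[key][:2]:
                latest[key] = (ts, position, st)
    return {key: entry[2]["status"] for key, entry in latest.items()}


def effective_status(doc, vuln_name, product_id, subcomponents=()):
    """Look up the resolved status for one (vuln, product, subcomponents) triple."""
    return resolve(doc).get((vuln_name, product_id, tuple(sorted(subcomponents))))


def open_findings(doc):
    """Keys whose latest statement still leaves the finding open for a scanner."""
    return sorted(k for k, status in resolve(doc).items() if status in OPEN_STATUSES)


if __name__ == "__main__":
    for label, doc in (("no subcomponents", DOC_WITHOUT_SUBS), ("with subcomponents", DOC_WITH_SUBS)):
        print(label, "->", resolve(doc), "open:", open_findings(doc))
```

Both documents resolve to `not_affected` for CVE-2022-46364, and `open_findings` is empty for both, which is the behaviour the issue expects from Scout once the subcomponent list is treated as part of the statement's identity rather than as something that prevents two statements from matching. Because the key is timestamp-driven, the result is the same if the two statements are swapped in the file.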
