Not sure if anyone can help but I’m struggling with getting an OpenVEX attestation added to my image.
Background: I’m building a multi-architecture image and pushing it to an intermediate local registry (localhost:5000 running the registry:2 container). Within my container image is Python Pip which has a long standing CVE-2018-20225 which for us is a non-issue.
I’ve created a VEX JSON to mark the package as not affected and include it in my docker scout run:
docker scout cves --vex-location ./vex --only-vex-affected -e registry://localhost:5000/golden-images/python-dev:3.12
All works well, the scout CLI shows the vulnerable package but with the Vex exception and it exits with code 0.
As my image is intended to be a golden image to act as a base for others, I’d like to attach the VEX to prevent false alarms if the image is scanned further down the line. I tried adding the attestation as per the documentation:
docker scout attestation add \
--file CVE-2018-20225.vex.json \
--predicate-type https://openvex.dev/ns/v0.2.0 \
localhost:5000/golden-images/python-dev:3.12
The command runs and I get the message that it was added successfully.
However, if I then run docker scout again doing just a normal cves scan, there is no VEX attestation and it exits with an error code, as it should for critical vulnerabilities.
The only way I was able to get it to work was to copy the VEX files to the /var/lib/db path in my image, but then I have to disable SBOM and attestations, which is not ideal.
I’ve manually pulled my image manifests, etc. and I cannot see the VEX file in there, so I’m at a complete loss as to why it says it was attached but apparently wasn’t.
Can anyone shed some light?
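A practical first step in diagnosing this is to check the two places a registry can hold an attestation for an image and see which predicate types are actually there. The script below is an added example for this thread, not code from the original post or from Docker Scout. It inspects (1) buildx-style attestation manifests embedded in the multi-arch OCI index (entries annotated `vnd.docker.reference.type: attestation-manifest`, whose layers carry an `in-toto.io/predicate-type` annotation) and (2) an OCI 1.1 referrers API response for the image digest. That a post-build `docker scout attestation add` lands in the referrers list rather than inside the index is an assumption here, which is exactly why the script checks both. All the JSON embedded below is constructed sample data (fake digests, an index with SBOM and provenance attestations but no OpenVEX), not anything fetched from a registry; the `inspect_registry` helper that walks a live `localhost:5000` registry is hypothetical usage and needs network access.

```python
"""Where is the attestation? Offline helpers for inspecting an OCI index,
attestation manifests and a referrers response for an OpenVEX predicate.

Added example, not code from the original post or from Docker Scout.
All sample JSON below is constructed, with fake digests.
"""
import json
import urllib.request
from typing import Dict, List

REF_TYPE_ANN = "vnd.docker.reference.type"        # buildx attestation marker
REF_DIGEST_ANN = "vnd.docker.reference.digest"    # image the attestation covers
PREDICATE_ANN = "in-toto.io/predicate-type"       # set on attestation layers
OPENVEX_PREDICATE = "https://openvex.dev/ns/v0.2.0"
INDEX_MEDIA_TYPES = (
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
)
MANIFEST_MEDIA_TYPE = "application/vnd.oci.image.manifest.v1+json"

# Constructed digests (not real content hashes).
AMD64 = "sha256:" + "a" * 64
ARM64 = "sha256:" + "b" * 64
ATT_AMD64 = "sha256:" + "c" * 64
ATT_ARM64 = "sha256:" + "d" * 64

# Constructed sample: a multi-arch index as buildx pushes it, with one
# attestation manifest per platform image.
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": INDEX_MEDIA_TYPES[0],
    "manifests": [
        {"digest": AMD64, "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": ARM64, "platform": {"os": "linux", "architecture": "arm64"}},
        {"digest": ATT_AMD64, "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {REF_TYPE_ANN: "attestation-manifest", REF_DIGEST_ANN: AMD64}},
        {"digest": ATT_ARM64, "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {REF_TYPE_ANN: "attestation-manifest", REF_DIGEST_ANN: ARM64}},
    ],
}

# Constructed sample: the attestation manifest behind ATT_AMD64, carrying an
# SPDX SBOM and SLSA provenance but no OpenVEX statement.
SAMPLE_ATT_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": MANIFEST_MEDIA_TYPE,
    "layers": [
        {"mediaType": "application/vnd.in-toto+json",
         "annotations": {PREDICATE_ANN: "https://spdx.dev/Document"}},
        {"mediaType": "application/vnd.in-toto+json",
         "annotations": {PREDICATE_ANN: "https://slsa.dev/provenance/v0.2"}},
    ],
}

# Constructed sample: an empty referrers response for AMD64.
SAMPLE_REFERRERS = {"schemaVersion": 2, "mediaType": INDEX_MEDIA_TYPES[0], "manifests": []}


def attestation_manifests(index: dict) -> Dict[str, str]:
    """Map each embedded attestation manifest digest to the image digest it covers."""
    found = {}
    for entry in index.get("manifests", []):
        ann = entry.get("annotations") or {}
        if ann.get(REF_TYPE_ANN) == "attestation-manifest":
            found[entry["digest"]] = ann.get(REF_DIGEST_ANN, "")
    return found


def predicate_types(att_manifest: dict) -> List[str]:
    """Predicate types declared on the layers of one attestation manifest."""
    return [(layer.get("annotations") or {}).get(PREDICATE_ANN, "")
            for layer in att_manifest.get("layers", [])]


def referrer_types(referrers: dict) -> List[str]:
    """artifactType of each referrer; where a post-build attachment is assumed to appear."""
    return [entry.get("artifactType", "") for entry in referrers.get("manifests", [])]


def has_openvex(att_manifests: List[dict], referrers: dict) -> bool:
    """True if an OpenVEX predicate is visible in either location.

    The referrers check is deliberately loose (string match over the whole
    response) because the exact artifactType/annotation used is an assumption.
    """
    in_index = any(OPENVEX_PREDICATE in predicate_types(m) for m in att_manifests)
    in_referrers = OPENVEX_PREDICATE in json.dumps(referrers)
    return in_index or in_referrers


def fetch_json(url: str, accept: str) -> dict:
    """GET a registry JSON document with an explicit Accept header."""
    req = urllib.request.Request(url, headers={"Accept": accept})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def inspect_registry(base: str, name: str, tag: str) -> Dict[str, List[str]]:
    """Hypothetical live walk: image digest -> predicate types in its attestation
    manifest. Example: inspect_registry("http://localhost:5000",
    "golden-images/python-dev", "3.12"). Needs network; not run by the tests."""
    index = fetch_json(f"{base}/v2/{name}/manifests/{tag}", ", ".join(INDEX_MEDIA_TYPES))
    report: Dict[str, List[str]] = {}
    for att_digest, image_digest in attestation_manifests(index).items():
        att = fetch_json(f"{base}/v2/{name}/manifests/{att_digest}", MANIFEST_MEDIA_TYPE)
        report[image_digest] = predicate_types(att)
    return report
```

Against the constructed sample, `has_openvex([SAMPLE_ATT_MANIFEST], SAMPLE_REFERRERS)` is `False`, matching the symptom in the post: the index's attestation manifests only carry the build-time SBOM and provenance predicates. Pointing `inspect_registry` at the real `localhost:5000` index, and separately fetching `/v2/golden-images/python-dev/referrers/<image digest>` for each platform digest, shows which of the two locations (if either) the `attestation add` command actually wrote to; a scanner that only reads the embedded attestation manifests would not see anything attached via referrers.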