Struggling with adding VEX attestations with Docker Scout

Not sure if anyone can help but I’m struggling with getting an OpenVEX attestation added to my image.

Background: I'm building a multi-architecture image and pushing it to an intermediate local registry (localhost:5000, running the registry:2 container). Within my container image is Python's pip, which has a long-standing CVE (CVE-2018-20225) that for us is a non-issue.

I've created a VEX JSON to mark the package as not affected and include it in my docker scout run:

docker scout cves --vex-location ./vex --only-vex-affected -e registry://localhost:5000/golden-images/python-dev:3.12

All works well: the Scout CLI shows the vulnerable package, but with the VEX exception, and it exits with code 0.

As my image is intended to be a golden image that acts as a base for others, I'd like to attach the VEX to prevent false alarms if the image is scanned further down the line. I tried adding the attestation as per the documentation:

docker scout attestation add \
  --file CVE-2018-20225.vex.json \
  --predicate-type https://openvex.dev/ns/v0.2.0 \
  localhost:5000/golden-images/python-dev:3.12

The command runs and I get the message that it was added successfully.

However, if I then run docker scout again, doing just a normal cves scan, there is no VEX attestation and it exits with an error code, as it should for critical vulnerabilities.

The only way I was able to get it to work was to copy the VEX files to the /var/lib/db path in my image, but then I have to disable SBOM and attestations, which is not ideal.

I've manually pulled my image's manifests, etc., and I cannot see the VEX file in there, so I'm at a complete loss as to why it says it was attached but apparently wasn't.

Can anyone shed some light?
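For readers who want to reproduce the first half of the post (the part that does work), here is an added example, not code from the original post or from Docker, that builds the OpenVEX v0.2.0 document passed to `--vex-location` and to `docker scout attestation add`, and checks it against the constraints the OpenVEX spec puts on a `not_affected` statement before it is written out. The author string, the pip version, and the `pkg:docker/...` product purl with the pip purl as a subcomponent are assumptions; the product/subcomponent split follows the OpenVEX spec, and whether Scout requires exactly that shape should be checked against the Docker Scout documentation.

```python
"""Build and sanity-check an OpenVEX v0.2.0 document that marks pip's
CVE-2018-20225 as not_affected for a container image.

Added example (not from the forum post or Docker). Image name, pip version
and the product/subcomponent purl layout are assumptions.
"""
import json
import re
import uuid
from datetime import datetime, timezone

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# Status values defined by the OpenVEX spec.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Justification values the spec allows for status == not_affected.
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_vex(author, image_purl, package_purl, cve, status,
              justification=None, impact_statement=None,
              doc_id=None, timestamp=None):
    """Return an OpenVEX document with one statement.

    image_purl is the product (the image); package_purl is the affected
    subcomponent inside it (assumed layout, see lead-in).
    """
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    statement = {
        "vulnerability": {"name": cve},
        "products": [
            {"@id": image_purl, "subcomponents": [{"@id": package_purl}]}
        ],
        "status": status,
    }
    if justification is not None:
        statement["justification"] = justification
    if impact_statement is not None:
        statement["impact_statement"] = impact_statement
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": doc_id or f"urn:uuid:{uuid.uuid4()}",
        "author": author,
        "timestamp": ts,
        "version": 1,
        "statements": [statement],
    }


def validate_vex(doc):
    """Return a list of problems; an empty list means the document is usable."""
    errors = []
    if doc.get("@context") != OPENVEX_CONTEXT:
        errors.append("@context must be " + OPENVEX_CONTEXT)
    for key in ("@id", "author", "timestamp", "version"):
        if key not in doc:
            errors.append(f"missing top-level field {key}")
    statements = doc.get("statements") or []
    if not statements:
        errors.append("document has no statements")
    for i, st in enumerate(statements):
        name = (st.get("vulnerability") or {}).get("name", "")
        if not CVE_RE.match(name):
            errors.append(f"statement {i}: vulnerability.name {name!r} is not a CVE id")
        status = st.get("status")
        if status not in STATUSES:
            errors.append(f"statement {i}: unknown status {status!r}")
        if status == "not_affected":
            # The spec requires a justification or an impact statement here;
            # a bare not_affected is exactly the kind of document scanners ignore.
            just = st.get("justification")
            if just is None and not st.get("impact_statement"):
                errors.append(f"statement {i}: not_affected needs a justification or impact_statement")
            elif just is not None and just not in JUSTIFICATIONS:
                errors.append(f"statement {i}: unknown justification {just!r}")
        products = st.get("products") or []
        if not products:
            errors.append(f"statement {i}: no products")
        for p in products:
            ids = [p.get("@id", "")] + [s.get("@id", "") for s in p.get("subcomponents", [])]
            for pid in ids:
                if not pid.startswith("pkg:"):
                    errors.append(f"statement {i}: {pid!r} is not a package URL")
    return errors


def write_vex(doc, path):
    """Validate, then write the document as JSON; returns the path written."""
    errors = validate_vex(doc)
    if errors:
        raise ValueError("; ".join(errors))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    return path


if __name__ == "__main__":
    vex = build_vex(
        author="Example Security Team",                        # assumed
        image_purl="pkg:docker/golden-images/python-dev@3.12",  # assumed purl form
        package_purl="pkg:pypi/pip@24.0",                       # assumed pip version
        cve="CVE-2018-20225",
        status="not_affected",
        justification="vulnerable_code_not_in_execute_path",
    )
    print(json.dumps(vex, indent=2))
```

Write the result to `./vex/CVE-2018-20225.vex.json` and the `docker scout cves --vex-location ./vex ...` invocation from the post picks it up; the same file is what the `attestation add --file` command in the post takes.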

I haven’t used this feature yet, so I’m just checking if you could solve it. Maybe you could enable debug logs in the docker daemon and check if scout logs something.

I am also hitting the same problem. It seems that VEX files added as attestations are not taken into account, neither in the Exceptions tab on the Docker Scout dashboard, nor when running a docker scout cves command.

The output of the cves command shows "✓ VEX statements obtained from attestation"; however, in the listed CVEs these VEX statements from the attestation are absolutely not taken into account. The VEX information in the listed CVEs is only seen when I'm passing the very same VEX documents as local files with the vex-location parameter of the cves command.

As adding VEX files as an attestation is a documented feature, I wonder why it is not working. Also, the debug logs do not seem to give any useful information. Do we need to wait, trigger some other process, or add some configuration in order to make VEX statements obtained from an attestation work on the Docker Scout dashboard or in the cves command?

Was someone able to make VEX attestations work?

By the way, maybe these details could be a hint: we are using multi-arch images; our images have a provenance attestation, but the SBOM is not added as an attestation; Docker Scout scans for the libs by itself.
