Trivy ignores VEX document and misses ExperimentalModifiedFindings key in JSON output

[delsner]

Description

I'm trying to exclude findings from the gitlab/gitlab-runner image using a VEX document.

Here's the command I use:

trivy image --format=json --output=results.json --scanners=vuln --show-suppressed --vex=gitlab-runner.openvex.json gitlab/gitlab-runner:ubuntu-bleeding

Where the content of the VEX file is:

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-7044ebb8ba3b8bdd56d7c48a0f7d4924acf978bd643f3df2e22fdea26b9c315f",
  "author": "Unknown Author",
  "timestamp": "2025-04-28T07:48:07.927732+02:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2025-22868"
      },
      "timestamp": "2025-04-28T07:48:07.927733+02:00",
      "products": [
        {
          "@id": "pkg:oci/gitlab/gitlab-runner:ubuntu-bleeding",
          "subcomponents": [
            {
              "@id": "pkg:golang/golang.org/x/[email protected]"
            }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present"
    }
  ]
}

I also tried with specifying the version as sha256 digest instead of the tag :ubuntu-bleeding.

What am I doing wrong or is this a bug?

Desired Behavior

I expected the finding corresponding to the excluded CVE to be suppressed.
The JSON output file should contain a section ExperimentalModifiedFindings which lists the suppressed finding.
It has done so for other images before.

Actual Behavior

No ExperimentalModifiedFindings section in JSON and the finding is not excluded from the reported CVEs.

Reproduction Steps

1. Create VEX file

echo '{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-7044ebb8ba3b8bdd56d7c48a0f7d4924acf978bd643f3df2e22fdea26b9c315f",
"author": "Unknown Author",
"timestamp": "2025-04-28T07:48:07.927732+02:00",
"version": 1,
"statements": [
  {
    "vulnerability": {
      "name": "CVE-2025-22868"
    },
    "timestamp": "2025-04-28T07:48:07.927733+02:00",
    "products": [
      {
        "@id": "pkg:oci/gitlab/gitlab-runner:ubuntu-bleeding",
        "subcomponents": [
          {
            "@id": "pkg:golang/golang.org/x/[email protected]"
          }
        ]
      }
    ],
    "status": "not_affected",
    "justification": "vulnerable_code_not_present"
  }
]
}' > gitlab-runner.openvex.json

2. Run Trivy:

trivy image --format=json --output=results.json --scanners=vuln --show-suppressed --vex=gitlab-runner.openvex.json gitlab/gitlab-runner:ubuntu-bleeding

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

❯ trivy image --format=json --output=results.json --scanners=vuln --show-suppressed --vex=gitlab-runner.openvex.json gitlab/gitlab-runner:ubuntu-bleeding --debug
2025-09-29T12:48:19+02:00       DEBUG   No plugins loaded
2025-09-29T12:48:19+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-29T12:48:19+02:00       DEBUG   Cache dir       dir="/Users/user/Library/Caches/trivy"
2025-09-29T12:48:19+02:00       DEBUG   Cache dir       dir="/Users/user/Library/Caches/trivy"
2025-09-29T12:48:19+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-29T12:48:19+02:00       DEBUG   Ignore statuses statuses=[]
2025-09-29T12:48:19+02:00       DEBUG   DB update was skipped because the local DB is the latest
2025-09-29T12:48:19+02:00       DEBUG   DB info schema=2 updated_at=2025-09-29T06:32:29.75454268Z next_update=2025-09-30T06:32:29.75454233Z downloaded_at=2025-09-29T09:50:35.751061Z
2025-09-29T12:48:19+02:00       DEBUG   [pkg] Package types     types=[os library]
2025-09-29T12:48:19+02:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-09-29T12:48:19+02:00       INFO    [vuln] Vulnerability scanning is enabled
2025-09-29T12:48:19+02:00       DEBUG   Initializing scan cache...      type="fs"
2025-09-29T12:48:19+02:00       DEBUG   [notification] Running version check
2025-09-29T12:48:20+02:00       DEBUG   [notification] Version check completed  latest_version="0.66.0"
2025-09-29T12:48:21+02:00       DEBUG   [image] Image found     image="gitlab/gitlab-runner:ubuntu-bleeding" source="remote"
2025-09-29T12:48:21+02:00       DEBUG   Created process-specific temp directory path="/var/folders/bm/9r03dhvx4tzbqvw2fzw9rzyr0000gn/T/trivy-8751"
2025-09-29T12:48:21+02:00       DEBUG   [image] Detected image ID       image_id="sha256:11a6a08e94b5549575137b2c5ed7a98855ec828e327e979d29604c5838d3c51e"
2025-09-29T12:48:21+02:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:9d592720ced4a7a4ddf16adef8a126e4c8c49f22114de769343320b37674321e sha256:eb52b80cf748eef9d5915e0606ff387ca28c4e1bab54ea87c8c91f6ca84a807f sha256:0b696873ca3d6dcc1757f9f88274aaedfc19092f18b01f5f5bb39049562b66e2 sha256:eb6e5da54b5a1ec5d55e0298e76ca6d07921cea40a011e9f411d4883dfe6b622 sha256:8c854cf77d589f55261e822e8eb30912280dbcf0247b69537e321f0185e70107]
2025-09-29T12:48:21+02:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:9d592720ced4a7a4ddf16adef8a126e4c8c49f22114de769343320b37674321e sha256:eb52b80cf748eef9d5915e0606ff387ca28c4e1bab54ea87c8c91f6ca84a807f sha256:0b696873ca3d6dcc1757f9f88274aaedfc19092f18b01f5f5bb39049562b66e2]
2025-09-29T12:48:21+02:00       INFO    Detected OS     family="ubuntu" version="24.04"
2025-09-29T12:48:21+02:00       INFO    [ubuntu] Detecting vulnerabilities...   os_version="24.04" pkg_num=129
2025-09-29T12:48:21+02:00       INFO    Number of language-specific files       num=2
2025-09-29T12:48:21+02:00       INFO    [gobinary] Detecting vulnerabilities...
2025-09-29T12:48:21+02:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="usr/bin/docker-machine"
2025-09-29T12:48:21+02:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="usr/bin/gitlab-runner"
2025-09-29T12:48:21+02:00       DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./helpers/runner_wrapper/api"
2025-09-29T12:48:21+02:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.66/docs/scanner/vulnerability#severity-selection for details.
2025-09-29T12:48:21+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-09-29T12:48:21+02:00       DEBUG   Cleaning up temp directory      path="/var/folders/bm/9r03dhvx4tzbqvw2fzw9rzyr0000gn/T/trivy-8751"

Operating System

macOS and Linux

Version

❯ trivy --version
Version: 0.66.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-29 06:32:29.75454268 +0000 UTC
  NextUpdate: 2025-09-30 06:32:29.75454233 +0000 UTC
  DownloadedAt: 2025-09-29 09:50:35.751061 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-07-29 00:57:42.993118293 +0000 UTC
  NextUpdate: 2025-08-01 00:57:42.993118123 +0000 UTC
  DownloadedAt: 2025-07-29 05:26:03.232903 +0000 UTC
Check Bundle:
  Digest: sha256:2bc834fc222789e26b85dc3e92e3333b488e16a9bfa192aa971cca25db884837
  DownloadedAt: 2025-03-26 13:55:46.896435 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @delsner

Trivy uses digest for oci artifacts (you can see this in SBOM report)
So you can't use tag in VEX file (see more about purl matching - https://trivy.dev/latest/docs/supply-chain/vex/file/#purl-matching)

But it works with digest:

➜ cat test.openvex.json 
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-7044ebb8ba3b8bdd56d7c48a0f7d4924acf978bd643f3df2e22fdea26b9c315f",
  "author": "Unknown Author",
  "timestamp": "2025-04-28T07:48:07.927732+02:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2025-22868"
      },
      "timestamp": "2025-04-28T07:48:07.927733+02:00",
      "products": [
        {
          "@id": "pkg:oci/gitlab-runner@sha256%3A8fa48314b5662857f75e4338f9590fbd32d3eac4f52e0c43c313a2f104bd54f9",
          "subcomponents": [
            {
              "@id": "pkg:golang/golang.org/x/[email protected]"
            }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present"
    }
  ]
}                                                                                                                                                                                                              
➜ trivy -q image gitlab/gitlab-runner:ubuntu-bleeding --vex test.openvex.json --show-suppressed

...

Suppressed Vulnerabilities (Total: 1)

┌─────────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────────┬───────────────────┐
│       Library       │ Vulnerability  │ Severity │    Status    │          Statement          │      Source       │
├─────────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────────┼───────────────────┤
│ golang.org/x/oauth2 │ CVE-2025-22868 │ HIGH     │ not_affected │ vulnerable_code_not_present │ test.openvex.json │
└─────────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────────┴───────────────────┘
...

Regards, Dmitriy

[DmitriyLewen]

Can you scan your images into CycloneDX format and send me?

[delsner]

Yes, here it is created via: trivy image --scanners vuln --format cyclonedx --output result.json ghcr.io/my-org/my-namespace/gitlab-runner:latest

result.json

[DmitriyLewen]

your root component (metadata.component) doesn't have purl.
That is why Trivy can't use your VEX.

[delsner]

Okay, good catch. Is it possible to create a purl for a locally built image? I'm guessing it's not possible yet: #9399

[DmitriyLewen]

hm...
You're right. Trivy currently doesn’t add a PURL for local images.
So you’ll need this PR: #9398.

Perhaps you can avoid using the root @id? Something like that:

"products": [
        {
          "@id": "pkg:golang/golang.org/x/[email protected]"
        }
      ],