Labels: kind/bug

Description
We fixed an issue where two (or more) dependencies could cyclically depend on each other, causing incorrect traversal and follow-up logic.
See #9465
```mermaid
flowchart LR
A --> B
B --> A
```
But there are cases where a leaf reaches the same ancestor through multiple distinct paths. In such situations we skip applying the parent-filtering rule for that already-visited ancestor (it has already been evaluated on another path), so we do not filter the vulnerability.
Example

VEX file:

We have a VEX file with a not_affected CVE where:
- C is the component
- A is the subcomponent.

```json
"products": [
  {
    "@id": "C",
    "subcomponents": [
      {
        "@id": "A"
      }
    ]
  }
]
```

Dep tree
And we have the following tree:

```mermaid
flowchart LR
A --> B
B --> C
C --> R
A --> D
D --> E
E --> C
```

- A is the leaf.
- A has 2 direct parents, B and D (different paths).
- ...
- R is the root.
Trivy logic

So we have multiple paths from A to R.

1. We check the A -> B -> C -> R path.
   1.1. We check the full path.
   1.2. We add B and C to the set of visited parents.
   1.3. We mark this path as not_affected, because we found the component (C) and the subcomponent (A).
2. We check the A -> D -> E -> C path.
   2.1. We check the A and D components.
   2.2. We check the E component.
   2.2.1. We see that C (the parent of E) has already been visited, so we mark this path as affected. This is incorrect.

So we should only check for infinite loops within a single path, not globally across all paths.
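To make the difference between the two traversal strategies concrete, here is an added Go example that is not Trivy's own code. The `Graph` type, the `Statement` struct and the `EvaluatePaths` / `Filtered` functions are assumptions made for illustration only; the tree and the not_affected statement (product C, subcomponent A) are the ones from this issue. The example walks from the leaf A towards the root twice: once with a visited set shared across all paths (the behaviour described in steps 1.2 and 2.2.1 above) and once with a visited set scoped to the current path, where only a genuine cycle such as A -> B -> A is cut. It also assumes, as the issue implies, that a single affected path leaves the vulnerability unfiltered.

```go
package main

import (
	"fmt"
	"strings"
)

// Graph maps each node to its direct parents (child -> parents).
// Assumed data structure for this example, not Trivy's.
type Graph map[string][]string

// Statement is a minimal stand-in for one not_affected VEX statement:
// the vulnerability in Subcomponent is not affected when reached through Product.
type Statement struct {
	Product      string
	Subcomponent string
}

// PathResult records one root-ward path from the leaf and whether the
// not_affected statement applied to it.
type PathResult struct {
	Path        []string
	NotAffected bool
}

// EvaluatePaths enumerates every path from the leaf (the statement's subcomponent)
// towards the roots. With sharedVisited=true a single visited set is reused across
// all paths, reproducing the behaviour the issue describes; with sharedVisited=false
// only the nodes on the current path count as visited, so reaching an ancestor again
// through a different path is allowed and only a real cycle is cut short.
func EvaluatePaths(g Graph, st Statement, sharedVisited bool) []PathResult {
	var results []PathResult
	shared := map[string]bool{st.Subcomponent: true}

	var dfs func(node string, path []string, onPath map[string]bool)
	dfs = func(node string, path []string, onPath map[string]bool) {
		parents := g[node]
		if len(parents) == 0 { // root reached: the rule applies if the product is on this path
			results = append(results, PathResult{Path: copyOf(path), NotAffected: contains(path, st.Product)})
			return
		}
		for _, p := range parents {
			if sharedVisited {
				if shared[p] {
					// Ancestor already evaluated on another path: the rule is skipped
					// and the path is recorded as affected (step 2.2.1 in the issue).
					results = append(results, PathResult{Path: append(copyOf(path), p), NotAffected: false})
					continue
				}
				shared[p] = true
			} else if onPath[p] {
				// A genuine cycle within this single path (e.g. A -> B -> A): stop following it.
				continue
			}
			onPath[p] = true
			dfs(p, append(path, p), onPath)
			delete(onPath, p)
		}
	}
	dfs(st.Subcomponent, []string{st.Subcomponent}, map[string]bool{st.Subcomponent: true})
	return results
}

// Filtered reports whether the vulnerability is dropped: every path must be
// not_affected, and a single affected path keeps the vulnerability (assumed rule,
// matching the outcome the issue describes).
func Filtered(results []PathResult) bool {
	if len(results) == 0 {
		return false
	}
	for _, r := range results {
		if !r.NotAffected {
			return false
		}
	}
	return true
}

func contains(path []string, n string) bool {
	for _, x := range path {
		if x == n {
			return true
		}
	}
	return false
}

func copyOf(path []string) []string { return append([]string(nil), path...) }

func main() {
	// The dependency tree from the issue, stored as child -> parents.
	tree := Graph{"A": {"B", "D"}, "B": {"C"}, "D": {"E"}, "E": {"C"}, "C": {"R"}}
	st := Statement{Product: "C", Subcomponent: "A"}
	for _, shared := range []bool{true, false} {
		res := EvaluatePaths(tree, st, shared)
		fmt.Printf("shared visited set = %v\n", shared)
		for _, r := range res {
			fmt.Printf("  %-18s not_affected=%v\n", strings.Join(r.Path, " -> "), r.NotAffected)
		}
		fmt.Printf("  vulnerability filtered: %v\n", Filtered(res))
	}
}
```

With the shared visited set the second path stops at C and is reported as affected, so the vulnerability survives; with the per-path set both paths reach R through C and the vulnerability is filtered, while a cyclic edge back onto the current path still terminates the walk.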
Discussed in #9754