False-positives in VEX files being wrongly filtered

[macedogm]

Description

When using a VEX report on an image, some CVEs can be wrongly filtered out. If a JSON output is used, it will contain an empty and invalid ExperimentalModifiedFindings[]:

      "ExperimentalModifiedFindings": [
        {
          "Type": "",
          "Status": "",
          "Statement": "",
          "Source": "",
          "Finding": null
        },
        {
          "Type": "",
          "Status": "",
          "Statement": "",
          "Source": "",
          "Finding": null
        }
      ]

The filtered out CVEs are also wrongly missing from the default's table output.

Desired Behavior

CVEs that are not inside a VEX report must not be filtered out.

Actual Behavior

CVEs that are not inside a VEX are being suppressed and filtered out.

Reproduction Steps

1. Scan the image `registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2` with `trivy i registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2`.
2. See that it will output 10 vulnerabilities of type `sles`.
3. Download the following VEX report - https://github.com/rancher/vexhub/blob/ea1fa0711144f1e898b25b080bd4419ea91694ca/pkg/oci/registry.suse.com/suse/sles/15.7/libguestfs-tools/scan.openvex.json.
4. Scan the same image using the VEX report - `trivy i --vex scan.openvex.json registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2`. See that the output will only list 8 vulnerabilities of type `sles`.
5. Try to see the suppressed vulnerabilities, but none will be listed - `trivy i --vex scan.openvex.json --show-suppressed registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2`.
6. Generate a JSON report with the suppressed vulnerabilities - `trivy i -f json -o output.json --vex scan.openvex.json --show-suppressed registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2`. See that it will generate an invalid `ExperimentalModifiedFindings` object with 2 `null` findings.
7. The 2 wrongly suppressed vulnerabilities are `libpython3_6m1_0 - SUSE-SU-2025:02778-1` and `python3-base - SUSE-SU-2025:02778-1`, but they are not inside the VEX report that VEXed only `SUSE-SU-2025:02536-1` for `boost-license1_66_0`, `libboost_system1_66_0` and `libboost_thread1_66_0`.
8. Apparently the faulty logic is in https://github.com/aquasecurity/trivy/blob/4a2be6b48c19eee5692a36245e0da579ef45f3c6/pkg/vex/vex.go#L168-L171.
9. It's solved by changing the logic to check for a `nil Finding`:

if !reachRoot(c, bom.Components(), bom.Parents(), notAffectedFn) && modified.Finding != nil {
  result.ModifiedFindings = append(result.ModifiedFindings, modified)
  return false
}

10. I don't fully understand the logic in `func reachRoot()`, so the issue might be actually there.

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

> trivy -d i -f json -o output.json --vex scan.openvex.json --show-suppressed registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2
2025-09-09T10:21:16-03:00	DEBUG	No plugins loaded
2025-09-09T10:21:16-03:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-09T10:21:16-03:00	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-09-09T10:21:16-03:00	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-09-09T10:21:16-03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-09T10:21:16-03:00	DEBUG	Ignore statuses	statuses=[]
2025-09-09T10:21:16-03:00	DEBUG	DB update was skipped because the local DB is the latest
2025-09-09T10:21:16-03:00	DEBUG	DB info	schema=2 updated_at=2025-09-09T12:33:28.251478274Z next_update=2025-09-10T12:33:28.251477873Z downloaded_at=2025-09-09T13:05:26.09851351Z
2025-09-09T10:21:16-03:00	DEBUG	[pkg] Package types	types=[os library]
2025-09-09T10:21:16-03:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-09-09T10:21:16-03:00	INFO	[vuln] Vulnerability scanning is enabled
2025-09-09T10:21:16-03:00	INFO	[secret] Secret scanning is enabled
2025-09-09T10:21:16-03:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-09T10:21:16-03:00	INFO	[secret] Please see also https://trivy.dev/dev/docs/scanner/secret#recommendation for faster secret detection
2025-09-09T10:21:16-03:00	DEBUG	Initializing scan cache...	type="fs"
2025-09-09T10:21:16-03:00	DEBUG	[notification] Running version check
2025-09-09T10:21:17-03:00	DEBUG	[notification] Version check completed	latest_version="0.66.0"
2025-09-09T10:21:19-03:00	DEBUG	[image] Image found	image="registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2" source="remote"
2025-09-09T10:21:19-03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-09-09T10:21:19-03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-09-09T10:21:19-03:00	DEBUG	Created process-specific temp directory	path="/tmp/trivy-303915"
2025-09-09T10:21:20-03:00	DEBUG	[image] Detected image ID	image_id="sha256:a4c976022ae9fd2b0cbc09b3ce984b32eb0cd8ed86ee1b4c4b54e07bbd945b55"
2025-09-09T10:21:20-03:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:a22b0d7b670cbc862dc5dfb4ab514249f9e205dbb7b734f841d48be33dd465e3 sha256:0ff85bfd722efabc5a4005e68a33702fcf219e179848bda18a8dd7bea7fab3f3]
2025-09-09T10:21:20-03:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-09-09T10:21:20-03:00	INFO	Detected OS	family="sles" version="15.7"
2025-09-09T10:21:20-03:00	WARN	This OS version is not on the EOL list	family="sles" version="15.7"
2025-09-09T10:21:20-03:00	INFO	[sles] Detecting vulnerabilities...	os_version="15.7" pkg_num=317
2025-09-09T10:21:20-03:00	INFO	Number of language-specific files	num=0
2025-09-09T10:21:20-03:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/dev/docs/scanner/vulnerability#severity-selection for details.
2025-09-09T10:21:20-03:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-09-09T10:21:20-03:00	DEBUG	Cleaning up temp directory	path="/tmp/trivy-303915"

Operating System

openSUSE Tumbleweed-Slowroll

Version

Version: 0.66.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-09 00:34:00.085406542 +0000 UTC
  NextUpdate: 2025-09-10 00:34:00.085406202 +0000 UTC
  DownloadedAt: 2025-09-09 04:31:33.087181598 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[macedogm]

To complement, not even Trivy itself can properly parse the generated JSON report that has the invalid ExperimentalModifiedFindings[] generated in step 6.

By using the following test code:

package main

import (
        "encoding/json"
        "fmt"
        "os"

        trivyTypes "github.com/aquasecurity/trivy/pkg/types"
)

func main() {
        f, err := os.ReadFile("output.json")
        if err != nil {
                fmt.Println("failed to read file")
                fmt.Println(err)
                os.Exit(1)
        }
        var trivyReport trivyTypes.Report
        if err = json.Unmarshal(f, &trivyReport); err != nil {
                fmt.Println("failed to parse Trivy report")
                fmt.Println(err)
                os.Exit(1)
        }
}

And then running it on the report - go run main.go, it produces the following error:

failed to parse Trivy report
invalid Finding type: 
exit status 1

The error comes from

trivy/pkg/types/finding.go

Lines 84 to 86 in 4a2be6b

	if err != nil {
	return xerrors.Errorf("unable to unmarshal %q type: %w", m.Type, err)
	}

.

[DmitriyLewen]

Hello @macedogm
Thanks for your report!

This issue relates to the libpython3_6m1_0 and python3-base components.
These packages are related to each other, but they don’t relate to the root component.
Related issue: #9011.

That’s why Trivy builds an incorrect SBOM file and suppresses vulnerabilities for these packages.
#9007 fixes this problem.

I also created #9465 to fix a mistake in the VEX code.

Regards, Dmitriy

[macedogm]

@DmitriyLewen thanks a lot for the context and solutions. 👍🏻