Different result for VEX between SBOM and image scanning #10467

AugustusKling · 2026-04-01T08:45:34Z

AugustusKling
Apr 1, 2026

Description

I try to use a VEX file to exclude findings. This works when scanning a Docker image but not when producing an SBOM and then scanning the SBOM. This difference is there when the VEX contains a statement with subcomponents.

Desired Behavior

No difference in output between scanning an image vs producing an SBOM from the image and then scanning the SBOM.

Actual Behavior

Statement in VEX file is ignored when scanning SBOM.

Reproduction Steps

1. Create SBOM from image: `trivy image --format cyclonedx --output debian11.sbom.cdx debian@sha256:943d97fa707482c24e1bc2bdd0b0adc45f75eb345c61dc4272c4157f9a2cc9cc`
2. Scan image and observe 136 vulnerability findings: `trivy image debian@sha256:943d97fa707482c24e1bc2bdd0b0adc45f75eb345c61dc4272c4157f9a2cc9cc --vex classifications-subcomponent.vex.json`
3. Scan SBOM and observe 137 vulnerability findings: `trivy sbom debian11.sbom.cdx --vex classifications-subcomponent.vex.json`

Content of `classifications-subcomponent.vex.json`:

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://some.sample/classifications.vex.json",
  "author": "Unknown Author",
  "timestamp": "2026-04-01T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2011-3374"
      },
      "timestamp": "2026-04-01T00:00:00Z",
      "products": [
        {
          "@id": "pkg:oci/debian@sha256%3A943d97fa707482c24e1bc2bdd0b0adc45f75eb345c61dc4272c4157f9a2cc9cc?arch=amd64&repository_url=index.docker.io%2Flibrary%2Fdebian",
          "subcomponents": [
            { "@id": "pkg:deb/debian/apt@2.2.4?arch=amd64&distro=debian-11.11" }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "inline_mitigations_already_exist"
    }
  ]
}

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

`trivy sbom debian11.sbom.cdx --vex classifications-subcomponent.vex.json --debug`
2026-04-01T10:40:24+02:00       DEBUG   No plugins loaded
2026-04-01T10:40:24+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2026-04-01T10:40:24+02:00       DEBUG   Cache dir       dir="C:\\Users\\username\\AppData\\Local\\trivy"
2026-04-01T10:40:24+02:00       DEBUG   Cache dir       dir="C:\\Users\\username\\AppData\\Local\\trivy"
2026-04-01T10:40:24+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2026-04-01T10:40:24+02:00       DEBUG   Ignore statuses statuses=[]
2026-04-01T10:40:24+02:00       DEBUG   DB update was skipped because the local DB is the latest
2026-04-01T10:40:24+02:00       DEBUG   DB info schema=2 updated_at=2026-03-31T12:46:09.209041749Z next_update=2026-04-01T12:46:09.209041228Z downloaded_at=2026-03-31T13:36:54.9314138Z
2026-04-01T10:40:24+02:00       DEBUG   [pkg] Package types     types=[os library]
2026-04-01T10:40:24+02:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2026-04-01T10:40:24+02:00       INFO    [vuln] Vulnerability scanning is enabled
2026-04-01T10:40:24+02:00       DEBUG   [notification] Running version check
2026-04-01T10:40:24+02:00       DEBUG   Initializing scan cache...      type="memory"
2026-04-01T10:40:24+02:00       INFO    Detected SBOM format    format="cyclonedx-json"
2026-04-01T10:40:24+02:00       DEBUG   Unmarshalling CycloneDX JSON...
2026-04-01T10:40:24+02:00       DEBUG   [sbom] Skipping a component with an unsupported type    file_path="debian11.sbom.cdx" name="debian@sha256:943d97fa707482c24e1bc2bdd0b0adc45f75eb345c61dc4272c4157f9a2cc9cc" version="" type="oci"
2026-04-01T10:40:24+02:00       INFO    Detected OS     family="debian" version="11.11"
2026-04-01T10:40:24+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="11" pkg_num=96
2026-04-01T10:40:24+02:00       INFO    Number of language-specific files       num=0
2026-04-01T10:40:24+02:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/docs/v0.69/guide/scanner/vulnerability#severity-selection for details.
2026-04-01T10:40:24+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"

Operating System

Windows 11 Enterprise

Version

Version: 0.69.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-03-31 12:46:09.209041749 +0000 UTC
  NextUpdate: 2026-04-01 12:46:09.209041228 +0000 UTC
  DownloadedAt: 2026-03-31 13:36:54.9314138 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2026-03-19 01:17:54.395813642 +0000 UTC
  NextUpdate: 2026-03-22 01:17:54.39581332 +0000 UTC
  DownloadedAt: 2026-03-31 15:01:58.1966501 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Different result for VEX between SBOM and image scanning #10467

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Different result for VEX between SBOM and image scanning #10467

Uh oh!

Uh oh!

AugustusKling Apr 1, 2026

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 0 comments

AugustusKling
Apr 1, 2026