Docker Scout cves with vex-location #207

@jamesbr-ashn

Description

I have been attempting to bypass some vulnerabilities on the Microsoft SDK from mcr.microsoft.com/dotnet/sdk@8.0. I have created three documents, each with a statement targeting a separate vulnerability (CVE-2025-26646, CVE-2025-55247, CVE-2025-59375). Below is an example of one of those vex files.

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-3171d2fb0f688f96c42705c2716806445f662ae0683237a1064be86fa8379d97",
  "author": "me@my.com",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2025-59375"
      },
      "products": [
        {
          "@id": "pkg:docker/mcr.microsoft.com/dotnet/sdk@8.0"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ],
  "timestamp": "2025-10-29T16:40:29Z"
}

I am running docker scout cves mcr.microsoft.com/dotnet/sdk:8.0 --vex-location "C:\repos\myrepo\dotnetsdk\8.0\vex\" --only-vex-affected. The results of the analyzed image still show the vulnerabilities and still report the 3 vulnerabilities I am trying to address across 5 files. I have attempted this with and without subcomponents.

   0C     1H     0M     2L  expat 2.5.0-1+deb12u2
pkg:deb/debian/expat@2.5.0-1%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12

    x HIGH CVE-2025-59375
      https://scout.docker.com/v/CVE-2025-59375
      Affected range : >=2.5.0-1+deb12u2
      Fixed version  : not fixed

    x LOW CVE-2024-28757
      https://scout.docker.com/v/CVE-2024-28757
      Affected range : >=2.5.0-1+deb12u2
      Fixed version  : not fixed

    x LOW CVE-2023-52426
      https://scout.docker.com/v/CVE-2023-52426
      Affected range : >=2.5.0-1+deb12u2
      Fixed version  : not fixed


   0C     1H     0M     0L  Microsoft.Build.Tasks.Core 17.3.4
pkg:nuget/Microsoft.Build.Tasks.Core@17.3.4

    x HIGH CVE-2025-26646 [External Control of File Name or Path]
      https://scout.docker.com/v/CVE-2025-26646
      Affected range : >=17.0.0
                     : <=17.8.3
      Fixed version  : 17.8.29
      CVSS Score     : 8.0
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H


   0C     1H     0M     0L  Microsoft.Build.Tasks.Core 17.11.31
pkg:nuget/Microsoft.Build.Tasks.Core@17.11.31

    x HIGH CVE-2025-55247 [Improper Link Resolution Before File Access ('Link Following')]
      https://scout.docker.com/v/CVE-2025-55247
      Affected range : >=17.11.0
                     : <=17.11.31
      Fixed version  : 17.11.48
      CVSS Score     : 7.3
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H


   0C     1H     0M     0L  Microsoft.Build.Utilities.Core 17.11.31
pkg:nuget/Microsoft.Build.Utilities.Core@17.11.31

    x HIGH CVE-2025-55247 [Improper Link Resolution Before File Access ('Link Following')]
      https://scout.docker.com/v/CVE-2025-55247
      Affected range : >=17.11.0
                     : <=17.11.31
      Fixed version  : 17.11.48
      CVSS Score     : 7.3
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H


   0C     1H     0M     0L  Microsoft.Build 17.11.31
pkg:nuget/Microsoft.Build@17.11.31

    x HIGH CVE-2025-55247 [Improper Link Resolution Before File Access ('Link Following')]
      https://scout.docker.com/v/CVE-2025-55247
      Affected range : >=17.11.0
                     : <=17.11.31
      Fixed version  : 17.11.48
      CVSS Score     : 7.3
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

I know I must be missing something simple, but my troubleshooting has not unearthed the cause. I'm hoping someone from the community can help me.
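As an added example, not part of this issue and not Docker Scout's own code, the script below shows the shape of a VEX statement that names both the image and the specific affected packages, and a matcher that makes the coverage rule explicit so a document can be checked before it is handed to a scanner. It assumes, as the OpenVEX spec allows, that each product entry may carry a `subcomponents` list of package PURLs, and that a finding is covered only when the CVE name matches, the product PURL matches the image, and the package PURL is either listed as a subcomponent or the statement lists no subcomponents at all (whole-product scope). Whether a given scanner applies exactly this rule is an assumption; the report text, the image PURL and the document `@id` are constructed samples modelled on the output above.

```python
"""Build an OpenVEX document from a `docker scout cves` text report and check
which findings it would cover. Added example; matching rule is an assumption."""
import json
import re
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the report shape shown in the issue.
SCOUT_REPORT = """\
   0C     1H     0M     2L  expat 2.5.0-1+deb12u2
pkg:deb/debian/expat@2.5.0-1%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12

    x HIGH CVE-2025-59375
      https://scout.docker.com/v/CVE-2025-59375

    x LOW CVE-2024-28757
      https://scout.docker.com/v/CVE-2024-28757

   0C     1H     0M     0L  Microsoft.Build.Tasks.Core 17.3.4
pkg:nuget/Microsoft.Build.Tasks.Core@17.3.4

    x HIGH CVE-2025-26646 [External Control of File Name or Path]
      https://scout.docker.com/v/CVE-2025-26646

   0C     1H     0M     0L  Microsoft.Build 17.11.31
pkg:nuget/Microsoft.Build@17.11.31

    x HIGH CVE-2025-55247 [Improper Link Resolution Before File Access ('Link Following')]
      https://scout.docker.com/v/CVE-2025-55247
"""

# Assumed image PURL (copied from the issue's statement; whether this exact
# form is what the scanner expects is not something this script decides).
IMAGE_PURL = "pkg:docker/mcr.microsoft.com/dotnet/sdk@8.0"

PURL_RE = re.compile(r"^pkg:\S+$")               # a bare package URL line
CVE_RE = re.compile(r"^\s*x\s+\w+\s+(CVE-\d{4}-\d{4,})")  # "x HIGH CVE-..." line


def parse_findings(report):
    """Return (package_purl, cve_id) pairs; each CVE belongs to the last PURL seen."""
    findings, current = [], None
    for line in report.splitlines():
        if PURL_RE.match(line.strip()):
            current = line.strip()
            continue
        m = CVE_RE.match(line)
        if m and current:
            findings.append((current, m.group(1)))
    return findings


def build_openvex(image_purl, findings, author, justification, only_cves=None):
    """One not_affected statement per CVE, with the affected package PURLs as
    subcomponents so the statement is scoped to those packages, not the whole image."""
    by_cve = {}
    for purl, cve in findings:
        if only_cves is None or cve in only_cves:
            by_cve.setdefault(cve, set()).add(purl)
    statements = [{
        "vulnerability": {"name": cve},
        "products": [{"@id": image_purl,
                      "subcomponents": [{"@id": p} for p in sorted(purls)]}],
        "status": "not_affected",
        "justification": justification,
    } for cve, purls in sorted(by_cve.items())]
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/PLACEHOLDER-DOC-ID",  # placeholder
        "author": author,
        "version": 1,
        "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "statements": statements,
    }


def coverage(doc, image_purl, package_purl, cve):
    """Return the status a matching statement gives this finding, or None.
    Assumed rule: CVE name and product must match; the package must be listed
    as a subcomponent, unless the statement lists none (whole-product scope)."""
    for st in doc["statements"]:
        if st["vulnerability"]["name"] != cve:
            continue
        for prod in st["products"]:
            if prod["@id"] != image_purl:
                continue
            subs = [s["@id"] for s in prod.get("subcomponents", [])]
            if not subs or package_purl in subs:
                return st["status"]
    return None


if __name__ == "__main__":
    wanted = {"CVE-2025-26646", "CVE-2025-55247", "CVE-2025-59375"}
    doc = build_openvex(IMAGE_PURL, parse_findings(SCOUT_REPORT), "me@my.com",
                        "vulnerable_code_not_in_execute_path", only_cves=wanted)
    print(json.dumps(doc, indent=2))
```

Running the script prints a document with exactly three statements, one per targeted CVE, each scoped to the package PURLs the report attributes to it; the `coverage` helper then shows why a statement scoped to `Microsoft.Build@17.11.31` does not cover the same CVE in `Microsoft.Build.Utilities.Core@17.11.31`, which is the kind of partial suppression that looks like "VEX is being ignored" in a report.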
