UNCLASSIFIED - NO CUI

Irrelevant vulnerabilities in upstream image automatically cause non-compliance in our image

Summary

We have multiple images that use distroless/java-21 as their base image. It contained CVE-2023-52425, a high-severity issue in libexpat1 that ships in distroless/java-21. Iron Bank set the status of this finding to "Distro Package" in VAT, which is of course correct, since no patch is available in Debian.

However, we confirmed internally that our application, Develocity, is not affected: the vulnerability cannot be exploited in our images. Still, our affected images show up as non-compliant, and there does not seem to be a way for us to mark this upstream vulnerability as "Not vulnerable" for our case.

Steps to reproduce

Use a base image that carries an unpatched vulnerability (e.g. distroless/java-21 at the moment) for an application that is confirmed not to be vulnerable.

What is the current bug behavior?

The application image gets flagged as non-compliant.

What is the expected correct behavior?

There is a way for us to enter a justification for such upstream vulnerabilities as well.