Irrelevant vulnerabilities in upstream image automatically cause non-compliance in our image
Summary
We have multiple images that use distroless/java-21 as their base image. There was CVE-2023-52425, a high-severity issue for libexpat1 included in distroless/java-21. The status of this was set to "Distro Package" in VAT by IronBank, which is of course correct, and a patch in Debian is not available.
However, we confirmed internally that our application Develocity is not affected; the vulnerability cannot be exploited. Still, our affected images show up as non-compliant, and there doesn't seem to be a way for us to set this upstream vulnerability as "Not vulnerable" in our case.
Steps to reproduce
Use a base image with an unpatched vulnerability (e.g. distroless/java-21 currently) in an application that is confirmed to be not vulnerable.
What is the current bug behavior?
The application image gets flagged as non-compliant.
What is the expected correct behavior?
We have a way to enter a justification for such vulnerabilities as well.
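As an added illustration (not part of this report, and not VAT or IronBank tooling), the justification the report asks for is what an OpenVEX "not_affected" statement carries: it names the vulnerability, the exact product it applies to, and a machine-readable reason. The script below builds such a statement for CVE-2023-52425 and applies it to a constructed set of scanner findings, suppressing the finding only for the image the statement names and only when the statement actually carries a justification. The image references, author, timestamp, the chosen justification value and the placeholder CVE-0000-0000 (not a real identifier) are assumptions made for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed OpenVEX document (assumption: purl-style image ids, author,
# timestamp and justification are illustrative, not from the report).
VEX_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/develocity-001",
  "author": "Develocity image maintainers (placeholder)",
  "timestamp": "2024-03-01T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-2023-52425"},
      "products": [{"@id": "pkg:oci/develocity@sha256%3Aabc123"}],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "libexpat1 comes from the base image; the application never parses XML with expat."
    }
  ]
}
""")

# Constructed scanner findings for two images built on the same base.
# CVE-0000-0000 is a placeholder id, not a real vulnerability.
FINDINGS: List[Dict[str, str]] = [
    {"image": "pkg:oci/develocity@sha256%3Aabc123", "cve": "CVE-2023-52425",
     "package": "libexpat1", "severity": "High"},
    {"image": "pkg:oci/develocity@sha256%3Aabc123", "cve": "CVE-0000-0000",
     "package": "placeholder-pkg", "severity": "Critical"},
    {"image": "pkg:oci/other@sha256%3Adef456", "cve": "CVE-2023-52425",
     "package": "libexpat1", "severity": "High"},
]

# Justification values defined by the OpenVEX specification for not_affected.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

BLOCKING_SEVERITIES = {"High", "Critical"}  # assumed compliance threshold


def validate_statement(stmt: dict) -> List[str]:
    """Return problems with a statement; an empty list means it is usable.

    OpenVEX requires a not_affected statement to carry a justification or an
    impact_statement, so a bare "not affected" with no reason is rejected.
    """
    problems = []
    if not stmt.get("vulnerability", {}).get("name"):
        problems.append("statement has no vulnerability name")
    if not stmt.get("products"):
        problems.append("statement names no products")
    if stmt.get("status") == "not_affected":
        just = stmt.get("justification")
        if just is None and not stmt.get("impact_statement"):
            problems.append("not_affected needs a justification or impact_statement")
        if just is not None and just not in NOT_AFFECTED_JUSTIFICATIONS:
            problems.append(f"unknown justification {just!r}")
    return problems


def apply_vex(findings: List[dict], vex_doc: dict) -> Tuple[List[dict], List[dict]]:
    """Split findings into (still_open, suppressed).

    A finding is suppressed only when a valid not_affected statement names
    both its CVE and its exact product id; other images keep the finding.
    """
    suppressions: Dict[Tuple[str, str], dict] = {}
    for stmt in vex_doc["statements"]:
        if stmt.get("status") != "not_affected" or validate_statement(stmt):
            continue  # only well-formed not_affected statements suppress anything
        cve = stmt["vulnerability"]["name"]
        for prod in stmt["products"]:
            suppressions[(prod["@id"], cve)] = stmt
    still_open, suppressed = [], []
    for f in findings:
        stmt = suppressions.get((f["image"], f["cve"]))
        if stmt is None:
            still_open.append(f)
        else:
            suppressed.append({**f, "justification": stmt.get("justification"),
                               "impact_statement": stmt.get("impact_statement")})
    return still_open, suppressed


def compliance_by_image(findings: List[dict], vex_doc: dict) -> Dict[str, bool]:
    """True for an image when no High/Critical finding remains after VEX is applied."""
    still_open, _ = apply_vex(findings, vex_doc)
    verdict = {f["image"]: True for f in findings}
    for f in still_open:
        if f["severity"] in BLOCKING_SEVERITIES:
            verdict[f["image"]] = False
    return verdict


if __name__ == "__main__":
    open_findings, suppressed = apply_vex(FINDINGS, VEX_DOC)
    print("suppressed:", json.dumps(suppressed, indent=2))
    print("still open:", json.dumps(open_findings, indent=2))
    print("compliance:", compliance_by_image(FINDINGS, VEX_DOC))
```

With the constructed input, the Develocity image's libexpat1 finding is suppressed with the recorded justification, the other image's identical finding stays open because the statement does not name that product, and the placeholder Critical finding keeps the Develocity image non-compliant, which is the behaviour a reviewer would want: a justification covers one CVE on one product, never the whole image.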