From 6efe91391ef8fcd8a05689424bcf209e275162bc Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Thu, 27 Jun 2024 13:07:23 +0200 Subject: [PATCH 1/2] scout: add note about vex on filesystem Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/scout/explore/exceptions.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/content/scout/explore/exceptions.md b/content/scout/explore/exceptions.md index 8eada1fd0c..7d3b6cec79 100644 --- a/content/scout/explore/exceptions.md +++ b/content/scout/explore/exceptions.md @@ -254,6 +254,20 @@ exception later. Image layers are immutable, so anything you put in the image's filesystem is there forever. Attaching the document as an [attestation](#attestation) provides better flexibility. +> **Note** +> +> VEX documents embedded in the image filesystem are not considered for images +> that have attestations. If your image has **any** attestations, Docker Scout +> will only look for exceptions in the attestations, and not in the image +> filesystem. +> +> If you want to use the VEX document embedded in the image filesystem, you +> must remove the attestation from the image. Note that provenance attestations +> may be added automatically for images. To ensure that no attestations are +> added to the image, you can explicitly disable both SBOM and provenance +> attestations using the `--provenance=false` and `--sbom=false` flags when +> building the image. + To embed a VEX document on the image filesystem, `COPY` the file into the image as part of the image build. The following example shows how to copy all VEX documents under `.vex/` in the build context, to `/var/lib/db` in the image. From 416f5aa37587c2d6f977f642e24d4531eb076e0e Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Thu, 27 Jun 2024 13:08:02 +0200 Subject: [PATCH 2/2] scout: call out that subcomponents is optional 
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/scout/explore/exceptions.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/scout/explore/exceptions.md b/content/scout/explore/exceptions.md index 7d3b6cec79..a824cb4103 100644 --- a/content/scout/explore/exceptions.md +++ b/content/scout/explore/exceptions.md @@ -76,6 +76,9 @@ Here's a description of the options in this example: specify the `--subcomponents` flag multiple times for a single `create` command. + You can also omit `--subcomponents`, in which case the VEX statement applies + to the entire image. + `--vuln` : ID of the CVE that the VEX statement addresses.
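Review bot: In the first hunk (the `> **Note**` block added to `content/scout/explore/exceptions.md` at line 254), the advice to build with `--provenance=false` and `--sbom=false` so the filesystem VEX document is honoured sits directly under a paragraph that says attaching the document as an [attestation](#attestation) "provides better flexibility", and the note never says which of the two the reader should prefer. Stripping provenance and SBOM attestations from an image to make a filesystem VEX file take effect discards supply-chain metadata that Docker Scout and other consumers rely on, so the note should state that moving the VEX document into an attestation is the recommended fix and that disabling attestations is the fallback. The sentence "you must remove the attestation from the image" also reads as a post-build action, while the instruction that follows is a build-time flag; suggest rewording to "you must rebuild the image without attestations, for example with `--provenance=false --sbom=false`", and mentioning that these are `docker build` / `docker buildx build` flags.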
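Review bot: In the second hunk (the two lines added under the `--subcomponents` option description at line 76), "the VEX statement applies to the entire image" is accurate but understates what an image-wide statement does: a `not_affected` or `fixed` statement with no subcomponents suppresses the `--vuln` CVE for every package in the image, not only for the one the author had in mind. Suggest adding a sentence such as "Omitting `--subcomponents` marks every package in the image as covered by the statement, so only do this when the justification holds for all of them", so readers do not create broader exceptions than intended. Also verify that the added lines carry the same leading indentation as the surrounding definition-list text so Markdown renders them as part of the `--subcomponents` entry rather than as a new paragraph before `--vuln`.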