
bug(vex): VEX suppression no longer works in sbom mode starting from v0.67.0. #9593

@DmitriyLewen

Description

We added support for reusing scanned SBOM in #9439.
However, the reused BOM does not contain PkgIdentifier.UID, which causes an error here:

trivy/pkg/vex/vex.go, lines 153 to 157 in 78f0d4a:

```go
c, ok := components[vuln.PkgIdentifier.UID]
if !ok {
	log.Error("Component not found", log.String("uid", vuln.PkgIdentifier.UID))
	return true // Should never reach here
}
```

```
2025-10-05T18:46:11+02:00       ERROR   Component not found     uid="6926bf85598a26d3"
2025-10-05T18:46:11+02:00       ERROR   Component not found     uid="ed5af83f85d3f59f"
2025-10-05T18:46:11+02:00       ERROR   Component not found     uid="ed5af83f85d3f59f"
2025-10-05T18:46:11+02:00       ERROR   Component not found     uid="a520bd8e02f56b23"
2025-10-05T18:46:11+02:00       ERROR   Component not found     uid="6fc1805347faac92"
2025-10-05T18:46:11+02:00       ERROR   Component not found     uid="480c32763307f733"
```

Solution

Don't use the reused BOM for VEX filtering.

Discussed in #9589
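
A simplified model of the lookup quoted above, added here as an example and not Trivy's code: the types, `filterVEX`, the sample CVE ID and the purl are constructed, and it assumes `return true` keeps the finding in the report. It shows that a BOM whose components lack UIDs makes every lookup miss, so a matching VEX statement is never applied.

```go
package main

import "fmt"

// Hypothetical, simplified types for illustration; not Trivy's real structs.
type Component struct{ UID, PURL string }

type Vuln struct{ ID, PkgUID string } // PkgUID stands in for PkgIdentifier.UID

// filterVEX drops findings that a VEX statement marks not_affected.
// notAffected is keyed by "vulnID@purl" (constructed stand-in for a VEX document).
// It returns the remaining findings and the number of failed component lookups.
func filterVEX(vulns []Vuln, bom []Component, notAffected map[string]bool) ([]Vuln, int) {
	components := make(map[string]Component, len(bom))
	for _, c := range bom {
		components[c.UID] = c
	}
	var kept []Vuln
	misses := 0
	for _, v := range vulns {
		c, ok := components[v.PkgUID]
		if !ok {
			misses++               // same branch as the "Component not found" log line
			kept = append(kept, v) // assumed meaning of `return true`: keep the finding
			continue
		}
		if !notAffected[v.ID+"@"+c.PURL] {
			kept = append(kept, v)
		}
	}
	return kept, misses
}

// Constructed sample data: one finding, one VEX statement, two BOM variants.
var (
	sampleVulns = []Vuln{{ID: "CVE-0000-0001", PkgUID: "6926bf85598a26d3"}}
	sampleVEX   = map[string]bool{"CVE-0000-0001@pkg:golang/example.com/lib@1.0.0": true}
	freshBOM    = []Component{{UID: "6926bf85598a26d3", PURL: "pkg:golang/example.com/lib@1.0.0"}}
	reusedBOM   = []Component{{UID: "", PURL: "pkg:golang/example.com/lib@1.0.0"}} // UID lost on reuse
)

func main() {
	for name, bom := range map[string][]Component{"fresh": freshBOM, "reused": reusedBOM} {
		kept, misses := filterVEX(sampleVulns, bom, sampleVEX)
		fmt.Printf("%-6s BOM: %d finding(s) reported, %d lookup miss(es)\n", name, len(kept), misses)
	}
}
```

A non-zero miss count is the signal to watch for in scan pipelines: the scan still succeeds, but suppressed findings reappear in the report.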

Labels: kind/bug (Categorizes issue or PR as related to a bug.), scan/sbom (Issues relating to SBOM)