STAC-25026: add //vexhub-main subdir to the tarball location URL #14
Open
LouisLotter wants to merge 1 commit into
Conversation
GitHub branch tarballs extract into a vexhub-main/ top-level directory. Without the go-getter //vexhub-main subdirectory hint, trivy vex repo download leaves the repository nested (0.1/vexhub-main/...), which 'trivy --vex repo' cannot read (it needs index.json at the version root) while Grype-style document collection still finds the files. Result: VEX statements silently stop applying to Trivy scans, e.g. the jetty CVE-2024-6763 statement on 2026-06-12. Mirrors the rancher vexhub manifest, which already carries the suffix.
deontaljaard approved these changes on Jun 15, 2026
Why

GitHub branch tarballs extract into a `vexhub-main/` top-level directory. Because the location URL in `vex-repository.json` lacks the go-getter `//vexhub-main` subdirectory hint, every fresh `trivy vex repo download` of this hub lands nested (`<cache>/stackvista/0.1/vexhub-main/...`). Consequences:

- `trivy --vex repo` needs `index.json` at the version root, so it silently ignores the whole hub — VEX statements stop applying to Trivy scans with no error.
- Grype-style document collection (`*openvex*.json`) still finds the nested files, so the failure is asymmetric and easy to miss: findings resurface as Trivy-only rows.
- The `CVE-2024-6763` `not_affected` statement (Add StackGraph Jetty HTTP VEX statement #9) stopped suppressing in the daily VEX-aware chart scan after a cache refresh, while Grype stayed suppressed.

The rancher vexhub manifest already carries the suffix; this aligns ours.
Verification

Served the edited manifest from a local `.well-known/vex-repository.json` endpoint and ran `trivy vex repo download stackvista` against a scratch cache — the download fetches the real `main.tar.gz//vexhub-main` production URL:

Also verified statement efficacy with a healthy layout: `trivy --vex repo` on `quay.io/stackstate/hadoop:3.4.3-so6` reports `CVE-2024-6763` 8× without VEX, 0× with.

Rollout

No consumer action needed: the location URL is part of trivy's cache ETag key, so the next `trivy vex repo download` after merge treats it as a new location and re-downloads cleanly. Pre-existing nested residue in old caches is harmless once `index.json` exists at the version root.

Ref: STAC-25026 (resolution comment has the full incident analysis).
🤖 Generated with Claude Code
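The failure mode described in this PR (a GitHub branch tarball URL without the go-getter `//<repo>-<branch>` hint, leaving `index.json` one directory below the version root where `trivy --vex repo` cannot see it) can be caught before a cache refresh bites. The script below is an added example, not code from this PR or from the stackvista project: it lints every location URL in a VEX repository manifest for the missing hint and proposes the corrected URL, and it classifies a downloaded version directory as healthy, nested, or empty. The manifest shape (`name` / `versions[].spec_version` / `versions[].locations[].url`) follows the Trivy VEX repository manifest format; the `example-org/vexhub` URL, the `example-vexhub` name and the scratch directories are constructed placeholders, not the real hub.

```python
"""
Lint a VEX repository manifest for the missing go-getter subdirectory hint and
check a downloaded cache for the nested-layout symptom.

Added example, not the PR's or the project's own code. Manifest field names
follow the Trivy VEX repository manifest format; URLs, names and paths are
constructed placeholders.
"""
import re
import tempfile
from pathlib import Path

# GitHub branch archive URL: https://github.com/<owner>/<repo>/archive/refs/heads/<branch>.tar.gz
# (branches containing '/' produce a different top-level name and are not handled here).
GITHUB_ARCHIVE = re.compile(
    r"^https://github\.com/(?P<owner>[^/]+)/(?P<repo>[^/]+)"
    r"/archive/refs/heads/(?P<branch>[^/]+)\.tar\.gz$"
)


def split_subdir_hint(url):
    """Split 'scheme://host/path//subdir' into (archive_url, subdir or None).

    The '//' after the scheme is the go-getter subdirectory separator.
    """
    scheme, _, rest = url.partition("://")
    if "//" in rest:
        archive, _, subdir = rest.partition("//")
        return f"{scheme}://{archive}", subdir
    return url, None


def check_location(url):
    """Classify one location URL and return (status, corrected_url).

    'ok'                 - GitHub archive URL that already carries the right hint
    'missing-subdir'     - GitHub archive URL without a hint; corrected URL supplied
    'unexpected-subdir'  - hint present but not the directory GitHub will create
    'not-github-archive' - anything else; left untouched
    """
    archive, subdir = split_subdir_hint(url)
    m = GITHUB_ARCHIVE.match(archive)
    if not m:
        return "not-github-archive", url
    # GitHub names the tarball's single top-level directory "<repo>-<branch>".
    top_dir = f"{m['repo']}-{m['branch']}"
    if subdir == top_dir:
        return "ok", url
    fixed = f"{archive}//{top_dir}"
    return ("missing-subdir" if subdir is None else "unexpected-subdir"), fixed


def lint_manifest(manifest):
    """Return [(spec_version, url, status, corrected_url)] for every location."""
    rows = []
    for version in manifest["versions"]:
        for loc in version["locations"]:
            status, fixed = check_location(loc["url"])
            rows.append((version["spec_version"], loc["url"], status, fixed))
    return rows


def index_location(version_root):
    """Report where index.json sits under a downloaded version directory.

    'root'         - readable by `trivy --vex repo`
    'nested:<dir>' - only one level down (the layout a missing hint produces);
                     glob-based document collection still finds the files here
    'absent'       - not present at all
    """
    root = Path(version_root)
    if not root.is_dir():
        return "absent"
    if (root / "index.json").is_file():
        return "root"
    for child in sorted(p for p in root.iterdir() if p.is_dir()):
        if (child / "index.json").is_file():
            return f"nested:{child.name}"
    return "absent"


# Constructed sample manifest: the URL lacks the //vexhub-main hint on purpose.
SAMPLE_MANIFEST = {
    "name": "example-vexhub",
    "versions": [
        {
            "spec_version": "0.1",
            "locations": [
                {"url": "https://github.com/example-org/vexhub/archive/refs/heads/main.tar.gz"},
            ],
            "update_interval": "24h",
        }
    ],
}


def demo_cache_layouts():
    """Build both layouts in a scratch directory (constructed, not a real cache) and classify them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        nested = Path(tmp, "nested", "0.1")          # what a hint-less download produces
        (nested / "vexhub-main").mkdir(parents=True)
        (nested / "vexhub-main" / "index.json").write_text("{}")
        healthy = Path(tmp, "healthy", "0.1")        # what the corrected URL produces
        healthy.mkdir(parents=True)
        (healthy / "index.json").write_text("{}")
        results["nested"] = index_location(nested)
        results["healthy"] = index_location(healthy)
    return results


if __name__ == "__main__":
    for spec, url, status, fixed in lint_manifest(SAMPLE_MANIFEST):
        print(f"{spec} {status}: {url}" + (f"\n    -> {fixed}" if fixed != url else ""))
    print(demo_cache_layouts())
```

Run against the real manifest by loading `.well-known/vex-repository.json` with `json.load` and passing it to `lint_manifest`; point `index_location` at `<cache>/<repo-name>/<spec_version>` after a `trivy vex repo download` to confirm the layout Trivy will actually read.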