Bug
Resolution: Unresolved
Major
4.18
Important
Description of problem:
I am curious about how Red Hat thinks about CVEs in OpenShift. We run Trivy scans (https://trivy.dev/latest/) on all of our container images; the set of container images that make up OpenShift 4.18.24 (the version we are currently running) plus the relevant OLM packages contain about 32,000 CVEs. Most or all of these CVEs are due to vulnerabilities in base images that are not necessarily exploitable. I would like to know more about how Red Hat thinks about these CVEs. To start:

1) Does Red Hat offer a canonical list of CVEs in OpenShift and OLM packages that _are_ exploitable? Does Red Hat offer VEX files that we could consume in our vulnerability scanning software?
2) Can I find public guidance on why a CVE is not exploitable for an arbitrary CVE in an OpenShift product?
3) What efforts does Red Hat have to decrease the number of CVEs in OpenShift and OLM products over time?

Describe the impact to you or the business:
Reputational risk - having 30,000 CVEs show up in vulnerability scans we deliver to customers is hard to justify.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
Actual results:
Expected results:
Additional info:
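The report asks whether VEX data could be consumed by the scanner. As an added illustration (not code from the report, Trivy or Red Hat), the script below applies OpenVEX `not_affected` statements to a Trivy JSON report and suppresses only the CVE/package pairs a statement actually covers, so a blanket "not affected" for one library does not hide the same CVE in another. The report and VEX document are constructed samples with placeholder CVE ids and purls; the field names assume Trivy's JSON layout (`Results[].Vulnerabilities[].VulnerabilityID`, `PkgIdentifier.PURL`) and the OpenVEX v0.2.0 document shape.

```python
"""Apply OpenVEX 'not_affected' statements to a Trivy JSON report (added example)."""
import json

# Constructed sample report; shape follows Trivy's JSON output. CVE ids and
# purls are placeholders, not real findings.
TRIVY_REPORT = {"Results": [{"Target": "registry.invalid/base:4.18",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH",
         "PkgIdentifier": {"PURL": "pkg:rpm/rhel/libfoo@1.0-1"}},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "CRITICAL",
         "PkgIdentifier": {"PURL": "pkg:rpm/rhel/libbar@2.0-3"}},
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libbaz", "Severity": "HIGH",
         "PkgIdentifier": {"PURL": "pkg:rpm/rhel/libbaz@3.1-2"}}]}]}

# Constructed OpenVEX document (v0.2.0 layout): the image is declared not
# affected by CVE-0000-0001 only through the libfoo subcomponent.
OPENVEX = {"@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/placeholder-1", "author": "example", "version": 1,
    "statements": [{"vulnerability": {"name": "CVE-0000-0001"},
        "products": [{"@id": "pkg:oci/base?tag=4.18",
                      "subcomponents": [{"@id": "pkg:rpm/rhel/libfoo@1.0-1"}]}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path"}]}


def not_affected_index(vex):
    """Map CVE id -> set of subcomponent purls, or None when a statement covers every package."""
    idx = {}
    for st in vex.get("statements", []):
        if st.get("status") != "not_affected":
            continue
        cve = st["vulnerability"]["name"]
        if cve in idx and idx[cve] is None:
            continue  # already suppressed product-wide
        for prod in st.get("products", []):
            subs = prod.get("subcomponents")
            if subs:
                idx.setdefault(cve, set()).update(s["@id"] for s in subs)
            else:
                idx[cve] = None
    return idx


def filter_report(report, vex):
    """Return (kept findings, suppressed (cve, purl) pairs) after applying the VEX index."""
    idx = not_affected_index(vex)
    kept, suppressed = [], []
    for res in report.get("Results", []):
        for v in res.get("Vulnerabilities", []):
            purl = v.get("PkgIdentifier", {}).get("PURL")
            scope = idx.get(v["VulnerabilityID"], ())  # () = no statement for this CVE
            if scope is None or purl in scope:
                suppressed.append((v["VulnerabilityID"], purl))
            else:
                kept.append(v)
    return kept, suppressed
```

Trivy can also consume an OpenVEX file directly with its `--vex` option; the value of spelling the rule out as above is that the matching key (CVE id plus package purl) is explicit and auditable when a suppressed finding is questioned.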