Task
Resolution: Done
Based on Red Hat's guidelines, “When you scan Red Hat products and components, Red Hat security data should be always used as the source of information. If the CVE id cannot be found in the Red Hat database and there is a chance that the Red Hat product/component is affected by the specific vulnerability, then it’s allowed to use other vulnerabilities’ databases like NVD or OSV.dev.”
The problem is that, from the customer's perspective, they obtained an image from Red Hat, and Red Hat does not list it as vulnerable to this CVE. However, when they scan it with Prisma, the CVE is reported. To them this looks like a false positive. It is also not actionable for the customer, since they cannot change Red Hat's image and it is not clear which version of the image will no longer carry this CVE.
Can you please advise on what to do in this scenario?
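To make the source-precedence rule quoted above concrete, the following is an added example (not code from this ticket, from Prisma, or from Red Hat) that triages a finding the way the guideline describes: consult the vendor (Red Hat) record first, and fall back to an upstream database such as NVD only when the vendor has no record for that CVE and package. All advisory data, CVE ids (`CVE-EXAMPLE-*`), package versions and field names are constructed for the demo and are assumptions, not the real Red Hat Security Data API or NVD schema. The version comparison is a simplified stand-in for rpmvercmp. The `upstream_only` function shows the behaviour that produces the apparent false positive: a backported fix keeps the upstream version string below the upstream "fixed" version.

```python
"""Vendor-first CVE triage for Red Hat-built components (added example).

Rule encoded: Red Hat security data decides; NVD/OSV-style upstream data is
consulted only when the vendor has no record for the CVE and package.
All data below is constructed sample data with assumed field names.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed vendor (Red Hat-style) data, keyed by CVE id then package.
# "state" mirrors the VEX-style statuses a vendor publishes per component.
RED_HAT_DATA = {
    "CVE-EXAMPLE-0001": {  # placeholder id, not a real CVE
        "openssl": {"state": "fixed", "fixed_in": "1.1.1k-7.el8_6"},
    },
    "CVE-EXAMPLE-0002": {
        "curl": {"state": "not_affected",
                 "justification": "vulnerable code not present"},
    },
}

# Constructed upstream (NVD-style) data: affected ranges are expressed in
# upstream version numbers and know nothing about vendor backports.
NVD_DATA = {
    "CVE-EXAMPLE-0001": {"openssl": {"affected_below": "1.1.1l"}},
    "CVE-EXAMPLE-0003": {"zlib": {"affected_below": "1.2.12"}},
}


@dataclass
class Verdict:
    cve: str
    package: str
    report: bool            # should the scanner surface this finding?
    source: str             # which database decided: redhat / nvd / none
    reason: str
    fixed_in: Optional[str] = None  # actionable target build, when known


def _segments(version: str):
    """Split a version into numeric and alphabetic segments."""
    return re.findall(r"\d+|[a-zA-Z]+", version)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before b. Simplified rpmvercmp: numeric
    segments compare as integers, alpha as strings, numeric beats alpha."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return int(x) < int(y)
        if x.isdigit() != y.isdigit():
            return y.isdigit()
        return x < y
    return len(sa) < len(sb)


def upstream_only(cve: str, package: str, installed: str) -> bool:
    """Naive scan: trust only the upstream range. A vendor backport such as
    1.1.1k-7.el8_6 still sorts below upstream 1.1.1l, so this flags it."""
    rng = NVD_DATA.get(cve, {}).get(package)
    return rng is not None and version_lt(installed, rng["affected_below"])


def triage(cve: str, package: str, installed: str) -> Verdict:
    """Vendor-first triage following the quoted Red Hat guideline."""
    vendor = RED_HAT_DATA.get(cve, {}).get(package)
    if vendor is not None:
        state = vendor["state"]
        if state == "not_affected":
            return Verdict(cve, package, False, "redhat",
                           "vendor states not affected: " + vendor["justification"])
        if state == "fixed":
            if version_lt(installed, vendor["fixed_in"]):
                return Verdict(cve, package, True, "redhat",
                               "installed build predates vendor fix",
                               vendor["fixed_in"])
            return Verdict(cve, package, False, "redhat",
                           "vendor fix (backport) already present")
        return Verdict(cve, package, True, "redhat",
                       "vendor confirms affected, no fix published yet")
    # No vendor record: the guideline permits falling back to NVD/OSV, but the
    # result should be marked for manual verification rather than trusted.
    rng = NVD_DATA.get(cve, {}).get(package)
    if rng is None:
        return Verdict(cve, package, False, "none",
                       "no database records this CVE for the package")
    if version_lt(installed, rng["affected_below"]):
        return Verdict(cve, package, True, "nvd",
                       "upstream range matches and vendor has no record; verify")
    return Verdict(cve, package, False, "nvd",
                   "installed version outside upstream affected range")


if __name__ == "__main__":
    for args in [("CVE-EXAMPLE-0001", "openssl", "1.1.1k-7.el8_6"),
                 ("CVE-EXAMPLE-0001", "openssl", "1.1.1k-6.el8"),
                 ("CVE-EXAMPLE-0002", "curl", "7.61.1-22.el8"),
                 ("CVE-EXAMPLE-0003", "zlib", "1.2.11-17.el8")]:
        print(upstream_only(*args), triage(*args))
```

The first sample run is the ticket's situation: `upstream_only` reports the patched openssl build because its upstream-style version is still "below" the upstream fix, while `triage` returns no finding because the vendor record says the backport is present. When the vendor does flag the build as predating the fix, the verdict carries `fixed_in`, which is the actionable detail the customer is missing.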