Security Data
SECDATA-696

Correlating attributes from 'docker describe' to vulnerabilities listed in VEX


Type: Task
Resolution: Done

In general, we want to understand how to correlate the attributes of registry.redhat.io/openshift4/ose-console:v4.14.0-202405081840.p0.g2741f59.assembly.stream.el8 (taken from docker describe) to the exact vulnerabilities listed in this VEX file (https://access.redhat.com/security/data/csaf/v2/vex/2023/cve-2023-44487.json).
What are the steps involved? Should we use CPE matching for non-RPM images as well? If so, how?

In SECDATA-687, Justin mentioned a repository named odf4/rook-ceph-rhel8-operator, but we don't understand how to relate it to the customer's container we are scanning (registry.redhat.io/openshift4/ose-console:v4.14.0...). He also mentioned a container-name-repos-map.json that should be used for the mapping, but this is unclear to us as well.

Thank you!

Assignee: Justin Spencer (rhn-support-juspence)
Reporter: Tom Prenderville (tprendervill@paloaltonetworks.com)
Votes: 0
Watchers: 4
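As an added illustration (not part of the ticket, and not Red Hat tooling), the Python below walks a CSAF 2.0 VEX document the way files under /security/data/csaf/v2/vex/ are laid out: product IDs and their purl/cpe identification helpers sit in product_tree.branches, product_tree.relationships binds a container component to the platform product it ships in, and vulnerabilities[].product_status lists the combined "platform:component" IDs, so matching on the repository_url of the OCI purl ties a status back to the image name seen in the registry. The document is a constructed, trimmed-down sample; the product IDs, digest and tag are placeholders, not values from the real CVE-2023-44487 file.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed, trimmed-down CSAF 2.0 VEX document in the shape of Red Hat's
# /security/data/csaf/v2/vex/ files (product IDs, digest and tag are placeholders).
SAMPLE_VEX = json.loads(r'''{
 "document": {"tracking": {"id": "CVE-2023-44487"}},
 "product_tree": {
  "branches": [{"category": "vendor", "name": "Red Hat", "branches": [
   {"category": "product_name", "name": "Red Hat OpenShift Container Platform 4.14", "product": {
    "name": "Red Hat OpenShift Container Platform 4.14", "product_id": "8Base-RHOSE-4.14",
    "product_identification_helper": {"cpe": "cpe:/a:redhat:openshift:4.14::el8"}}},
   {"category": "architecture", "name": "amd64", "branches": [
    {"category": "product_version", "name": "openshift4/ose-console@sha256:PLACEHOLDER", "product": {
     "name": "openshift4/ose-console@sha256:PLACEHOLDER", "product_id": "openshift4/ose-console@sha256:PLACEHOLDER",
     "product_identification_helper": {"purl": "pkg:oci/ose-console@sha256%3APLACEHOLDER?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-console&tag=v4.14.0-PLACEHOLDER"}}}]}]}],
  "relationships": [{"category": "default_component_of", "product_reference": "openshift4/ose-console@sha256:PLACEHOLDER",
   "relates_to_product_reference": "8Base-RHOSE-4.14", "full_product_name": {"name": "ose-console as a component of OpenShift 4.14",
   "product_id": "8Base-RHOSE-4.14:openshift4/ose-console@sha256:PLACEHOLDER"}}]},
 "vulnerabilities": [{"cve": "CVE-2023-44487", "product_status": {"fixed": ["8Base-RHOSE-4.14:openshift4/ose-console@sha256:PLACEHOLDER"]}}]}''')

def index_helpers(tree):
    """Map product_id -> product_identification_helper for every leaf in the branch tree."""
    helpers, stack = {}, list(tree.get("branches", []))
    while stack:
        b = stack.pop()
        if "product" in b:
            helpers[b["product"]["product_id"]] = b["product"].get("product_identification_helper", {})
        stack.extend(b.get("branches", []))
    return helpers

def split_relationship(tree, full_id):
    """Resolve a 'platform:component' product_status id into (platform_id, component_id)."""
    for r in tree.get("relationships", []):
        if r["full_product_name"]["product_id"] == full_id:
            return r["relates_to_product_reference"], r["product_reference"]
    return None, full_id  # the id names a product directly, not a relationship

def statuses_for_repository(vex, repository_url):
    """Return {status: [(platform cpe, component purl)]} for OCI purls carrying this repository_url."""
    tree, helpers, hits = vex["product_tree"], index_helpers(vex["product_tree"]), {}
    for vuln in vex["vulnerabilities"]:
        for status, ids in vuln.get("product_status", {}).items():
            for full_id in ids:
                platform, component = split_relationship(tree, full_id)
                purl = helpers.get(component, {}).get("purl", "")
                if purl.startswith("pkg:oci/") and repository_url in parse_qs(urlparse(purl).query).get("repository_url", []):
                    hits.setdefault(status, []).append((helpers.get(platform, {}).get("cpe"), purl))
    return hits
```

Running statuses_for_repository(SAMPLE_VEX, "registry.redhat.io/openshift4/ose-console") reports the image as "fixed" together with the platform CPE it inherits through the relationship; a repository that is not in the product tree yields an empty result rather than a guess.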