Ticket
Resolution: Done
Hi team,
In order to make our vulnerability reports more accurate, we are fixing some logic in how we report vulnerabilities of OpenShift non-RPM images.
I've understood that, for example, vulnerabilities which are reported on the image:
registry.redhat.io/openshift4/ose-console
with the tag: v4.15.0-202404030309.p0.geb9d956.assembly.stream.el8
should only be reported on images with the version v4.15.0-* (and not on v.4.14.0-*, v.4.13.0-* and so on).
When consuming VEX advisories, is there an exact way to know for which images that logic applies? Or maybe we can say for sure that it applies to all images?
Another way to put it: is there a deterministic way to know if an image is a non-RPM OpenShift image? Maybe based on the repoURL? If so, I guess I can assume this logic on the image.
This is important because if there are non-RPM images to which this logic doesn't apply, it can cause us to miss affecting vulnerabilities, which will result in false negatives in our product.
Thanks
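As an added example (not code from the ticket, from Red Hat, or from any VEX tooling), the stream rule described above, applied conservatively: the tag layout regex is derived only from the one tag quoted in the ticket, and the `image_is_non_rpm` flag is a hypothetical input that the caller must establish elsewhere, since the ticket leaves open how to determine it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed regex for the tag layout quoted in the ticket, e.g.
# v4.15.0-202404030309.p0.geb9d956.assembly.stream.el8
TAG_RE = re.compile(
    r"^v(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<build>[^.]+)(?:\.(?P<rest>.+))?)?$"
)


@dataclass(frozen=True)
class OcpTag:
    major: int
    minor: int
    patch: int
    build: Optional[str]


def parse_tag(tag: str) -> Optional[OcpTag]:
    """Return the parsed tag, or None if it does not follow the vX.Y.Z-build layout."""
    m = TAG_RE.match(tag)
    if not m:
        return None
    return OcpTag(int(m["major"]), int(m["minor"]), int(m["patch"]), m["build"])


def same_stream(advisory_tag: str, image_tag: str) -> Optional[bool]:
    """True if both tags share the vX.Y stream, False if not, None if either is unparseable.

    None (rather than False) keeps an unknown tag layout from silently suppressing a finding.
    """
    a, b = parse_tag(advisory_tag), parse_tag(image_tag)
    if a is None or b is None:
        return None
    return (a.major, a.minor) == (b.major, b.minor)


def should_report(advisory_tag: str, image_tag: str, image_is_non_rpm: Optional[bool]) -> bool:
    """Apply the stream rule only when the image is known to be a non-RPM OpenShift image.

    image_is_non_rpm is a hypothetical flag decided by the caller; when it is unknown (None)
    or the tag cannot be parsed, report anyway: a false positive is cheaper than a missed CVE.
    """
    if image_is_non_rpm is not True:
        return True
    match = same_stream(advisory_tag, image_tag)
    return True if match is None else match
```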