File: content/manuals/dhi/core-concepts/vex.md
Issue
The VEX status reference section states "DHI uses three of the four OpenVEX status values" but only lists three values in the table:
| Status | Meaning |
|---|---|
| `not_affected` | The CVE was reported against a package in the image, but Docker has assessed it is not exploitable as shipped |
| `under_investigation` | Docker is aware of the CVE and is actively evaluating whether it affects the image |
| `affected` | Docker has confirmed the CVE is exploitable in the image and a fix is not yet available |
The document then has a separate section titled "Why DHI does not use `fixed`" which explains the fourth status value.
Why this matters
Readers familiar with the OpenVEX specification expect to see all four standard status values documented before learning which ones DHI uses. The current structure:
- Claims to list "three of the four" values but doesn't show what the fourth one is
- Makes readers infer that `fixed` is the missing fourth value rather than stating it explicitly
- Creates unnecessary confusion about what the complete set of OpenVEX status values includes
A reader trying to understand the full OpenVEX status model and how DHI uses it has to piece together information from two separate sections.
Suggested fix
Add the `fixed` status to the reference table with a note indicating DHI doesn't use it, then reference the explanation below. For example:
## VEX status reference
Each VEX statement includes a `status` field that records Docker's
exploitability assessment for a given CVE and image. OpenVEX defines four status values. DHI uses three of them:
| Status | Meaning | Used by DHI |
|---|---|---|
| `not_affected` | The CVE was reported against a package in the image, but Docker has assessed it is not exploitable as shipped | Yes |
| `under_investigation` | Docker is aware of the CVE and is actively evaluating whether it affects the image | Yes |
| `affected` | Docker has confirmed the CVE is exploitable in the image and a fix is not yet available | Yes |
| `fixed` | The vulnerability has been remediated in this version | No (see below) |
Then keep the existing "Why DHI does not use `fixed`" section as the explanation.
Found by nightly documentation quality scanner