missing CVE data

[mcandre]

Docker Scout treats images vulnerable to CVE-2025-11579 as having a clean bill of health with no CVE's.

Whereas Snyk Container identifies this, and other CVE's in the Snyk Vulnerability Database.

https://www.cve.org/CVERecord?id=CVE-2025-11579

https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMNWAPLESRARDECODEV2-13537508

Can we please sync more data between the Docker Scout and Snyk databases? As a developer, it's confusing to see mutually exclusive security reports. Very, very, very often, Docker Scout and Snyk report completely different sets of CVE's.

[cdupuis]

@mcandre, thanks for raising this. Scout has the same CVE as Snyk at https://scout.docker.com/vulnerabilities/id/CVE-2025-11579. Could you point me at an image where Scout is not reporting this CVE but Snyk is? Thanks.

[mcandre]

Interesting.

I saw the gap appear in several different places:

• go.mod
• go.sum
• vendor from go mod vendor
• Go executables built with rardecode dependencies
• fs://. with the above, such as a git repository clone

Docker Scout has ample SBOM files on both inages and hosts to trigger a finding, but it never does.

The image and host directory tree involved are enterprise projects.