When using container image vulnerability scanners like Trivy, a large number of vulnerabilities may be detected. However, not all of them necessarily require an action. This is because not all libraries or command-line tools included in the container image are actually utilized. For example, the `python:3.12.4` image includes a `git` binary with the vulnerability CVE-2024-32002. This vulnerability does not need an immediate action if it is known that the Python application being run does not execute `git` commands. VEX (Vulnerability-Exploitability eXchange) formats such as OpenVEX can be used to suppress such false alarms. However, VEX is still not widely adopted due to the difficulty of manual analysis and classification of vulnerabilities. This presentation introduces VexLLM, a tool that helps writing VEX by leveraging LLMs. VexLLM is available as a plugin for Trivy. GitHub: https://github.com/AkihiroSuda/vexllm https://kccncjpn2025.sched.com/event/1x70c

1. VexLLM: Silence Negligible CVE Alerts using LLM
Akihiro Suda (NTT)
akihiro.suda.cz@hco.ntt.co.jp
KubeCon Japan (2025-06-16)
https://github.com/AkihiroSuda/vexllm

2. • Container image scanners such as Trivy
produce an extreme amount of vuln alerts
• But you do NOT need to care all of them
– You don’t actually use all the command line tools in the image
– You don’t actually use all the functions of all the libraries in the image
• Only 3% of vulns are actually exploitable [1] [2]
2
Background: too many vuln alerts

3. • Example: python:3.12.4 image contains a git binary with
CVE-2024-32002 (9.0 CRITICAL)
– A vuln about git submodules and symbolic links
– No need to care, if you are sure that you won’t run git in this image
– Even if you run git, if the target repository is hard-coded, the
likelihood of compromise isn’t necessarily high
– No need to panic just because the CVSSv3 score is 9.0
3
Background: too many vuln alerts

4. • VEX: Vulnerability-Exploitability exChange
– List of unexploitable vulnerabilities
– Useful for suppressing false alerts
• Several specifications
– e.g., OpenVEX, CycloneDX, SPDX, CSAF
– .trivyignore file can be also regarded as the simplest form of VEX
(in the broadest sense)
• Maintaining a VEX file manually is quite cumbersome
when you have hundreds or thousands of alerts
4
VEX can suppress false alerts

5. • https://github.com/AkihiroSuda/vexllm
• Let an LLM generate a draft of a VEX
• Hints can be provided via CLI arguments
5
VexLLM
vexllm generate python.json .trivyignore
--hint-not-server
--hint-compromise-on-availability
--hint-used-commands=python3
--hint-unused-commands=git,wget,curl,apt,apt-get

6. • https://github.com/AkihiroSuda/vexllm
• Let an LLM generate a draft of a VEX
• Hints can be provided via CLI arguments
6
VexLLM
vexllm generate python.json .trivyignore
--hint-not-server
--hint-compromise-on-availability
--hint-used-commands=python3
--hint-unused-commands=git,wget,curl,apt,apt-get
Input (Trivy’s JSON) Output
Not a server program
Service availability
may matter less
than information
leakage and
tampering
100% sure used commands
100% sure unused ones

7. 7
Example output from LLM (python:3.12.4)
{
"vulnId": "CVE-2024-32002",
"exploitable": false,
"confidence": 1.0,
"reason": "This vulnerability is negligible because
the affected command 'git' is explicitly marked as
unused in the context of this container image. Since the
container does not utilize git, any vulnerabilities
associated with it cannot be exploited."
}
High/Critical alerts: 549 → 1

8. • No constant output
• Many false positives, as well as false negatives
• Needs to be reviewed by humans
8
Don’t trust LLM too much

9. • LangChainGo is used as an abstraction library for several LLMs
(GPT, Gemini, Claude, Ollama, …)
• Ollama works with several local LLMs, including Open Source ones
– Mistral (Apache 2.0), Phi (MIT), Qwen (Apache 2.0), …
– 10B-class models work well even on a recent laptop
• VexLLM parses JSON outputs from LLMs
– Hard to enforce a JSON schema by prompt engineering,
especially for local LLMs
– Tokens that violate the schema are rejected on the GGML level
– LangChainGo needs to be patched (PR #1302)
9
Implementation details

10. • Quantitative evaluation of false positives and false negatives
• More tight integration with the Trivy CLI
• Allow maintaining hint files on VEX Hub repositories
• Promote adoption in various OSS communities
10
TODO

11. • Not every vuln is a threat for you
• LLM can generate a draft of the negligible vuln list for you
• The output still has to be reviewed by humans
• Tool: https://github.com/AkihiroSuda/vexllm
11
Wrap-up