vex: only check vendor_fix remediations#1904
Adding the fragment to links breaks existing deduping logic in stackrox.
Keeping the fragment in links would require a stackrox re-work and a v3 vuln bundle to not introduce 'duplicate' vulns into existing deployments.
Given that fragments can appear naturally in URLs, a client may not be able to reliably extract the product ID without making assumptions (i.e. product ID is a fragment appended to links for the RH VEX domain+path, which will need to be updated any time that changes).
Is the placement of the product ID worth a revisit? Perhaps a dedicated field or general metadata? Making the product ID available to clients in a reliable way could be a step towards making results explainable.
RHSA links were being lost for vulnerabilities where the productID had multiple remediations and the last one (without a `url`) was winning. This change modifies populateRemediations to only consider `vendor_fix` remediations. Signed-off-by: crozzy <joseph.crosland@gmail.com>
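As an added illustration of the bug the description reports (example code, not claircore's own populateRemediations), assuming a CSAF-style remediation record with a category, an optional url and a list of product_ids: the first function lets the last remediation naming a product win, the second keeps only vendor_fix entries.

```go
package main

import "fmt"

// Remediation holds the CSAF VEX remediation fields relevant here (constructed type, not claircore's).
type Remediation struct {
	Category   string   // CSAF remediation category, e.g. "vendor_fix", "workaround"
	URL        string   // advisory link such as an RHSA URL; may be empty
	ProductIDs []string // CSAF product_ids this remediation applies to
}

// linksLastWins reproduces the behaviour described in the PR: every remediation
// naming the product overwrites its link, so a later entry without a URL erases it.
func linksLastWins(rems []Remediation) map[string]string {
	links := map[string]string{}
	for _, r := range rems {
		for _, pid := range r.ProductIDs {
			links[pid] = r.URL
		}
	}
	return links
}

// linksVendorFixOnly applies the fix: only vendor_fix remediations are
// considered, so non-fix entries cannot clobber the advisory link.
func linksVendorFixOnly(rems []Remediation) map[string]string {
	links := map[string]string{}
	for _, r := range rems {
		if r.Category != "vendor_fix" {
			continue
		}
		for _, pid := range r.ProductIDs {
			links[pid] = r.URL
		}
	}
	return links
}

// sampleRemediations is constructed input (placeholder advisory URL): a vendor fix
// with a link, followed by a workaround for the same product with no URL.
var sampleRemediations = []Remediation{
	{Category: "vendor_fix", URL: "https://access.redhat.com/errata/RHSA-XXXX:YYYY", ProductIDs: []string{"prod-a", "prod-b"}},
	{Category: "workaround", URL: "", ProductIDs: []string{"prod-a"}},
}

func main() {
	fmt.Println(linksLastWins(sampleRemediations)["prod-a"])      // "" (link lost)
	fmt.Println(linksVendorFixOnly(sampleRemediations)["prod-a"]) // advisory link kept
}
```

Note that two vendor_fix entries for one product would still be resolved last-wins; the filter only removes the non-fix categories that caused the lost links.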
@dcaravel I believe this subsequent PR should address these concerns: #1918
/fast-forward
Triggered from #1904 (comment) by @crozzy. Trying to fast forward

Target branch:
commit 5463b737ba7fa9c02a56b503e0306fbd0132fc55 (HEAD -> main, origin/main)
Author: dependabot[bot] <dependabot[bot]@users.noreply.github.com>
Date: Fri Jun 12 18:15:08 2026 +0000
chore(deps): bump the golang-x group across 1 directory with 2 updates
Bumps the golang-x group with 2 updates in the / directory: [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/tools](https://github.com/golang/tools).
Updates `golang.org/x/net` from 0.55.0 to 0.56.0
- [Commits](https://github.com/golang/net/compare/v0.55.0...v0.56.0)
Updates `golang.org/x/tools` from 0.45.0 to 0.46.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.45.0...v0.46.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-version: 0.56.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x
- dependency-name: golang.org/x/tools
dependency-version: 0.46.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x
...
Signed-off-by: dependabot[bot] <support@github.com>

Pull request:
commit 8c73a7e20d31c1eb5293a0e3fc8344b176e6172b (pull_request/fix-vex-link-bugs)
Author: Joseph Crosland <jcroslan@redhat.com>
Date: Wed Jun 3 08:40:27 2026 -0700
vex: only check vendor_fix remediations
RHSA links were being lost for vulnerabilities where the productID had
multiple remediations and the last one (without a `url` was winning).
This change modifies populateRemediations to only consider `vendor_fix`
remediations.
Signed-off-by: crozzy <joseph.crosland@gmail.com>

Fast forwarding
$ git push origin 8c73a7e20d31c1eb5293a0e3fc8344b176e6172b:main
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: Review all repository rules at https://github.com/quay/claircore/rules?ref=refs%2Fheads%2Fmain
remote:
remote: - Waiting on code owner review from quay/clair.
remote:
To https://github.com/quay/claircore.git
! [remote rejected] 8c73a7e20d31c1eb5293a0e3fc8344b176e6172b -> main (push declined due to repository rule violations)
error: failed to push some refs to 'https://github.com/quay/claircore.git'