We are running into some issues when scanning containers, in order to find vulnerabilities on third-party dependencies.
First, I'd like to know how this works. Is it possible that this feature looks for dependencies added in Dockerfiles only?
This is the situation: I have a container with known vulnerabilities. I triggered the scan, and it found vulnerabilities I was not expecting to find, since they are not part of the jars present in the container.
I have listed all the jars in the container, and none of the dependencies that Qualys reported are there; after a deeper analysis, I found that they are present in the Dockerfile only.
So, my question is: why are all these jars, present in the container, skipped? Is it expected, or is there something we need to set up in order to include them in the scan?