Hi,
Microsoft Defender for Cloud has a recommendation, "Container registry images should have vulnerability findings resolved", where all the vulnerabilities (CVEs) in container images are listed. Normally all these entries have a list (1:n) of references to CVEs on https://cve.mitre.org/. A few days ago, the relation switched to (0:n), and many existing entries lost their reference to the CVEs. I know this because I have software which loads this so-called "SecuritySubAssessment" via the Java SDK. Does anybody have an idea why this happened?
Edit:
After more analysis, it looks like it's somehow connected to the property "Vendor references" under "Additional information". In all cases where a CVE is set, there is also a "Vendor references" set.
On the other hand, if no CVE reference is set, only < 1% of the findings have a "Vendor references" set...