Update scanning-vendors.md

oaubrey · oaubrey · commit 24e75b0ed3ef · 2025-10-28T10:31:36.000-07:00
diff --git a/docs/scanning-vendors.md b/docs/scanning-vendors.md
@@ -182,12 +182,12 @@ Labels:      License=GPLv2+
  
 From the output above, we can determine the following information for this image:
 
-* Container Name and Repository: `Name:   registry.redhat.io/openshift4/ose-console-rhel9@sha256:4a6ea66336fc875f84f24bf9ebfdf5b7c166eb19dd68d88ec6035392162b4c5a` 
-  * Name: `ose-console-rhel9`
-  * Repository: `registry.redhat.io/openshift4/ose-console-rhel9`
-* Container Architecture: `Arch: amd64` 
-* Container Tag: `release=202409181705.p0.g0b1616c.assembly.stream.el9`
-* OpenShift version: `version=v4.16.0`
+  * Container Name and Repository: `Name:   registry.redhat.io/openshift4/ose-console-rhel9@sha256:4a6ea66336fc875f84f24bf9ebfdf5b7c166eb19dd68d88ec6035392162b4c5a` 
+    * Name: `ose-console-rhel9`
+    * Repository: `registry.redhat.io/openshift4/ose-console-rhel9`
+  * Container Architecture: `Arch: amd64`
+  * Container Tag: `release=202409181705.p0.g0b1616c.assembly.stream.el9`
+  * OpenShift version: `version=v4.16.0`
 
 Using this information, we can represent this container image with the following purl.
 ```
@@ -399,13 +399,13 @@ found [here](https://redhatproductsecurity.github.io/security-data-guidelines/cs
 #### CPEs in CSAF-VEX
 CPEs in CSAF advisories and VEX data are represented slightly different based on fix status.
 
-* Unfixed: Includes the `under_investigation`, `known_affected` and most `known_not_affected` product statuses
-  * Product version: Unfixed products will only include the major product version in the CPE
-  * Channel specifiers: Channel specifiers will not be included in CPEs (only applicable to RHEL 9 and before)
-* Fixed: Includes all `fixed` product status and the occasional `known_not-affected` product statuses
-  * Product version:
-    * RHEL 9 and before: Fixed products will include a major version for main stream products and a major and minor version for xUS streams
-    * RHEL 10: Fixed products will include a major and minor version for both main and xUS streams
+  * Unfixed: Includes the `under_investigation`, `known_affected` and most `known_not_affected` product statuses
+    * Product version: Unfixed products will only include the major product version in the CPE
+    * Channel specifiers: Channel specifiers will not be included in CPEs (only applicable to RHEL 9 and before)
+  * Fixed: Includes all `fixed` product status and the occasional `known_not-affected` product statuses
+    * Product version:
+      * RHEL 9 and before: Fixed products will include a major version for main stream products and a major and minor version for xUS streams
+      * RHEL 10: Fixed products will include a major and minor version for both main and xUS streams
     * Channel specifiers: Channel specifiers will be included for CPEs (only applicable to RHEL 9 and before)
 
 #### CPE Matching Logic
@@ -484,13 +484,13 @@ components and then format the appropriate purls to match to `product_version` e
 #### Purls in CSAF-VEX
 Similarly to CPEs, purls in CSAF advisories and VEX data are represented differently based on fix status.
 
-* Unfixed: Includes the `under_investigation`, `known_affected` and most `known_not_affected` product statuses
-  * Component version: All unfixed components, both `rpm` and `oci` purl formats will not include any component versioning
-  * Architecture: SRPMs will have the qualifier `arch=src`, but both binary RPMs and container will not include any
-    architecture information
-* Fixed: Includes all `fixed` product status and the occasional `known_not_affected` product statuses
-  * Component version: All fixed components will include versioning in  the `rpm` and `oci` purl formats
-  * Architecture: All fixed components will include architecture information in the `rpm` and `oci` purl formats
+  * Unfixed: Includes the `under_investigation`, `known_affected` and most `known_not_affected` product statuses
+    * Component version: All unfixed components, both `rpm` and `oci` purl formats will not include any component versioning
+    * Architecture: SRPMs will have the qualifier `arch=src`, but both binary RPMs and container will not include any
+      architecture information 
+  * Fixed: Includes all `fixed` product status and the occasional `known_not_affected` product statuses
+    * Component version: All fixed components will include versioning in  the `rpm` and `oci` purl formats
+    * Architecture: All fixed components will include architecture information in the `rpm` and `oci` purl formats
 
 #### Purl Matching Logic
 As seen above, purls in CSAF advisories and VEX files can be represented differently based on fix status. When attempting
