STAC-25092: vex GO-2026-4610 and CVE-2026-12003 in stackstate-k8s-agent #20

Merged
dottorblaster merged 2 commits into main from STAC-25092-docker-cli-python-main-agent on Jun 22, 2026

Conversation

@dottorblaster

Member

No description provided.

@dottorblaster dottorblaster self-assigned this Jun 22, 2026
@dottorblaster dottorblaster requested a review from a team as a code owner June 22, 2026 13:27
@LouisLotter

Contributor

Tested this against the current dev-chart agent image from today's scan:

quay.io/stackstate/stackstate-k8s-agent:18041034

Result:

  • GO-2026-4610 is suppressed correctly by this PR.
  • CVE-2026-12003 is not suppressed as submitted, because the current image contains python 3.13.13 while the new statement only scopes the subcomponent as pkg:generic/python@3.12.11.
  • The author-tested image quay.io/stackstate/stackstate-k8s-agent:e707010c-amd64 does suppress both, so the VEX shape is fine; it is just stale for the latest dev-chart agent image.

I tested the minimal fix locally by adding pkg:generic/python@3.13.13 alongside pkg:generic/python@3.12.11 in all three CVE-2026-12003 product subcomponent lists. With that change:

  • python CVE-2026-12003 is suppressed by Grype.
  • github.com/docker/cli GO-2026-4610 remains suppressed by Grype.
  • Normal Grype output for stackstate-k8s-agent:18041034 then only shows the two remaining containerd findings:
    • GHSA-xhf5-7wjv-pqxp
    • GHSA-jpcc-p29g-p8mq
  • Trivy with the same corrected VEX also only reports the expected containerd findings:
    • CVE-2026-53488
    • CVE-2026-47262

Minimal patch shape:

           "subcomponents": [
             {
               "@id": "pkg:generic/python@3.12.11"
+            },
+            {
+              "@id": "pkg:generic/python@3.13.13"
             }
           ]
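Review bot: the hunk shows a single subcomponent list, but the fix has to land in all three product entries of the CVE-2026-12003 statement (quay, Rancher registry and bare OCI), so whoever applies it from this snippet should patch every `"@id": "pkg:generic/python@3.12.11"` under that statement rather than the first match; a product entry left without `pkg:generic/python@3.13.13` keeps the finding unsuppressed for that image reference. Pinning exact interpreter versions also means the statement goes stale again on the next Python bump, as it did between e707010c-amd64 and 18041034, so re-running Grype and Trivy with the VEX against the current dev-chart image, as done above, is the check that catches it.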

This should be applied to the quay, Rancher registry, and bare OCI product entries for the CVE-2026-12003 statement.
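The mismatch described in this comment (a VEX statement that scopes the subcomponent to one Python purl while the scanned image ships another) can be caught mechanically before the scanners are run. The script below is an added example, not code from the PR or the stackstate-k8s-agent repository: it builds a constructed OpenVEX document in the stale shape, reports which product entries of the CVE-2026-12003 statement do not scope a given subcomponent purl, and applies the "minimal patch shape" to every product entry at once. The document `@id`, `author`, and the Rancher-registry and bare-OCI product `@id`s are placeholders, since the PR names those entries but does not show their purls.

```python
"""Added example: check that an OpenVEX statement scopes a subcomponent purl
for every product entry it covers, and add the purl where it is missing.

The VEX document is a constructed stand-in for the repository's file; the
product @ids for the Rancher registry and bare OCI entries are placeholders.
"""
import copy
import json

# Constructed OpenVEX document in the stale shape described in the comment:
# every product entry scopes only pkg:generic/python@3.12.11.
STALE_VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/stackstate-k8s-agent",  # placeholder
    "author": "example-author",  # placeholder
    "timestamp": "2026-06-22T00:00:00Z",
    "version": 1,
    "statements": [
        {
            "vulnerability": {"name": "CVE-2026-12003"},
            "products": [
                {"@id": pid, "subcomponents": [{"@id": "pkg:generic/python@3.12.11"}]}
                for pid in (
                    # quay entry, based on the image name in the comment
                    "pkg:oci/stackstate-k8s-agent?repository_url=quay.io/stackstate/stackstate-k8s-agent",
                    # Rancher registry entry: placeholder host
                    "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.example/stackstate",
                    # bare OCI entry: placeholder
                    "pkg:oci/stackstate-k8s-agent",
                )
            ],
            "status": "not_affected",
            "justification": "vulnerable_code_not_present",
        }
    ],
}


def products_missing_subcomponent(vex, vuln_name, subcomponent_purl):
    """Return the product @ids in every statement for vuln_name whose
    subcomponent list does not contain subcomponent_purl.

    An empty list means the version found in the scanned image is scoped
    under every product entry, so Grype/Trivy can match the statement."""
    missing = []
    for stmt in vex.get("statements", []):
        if stmt.get("vulnerability", {}).get("name") != vuln_name:
            continue
        for product in stmt.get("products", []):
            purls = {sc.get("@id") for sc in product.get("subcomponents", [])}
            if subcomponent_purl not in purls:
                missing.append(product["@id"])
    return missing


def add_subcomponent(vex, vuln_name, subcomponent_purl):
    """Return a deep copy of vex in which every product entry of the
    statements for vuln_name also scopes subcomponent_purl. Existing purls are
    kept (the older Python stays covered) and the call is idempotent."""
    fixed = copy.deepcopy(vex)
    for stmt in fixed["statements"]:
        if stmt["vulnerability"]["name"] != vuln_name:
            continue
        for product in stmt["products"]:
            subs = product.setdefault("subcomponents", [])
            if all(sc.get("@id") != subcomponent_purl for sc in subs):
                subs.append({"@id": subcomponent_purl})
    return fixed


if __name__ == "__main__":
    # Version reported for the 18041034 image in the comment above.
    image_python = "pkg:generic/python@3.13.13"
    print("stale, uncovered products:",
          products_missing_subcomponent(STALE_VEX, "CVE-2026-12003", image_python))
    fixed = add_subcomponent(STALE_VEX, "CVE-2026-12003", image_python)
    print("fixed, uncovered products:",
          products_missing_subcomponent(fixed, "CVE-2026-12003", image_python))
    print(json.dumps(fixed["statements"][0]["products"][0], indent=2))
```

Run it against the real VEX file by loading it with `json.load` in place of `STALE_VEX`, and feed it the Python purl that the scanner's SBOM reports for the image under test; a non-empty result from `products_missing_subcomponent` is exactly the "VEX shape is fine but stale" situation observed here.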

@dottorblaster dottorblaster merged commit 649307d into main Jun 22, 2026
1 check passed
@dottorblaster dottorblaster deleted the STAC-25092-docker-cli-python-main-agent branch June 22, 2026 15:03