Merge pull request #100 from chainguard-dev/tazinprogga-patch-1

pdeslaur · web-flow · commit 9c6fa67022dd · 2026-01-06T12:17:36.000-08:00
Update scanning_implementation.md
diff --git a/libraries/scanning_implementation.md b/libraries/scanning_implementation.md
@@ -21,7 +21,7 @@ Use your scanner's existing methods to detect library packages. The key requirem
 
 - **Python**: `werkzeug==3.0.2+cgr.0` (the `+cgr.0` suffix is critical)
 
-**Important:** Remediated packages use local version identifiers (e.g., `+cgr.0`) to distinguish them from upstream versions. Your scanner must preserve these identifiers to correctly match VEX statements.
+**Important:** Remediated packages use local version identifiers (e.g., `+cgr.0`) to distinguish them from upstream versions. Your scanner must preserve these identifiers to correctly match VEX statements. The version identifier can be accessed from a lock file and/or after the dependency resolution step for ingestion.
 
 When scanning declared dependencies (like `requirements.txt`), be aware that the declared version may differ from the actually installed version. For best results, scan the installed environment (Python virtual environments) rather than just lock files.
 
