From 51e8b4f04e286d2e82dac1aca048de16fa17764d Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Thu, 6 Jun 2024 17:01:06 +0400 Subject: [PATCH] docs: add a note about relationships Signed-off-by: knqyf263 --- docs/docs/supply-chain/vex.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/docs/supply-chain/vex.md b/docs/docs/supply-chain/vex.md index 01163f4f8811..0ceaeeeb67b3 100644 --- a/docs/docs/supply-chain/vex.md +++ b/docs/docs/supply-chain/vex.md @@ -510,6 +510,11 @@ Now, suppose a VEX statement is issued for `Module B` as follows: ``` It declares that `Module B` is not affected by CVE-XXXX-YYYY on `Module C`. + +!!! note + The VEX in this example defines the relationship between `Module B` and `Module C`. + However, as Trivy traverses all parents from vulnerable packages, it is also possible to define a VEX for the relationship between a vulnerable package and any parent, such as `Module A` and `Module C`, etc. + Mapping this VEX onto the dependency tree would look like this: ```mermaid
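Review bot: the new `!!! note` sits between "It declares that `Module B` is not affected by CVE-XXXX-YYYY on `Module C`." and "Mapping this VEX onto the dependency tree would look like this:", so "this VEX" in the sentence that follows now comes right after text about a different possible statement (`Module A` and `Module C`). A reader can no longer tell which statement the diagram maps. Consider moving the note below the mermaid diagram, or changing the following sentence to name the `Module B` statement explicitly. The closing "such as `Module A` and `Module C`, etc." is also vague for a note that people will use to decide where to attach a VEX statement. It would help to say which side of the relationship is the parent the statement is issued for and which is the vulnerable package, and to drop the trailing "etc." in favour of "any parent on the path", since the note already says Trivy traverses all parents.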