
V1.20 reports not consistent with scout.docker.com #232

Description

@darkedges

Take a look at https://scout.docker.com/reports/org/darkedges/images/host/hub.docker.com/repo/darkedges%2Fpingaccess/tag/8.3.4-hi/digest/sha256%3Aecc648a974434c9cc9bdafe6fa32563a7a8c3f8ec8b4c52dc969216a477d4487/exceptions

it reports:

[screenshot of the scout.docker.com report]

but when run via the command line

docker scout cves darkedges/pingaccess:8.3.4-hi
    i New version 1.21.0 available (installed version is 1.20.0) at https://github.com/docker/scout-cli
    v SBOM obtained from attestation, 278 packages found
    v Provenance obtained from attestation
    v VEX statements obtained from attestation
    x Detected 29 vulnerable packages with a total of 52 vulnerabilities
[screenshot of the CLI output]

When I get and use the VEX locally

docker scout vex get darkedges/pingaccess:8.3.4-hi --output pa-vex.json
    i New version 1.21.0 available (installed version is 1.20.0) at https://github.com/docker/scout-cli
    v SBOM obtained from attestation, 278 packages found
    v Provenance obtained from attestation
    v Found 53 VEX attestations for image
    v Report written to pa-vex.json

docker scout cves darkedges/pingaccess:8.3.4-hi --vex-location pa-vex.json
    i New version 1.21.0 available (installed version is 1.20.0) at https://github.com/docker/scout-cli
    v SBOM obtained from attestation, 278 packages found
    v Provenance obtained from attestation
    v Loaded 1 VEX document
    v VEX statements obtained from attestation
    x Detected 8 vulnerable packages with a total of 6 vulnerabilities
[screenshot of the CLI output]

it appears that I am not able to get a consistent view.

  • CLI without a local VEX shows all vulnerabilities despite their having a status of not affected [vulnerable code not in execute path]
  • CLI with the local VEX extracted from the container shows more vulnerabilities than the web interface.

VEX statements are at https://github.com/darkedges/trivy-vex-demo/blob/main/vex/statements-scout-darkedges/
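The three counts in the report above differ because each consumer applies (or does not apply) the VEX statements to the same scanner findings. The script below is an added example, not Docker Scout's code and not the reporter's statements: it applies a constructed OpenVEX document to a constructed list of findings following the OpenVEX product-matching rule (the statement's `vulnerability.name` must match, the `products[].@id` must match the image purl, and when `subcomponents` are listed the vulnerable package purl must be among them), treats `not_affected` and `fixed` as suppressing, and reports the before/after package and vulnerability counts. The image purls, package purls and CVE ids are placeholders. One thing this makes visible is that a statement written for a different image digest suppresses nothing under the spec's rule, which is worth checking with a local document before comparing tool outputs.

```python
"""Apply OpenVEX statements to scanner findings and report the resulting counts.

Added example for this issue. It is not Docker Scout code and makes no claim
about Scout's own matching; it follows the OpenVEX product/subcomponent rule.
"""
import json

# Constructed identifiers: a hypothetical image digest and a second, unrelated one.
IMAGE_PURL = "pkg:docker/example/app@sha256:" + "0" * 64
OTHER_IMAGE_PURL = "pkg:docker/example/app@sha256:" + "1" * 64

# Constructed OpenVEX document (not the reporter's real statements).
OPENVEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/demo-1",
    "author": "example maintainer",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {   # matches the image and the exact vulnerable package -> suppressed
            "vulnerability": {"name": "CVE-2000-0001"},
            "products": [{"@id": IMAGE_PURL,
                          "subcomponents": [{"@id": "pkg:maven/org.example/liba@1.0"}]}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {   # written for a different digest -> must not suppress anything here
            "vulnerability": {"name": "CVE-2000-0002"},
            "products": [{"@id": OTHER_IMAGE_PURL}],
            "status": "not_affected",
            "justification": "component_not_present",
        },
        {   # explicitly affected -> stays in the report
            "vulnerability": {"name": "CVE-2000-0003"},
            "products": [{"@id": IMAGE_PURL}],
            "status": "affected",
        },
        {   # whole-image statement without subcomponents -> covers any package
            "vulnerability": {"name": "CVE-2000-0004"},
            "products": [{"@id": IMAGE_PURL}],
            "status": "fixed",
        },
    ],
}

# Constructed scanner findings as (vulnerability id, package purl) pairs.
FINDINGS = [
    ("CVE-2000-0001", "pkg:maven/org.example/liba@1.0"),
    ("CVE-2000-0001", "pkg:maven/org.example/libb@2.0"),  # same CVE, other package
    ("CVE-2000-0002", "pkg:maven/org.example/libc@3.0"),
    ("CVE-2000-0003", "pkg:maven/org.example/libd@4.0"),
    ("CVE-2000-0004", "pkg:maven/org.example/libe@5.0"),
    ("CVE-2000-0005", "pkg:maven/org.example/libf@6.0"),  # no statement at all
]

# Statuses that remove a finding from the report; affected/under_investigation keep it.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def statement_applies(stmt, image_purl, vuln_id, pkg_purl):
    """OpenVEX matching: vulnerability name, product purl and (if listed) subcomponent."""
    if stmt.get("vulnerability", {}).get("name") != vuln_id:
        return False
    for product in stmt.get("products", []):
        if product.get("@id") != image_purl:
            continue
        subs = product.get("subcomponents")
        if not subs:
            return True  # statement covers every package in the image
        if any(sub.get("@id") == pkg_purl for sub in subs):
            return True
    return False


def effective_status(doc, image_purl, vuln_id, pkg_purl):
    """Last applicable statement in document order wins; None if nothing applies."""
    status = None
    for stmt in doc.get("statements", []):
        if statement_applies(stmt, image_purl, vuln_id, pkg_purl):
            status = stmt.get("status")
    return status


def apply_vex(findings, doc, image_purl):
    """Split findings into those still reported and those suppressed by VEX."""
    kept, suppressed = [], []
    for vuln_id, pkg_purl in findings:
        status = effective_status(doc, image_purl, vuln_id, pkg_purl)
        target = suppressed if status in SUPPRESSING_STATUSES else kept
        target.append((vuln_id, pkg_purl, status))
    return kept, suppressed


def summarize(findings, doc, image_purl):
    """Counts in the same shape as the CLI summary line: packages and vulnerabilities."""
    kept, suppressed = apply_vex(findings, doc, image_purl)
    return {
        "raw_vulnerabilities": len({v for v, _ in findings}),
        "raw_vulnerable_packages": len({p for _, p in findings}),
        "after_vex_vulnerabilities": len({v for v, _, _ in kept}),
        "after_vex_vulnerable_packages": len({p for _, p, _ in kept}),
        "suppressed": suppressed,
    }


def load_openvex(path):
    """Load a VEX file such as one written by `docker scout vex get --output`."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    if not isinstance(doc.get("statements"), list):
        raise ValueError("not an OpenVEX document: missing 'statements' list")
    return doc


if __name__ == "__main__":
    print(json.dumps(summarize(FINDINGS, OPENVEX_DOC, IMAGE_PURL), indent=2))
```

To use it against a real image, point `load_openvex` at the file produced by `docker scout vex get --output` and replace `FINDINGS` with the (CVE, package purl) pairs from your scanner output; the product purl you pass as `image_purl` must be the digest-pinned purl the statements were written for, otherwise every statement is silently ignored.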
