I am unable to figure out why its finding rexml 3.28 or if its scanning the wrong image. But I am confident that this is not a vulnerability that can really be exploited for us so I used a file called .trivyignore which is stored at the root. You simply include the CVE number and it will ignore the error.