It is a follow-up to the investigation of JENKINS-50480...

1) Docker Traceability API library has no Whitelist manifest entry, so the classes in it will be likely rejected. There is a critical class for fingerprinting: https://github.com/jenkinsci/docker-traceability-plugin/blob/49141a86d41269799e00161a02ac72e9aa9a3a15/docker-traceability-api/src/main/java/org/jenkinsci/plugins/docker/traceability/api/DockerTraceabilityReport.java#L51
2) Docker Traceability includes shaded versions of Docker Java classes. Since shading happens in a separate JAR, it likely also needs whittelisting