- Bug
- Resolution: Done
- Normal
- claircore-1.5.29
There are situations where the VEX data ingested isn't specific enough for the matcher, specifically when the rpm is installed as part of a module. Initially, we'd discussed ignoring the module data in both the ingestion and the matching, but I think maybe it's better to parse the VEX module data and add it to the vulnerability information for more specific matching. Currently, we're in between, i.e. not ingesting the module data but the matcher still checks for it. Most of the time that is fine because packages weren't installed via modules, but occasionally it can cause issues.
- relates to: CLAIRDEV-25 Ask whoever owns published RPM manifests to include module information
- Review