CLAIRDEV-229 (project: Clair)

RHEL/RPM detector missing RPM packages


    • Bug
    • Resolution: Done
    • Normal
    • None
    • clair-4.9.0
    • indexer
    • None

      Note: I tried for some time to fix this but to no avail so I'm creating the ticket to document the issue in the hopes someone else could work on it/help without having to start from zero.

      TL;DR - There are packages that exist on the file-system of an image that the rpm command confirms are installed, but claircore cannot find these packages. This seems to only affect BDB RPM databases.

      Example:

      Image:

      registry.access.redhat.com/ubi7/nodejs-8@sha256:20f19e05b7db0bc15d32a62c3dbed1e4c5fa6b7d35c3bc1e76b642cebc6b6bc2
      

      Missing packages:

      • rh-nodejs8-nodejs-buffer-shims
      • rh-nodejs8-nodejs-ignore-by-default
      • rh-nodejs8-nodejs-imurmurhash
      • rh-nodejs8-nodejs-is-npm
      • rh-nodejs8-nodejs-os-homedir
      • rh-nodejs8-nodejs-path-is-absolute

      These package NVRs are in the raw bytes of the Packages DB, but for some reason they don't end up in the headers.

       

      Note: Other vuln analyzers also apparently miss these packages.

              hdonnay Henry Donnay
              jcroslan@redhat.com Joseph Crosland
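A triage check for the symptom described in this ticket, added here as an example (not claircore's code and not the reporter's): it diffs the package names `rpm` reports against the names a scanner indexed, then looks for each missing name in the raw bytes of the `Packages` file. The function names, the two listings and the database bytes are constructed for illustration.

```python
from __future__ import annotations

# Added example: triage for RPM packages a scanner fails to index.
# All sample data below is constructed; function names are hypothetical.


def parse_names(listing: str) -> set[str]:
    # One package name per line, e.g. output of: rpm -qa --qf '%{NAME}\n'
    return {line.strip() for line in listing.splitlines() if line.strip()}


def occurs_as_string(raw: bytes, name: str) -> bool:
    # RPM headers store string tags NUL-terminated, so require the trailing
    # NUL to avoid matching a prefix of a longer package name. A hit is only
    # a hint: the same string can also appear in another package's metadata.
    return name.encode() + b"\x00" in raw


def triage_missing(rpm_listing: str, scanner_listing: str,
                   packages_db: bytes) -> dict[str, bool]:
    # Map each package rpm reports but the scanner lacks to whether its
    # name is present in the raw database bytes.
    missing = parse_names(rpm_listing) - parse_names(scanner_listing)
    return {name: occurs_as_string(packages_db, name) for name in sorted(missing)}


# Constructed stand-in for the bytes of /var/lib/rpm/Packages.
SAMPLE_DB = (b"\x00\x00\x03\xe8bash\x00" b"4.2.46\x00"
             b"\x8e\xad\xe8\x01rh-nodejs8-nodejs-is-npm\x00"
             b"\x8e\xad\xe8\x01rh-nodejs8-nodejs-os-homedir\x00"
             b"rh-nodejs8-nodejs-path-is-absolute-extra\x00")

# Constructed listings: what rpm reports vs. what the scanner indexed.
RPM_LISTING = ("bash\nrh-nodejs8-nodejs-is-npm\n"
               "rh-nodejs8-nodejs-os-homedir\n"
               "rh-nodejs8-nodejs-path-is-absolute\n")
SCANNER_LISTING = "bash\n"

if __name__ == "__main__":
    for name, in_raw in triage_missing(RPM_LISTING, SCANNER_LISTING,
                                       SAMPLE_DB).items():
        print(f"{name}: {'in raw DB bytes' if in_raw else 'not in raw DB bytes'}")
```

A `True` entry means the name is in the database bytes but was not indexed, which is the condition the ticket describes; `False` points to a different cause.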