Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: clair-4.7.2, claircore-1.5.22
The OVAL v2 feeds assign each unfixed OpenShift vulnerability a CPE that names the next, unreleased version of OpenShift. This does not work with ClairCore's vulnerability matching mechanism, because that version does not exist...
The CPE is meant to indicate that every version of OpenShift below the given version is affected.
Let's just focus on OpenShift 4.x (I'm not sure if OpenShift 3.11 is affected). ACS currently looks for CPEs that match the following regex:
^cpe:/a:redhat:openshift:(?P<openshiftVersion>4(\.(?P<minorVersion>\d+))?)(::el8|::el9)?$
If a CPE matches, ACS creates an entry for each OpenShift version from 4.0 through the version in the given CPE.
Note: Prod Sec has considered showing just OpenShift 4 without the minor version (the regex above already accepts a bare openshift:4, since the minor-version group is optional), so that case may also need to be accounted for...
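As an added illustration (not ACS or Clair code), the following Go function applies the regex above and performs the version expansion the description attributes to ACS. Two details are assumptions, not facts from this issue: a bare openshift:4 CPE is reported as the single entry "4" (meaning all of 4.x), and the upper bound is inclusive as the description words it; both are marked in the comments. The sample CPEs in main are constructed, not taken from a feed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// openshiftCPE is the pattern quoted in the issue: a Red Hat OpenShift 4.x
// application CPE with an optional minor version and an optional ::el8/::el9
// suffix. Go's RE2 engine accepts the (?P<name>...) named-group syntax as written.
var openshiftCPE = regexp.MustCompile(
	`^cpe:/a:redhat:openshift:(?P<openshiftVersion>4(\.(?P<minorVersion>\d+))?)(::el8|::el9)?$`)

// ExpandOpenShiftCPE returns the OpenShift versions a matching CPE stands for:
// one entry for every 4.x version from 4.0 through the minor version named in
// the CPE. ok is false when the CPE does not match the pattern (3.11, an el7
// suffix, other products), so the caller can fall back to its usual matching.
//
// Assumption (not stated in the issue): a bare "openshift:4" CPE, the form
// Prod Sec is considering, is returned as the single entry "4", i.e. all of 4.x.
func ExpandOpenShiftCPE(cpe string) (versions []string, ok bool) {
	m := openshiftCPE.FindStringSubmatch(cpe)
	if m == nil {
		return nil, false
	}
	minor := m[openshiftCPE.SubexpIndex("minorVersion")]
	if minor == "" {
		return []string{"4"}, true
	}
	n, err := strconv.Atoi(minor)
	if err != nil {
		// \d+ guarantees digits, but an absurdly long run would overflow int:
		// treat that as a malformed CPE rather than expanding it.
		return nil, false
	}
	// Inclusive upper bound, as the issue words it ("4.0 through the version in
	// the given CPE"). If the feed's "below the given version" semantics are
	// wanted instead, change the condition to i < n.
	for i := 0; i <= n; i++ {
		versions = append(versions, fmt.Sprintf("4.%d", i))
	}
	return versions, true
}

func main() {
	// Constructed sample CPEs for demonstration; not taken from a real feed.
	for _, cpe := range []string{
		"cpe:/a:redhat:openshift:4.13::el8",
		"cpe:/a:redhat:openshift:4",
		"cpe:/a:redhat:openshift:3.11",
		"cpe:/a:redhat:openshift:4.13::el7",
	} {
		vs, ok := ExpandOpenShiftCPE(cpe)
		fmt.Printf("%-40s matched=%-5v versions=%v\n", cpe, ok, vs)
	}
}
```

The non-matching cases (3.11, an ::el7 suffix) are worth keeping in any real implementation's tests, since the regex is anchored at both ends and a feed change to the suffix would silently stop the expansion from firing.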
Linked issues:
- depends on: CLAIRDEV-28 Move RHEL advisory source from OVALv2 to CSAF/VEX (Closed)
- incorporates: OCPSTRAT-1126 Support for CSAF/VEX in Clair (In Progress)