I've done some more testing with Clair v4 versions 3.4.6 and 3.5.3 on the same database with the same set of vulnerabilities for two different images:
Quay 2.8.0 (based on Xenial)
Quay 3.3.4 (based on RHEL 7)
For Quay 2.8.0, Clair v4 3.5.3 does not show any Ubuntu-related vulnerabilities (72 detected vulnerabilities), but Clair v4 3.4.6 does (446 detected vulnerabilities), on the same vulnerability database. Checking the DB directly, we can see that there are 277 thousand vulnerabilities reported for Xenial:
clair=# select count(*) from vuln where dist_version_code_name = 'xenial';
 count
--------
 277904
(1 row)
For the RHEL image, both scanners show vulnerabilities, but there is a huge discrepancy between the number of detected ones: 3.4.6 reports 72 detected vulnerabilities (Quay.io shows only 12 vulnerabilities, but it cannot detect Python packages, for example), while 3.5.3 reports an astonishing 1709 vulnerabilities. Furthermore, Clair v4 3.5.3 shows vulnerabilities for CVEs that are not applicable to RHEL. For instance:
https://access.redhat.com/security/cve/cve-2017-15107
This CVE is listed for the dnsmasq package inside Quay's image but according to our own errata, our dnsmasq is not vulnerable to this CVE.
It is very strange that two separate versions of Clair which are only a month apart would give such a different scanning result for the same image for the same db backend. Can you please check these findings? Thanks!
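Follow-up queries against the same Clair v4 database, added here as an example; they are not part of the report above and not Clair's own tooling. Only the `vuln` table and its `dist_version_code_name` column appear in the report; the other column names used below (`name`, `updater`, `package_name`, `fixed_in_version`, `dist_name`, `dist_version`) are assumed from the claircore schema and should be confirmed with `\d vuln` before running.

```sql
-- Added diagnostic queries; not from the report or from Clair itself.
-- Column names other than dist_version_code_name are assumed from the
-- claircore "vuln" table and must be checked with \d vuln first.

-- 1. Break the Xenial count down by updater, so a missing or duplicated
--    source of Ubuntu advisories is visible at once.
SELECT updater, COUNT(*) AS vulns
FROM vuln
WHERE dist_version_code_name = 'xenial'
GROUP BY updater
ORDER BY vulns DESC;

-- 2. The same breakdown for every distribution in the DB, to compare the
--    RHEL 7 rows against the Ubuntu rows on one screen.
SELECT dist_name, dist_version, dist_version_code_name, updater,
       COUNT(*) AS vulns
FROM vuln
GROUP BY dist_name, dist_version, dist_version_code_name, updater
ORDER BY vulns DESC;

-- 3. Advisories stored more than once for the same package and
--    distribution; duplicate rows are one way a report count can inflate.
SELECT name, package_name, dist_version_code_name, COUNT(*) AS copies
FROM vuln
GROUP BY name, package_name, dist_version_code_name
HAVING COUNT(*) > 1
ORDER BY copies DESC
LIMIT 50;

-- 4. The dnsmasq entry named in the report: which updater produced it,
--    for which distribution, and what fixed-in version it carries.
SELECT name, updater, package_name, fixed_in_version, dist_name, dist_version
FROM vuln
WHERE name ILIKE '%CVE-2017-15107%'
  AND package_name = 'dnsmasq';
```

Query 1 run once per Clair version (both point at the same DB, so it should match) separates a database difference from a matcher difference: if the rows are identical, the discrepancy is in how each version matches indexed packages to them, not in the data.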
Is related to: PROJQUAY-2052 Duplicate reports of the same CVE present in security vulnerability metadata (Closed)