Spike
Resolution: Done
TL;DR: Currently, if a vulnerability doesn't have an associated RHSA, we don't ingest it.
After looking through the code, it appears that we're not ingesting any oval:com.redhat.cve:def:. definition IDs (i.e., most likely vulnerabilities that don't have an associated RHSA because they're not patched). I believe there is a historical reason why including these vulns can affect the Container Health Index analysis.
We should get to the bottom of what the container catalog team needs and how we can accommodate both.
Associated PR:
https://github.com/quay/claircore/pull/626