Description of problem:
Quay's image scanner seems to only detect CVEs if there is a fix made available instead of displaying all known CVEs in a image container.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Build an image based off of UBI8 and install pcre2
2. Let the vulnerable scanner run and see all green
3. Compare verify pcre2 is on version 10.32-1
4. https://access.redhat.com/security/cve/CVE-2019-20454

Actual results:
The image security scan passed

Expected results:
The security scan should not pass and flag the image with a known public CVE