** Note that this is a public ticket, please refrain from adding any sensitive data. **

Description of Problem

Vulnerabilities API inconsistent and somewhat confusing, especially when trying to page through results for systems. Can start at basically page 1 with the default page_size for a given host and get mixed results each time.

As an example, calls to the following endpoint...

https://console.redhat.com/api/vulnerability/v1/systems/1a1b9120-2a1c-4e00-9c8f-f8520a54f4a3/cves

will almost always give a different value for meta.total_items each time we make the call. This happens across all hosts, making it impossible to either follow "next:" links in the reply, or to try calculate the total number of pages for a given host to use in a loop. Either strategy either omits vulnerabilities for a host or gives a 402 Bad Request error for requesting a page of results that's out of range.

How reproducible

Always

Actual Behavior

Vulnerabilities API inconsistent when trying to page through results for systems

Expected Behavior

Customer expect the total number of CVEs for a host to consistent across requests and in the same order so that they can obtain all the CVE details for a given host.

Business Impact / Additional info

Trying to aggregate CVE data across a number of security tools in the environment. Unreliable results from the Red Hat API stalls the project.