The affected_cpe_list in the including-unpatched OCP 4 OVAL files lists these CPEs:

$ rg 'cpe:' rhel7_openshift-4-including-unpatched.oval.xml | head -1
    <cpe>cpe:/a:redhat:openshift:4.9</cpe>
$ rg 'cpe:' rhel8_openshift-4-including-unpatched.oval.xml | head -1
    <cpe>cpe:/a:redhat:openshift:4.9</cpe>

It should show the latest version of OCP 4, which at this point is 4.12. Fix the sorting mechanism that finds the latest versions to use int comparisons instead of string comparison.