There are CVEs that are not included in the OpenShift and RHEL OVAL.
For example:

CVE-2021-26291 - is included in rhel-8-including-unpatched OVAL, but is not included in the openshift-4-including-unpatched OVAL, when should be because OCP is directly affected by this CVE. 

CVE-2022-30945 - is not included in openshift-4-including-unpatched OVAL when only OCP product is affected by this CVE

Is there any glitch in the OVAL data update process?

This issue has been discovered by one of the customers (IBM) in the certified scanner results.