Story
Resolution: Duplicate
Normal
Currently there is one set of criteria for each RHSA. If multiple CVEs are attached to that RHSA, the CVE-to-build mapping is not taken into account.
Take for example RHSA-2021:2437. According to the CVE-to-build mapping, it addresses CVEs in these packages:
CVE-2021-21419 - python-eventlet
CVE-2021-21623 - jenkins
CVE-2021-21639 - jenkins
CVE-2021-21640 - jenkins
CVE-2021-21648 - jenkins-2-plugins
CVE-2021-25735 - openshift
CVE-2021-25737 - openshift
CVE-2021-3121 - openshift, openshift-clients
CVE-2021-3636 - openshift
CVE-2021-3114 - ignition
However, using the OVAL data, a match for any affected RPM version returns a positive result for all of these CVEs.
Expected Results:
A match for a vulnerable RPM should only match the CVE(s) relevant to that package. E.g. a match for ignition should only show it as vulnerable to CVE-2021-3114, and to none of the other CVEs.
Business Justification:
This was requested by Matan from JFrog, via the security scanning technical exchange.
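The following is an added example, not code from Red Hat's OVAL feed or from JFrog's scanner, that models the two behaviours described in this report. It parses a small OVAL definition constructed to resemble a Red Hat patch definition for RHSA-2021:2437 (the CVE references are the ones listed above; the package fix versions and the definition's criterion comments are made up for the example), then shows the current per-RHSA matching that returns every CVE on the advisory, next to the expected matching that intersects those CVEs with the CVE-to-build mapping for the matched package. The `evr_lt` comparison is a simplified version of rpm's version ordering, sufficient for the constructed input.

```python
"""Model of per-RHSA OVAL matching versus CVE-to-build aware matching.

Added example, not Red Hat's or JFrog's code. The OVAL XML below is
CONSTRUCTED: the definition id, title wording, criterion comments and
package fix versions are hypothetical, only the CVE identifiers are
the ones from the report.
"""
import re
import xml.etree.ElementTree as ET

# Constructed OVAL patch definition: one RHSA, several CVE references,
# one "<pkg> is earlier than <evr>" criterion per affected RPM.
OVAL_XML = """<oval_definitions>
 <definitions>
  <definition class="patch" id="oval:com.redhat.rhsa:def:20212437">
   <metadata>
    <title>RHSA-2021:2437: constructed example advisory (Moderate)</title>
    <reference ref_id="RHSA-2021:2437" source="RHSA"/>
    <reference ref_id="CVE-2021-3114" source="CVE"/>
    <reference ref_id="CVE-2021-3121" source="CVE"/>
    <reference ref_id="CVE-2021-21419" source="CVE"/>
    <reference ref_id="CVE-2021-25735" source="CVE"/>
   </metadata>
   <criteria operator="OR">
    <criterion comment="ignition is earlier than 0:2.9.0-99.example.el8"/>
    <criterion comment="python-eventlet is earlier than 0:0.30.2-99.example.el8"/>
    <criterion comment="openshift is earlier than 0:4.8.0-99.example.el8"/>
   </criteria>
  </definition>
 </definitions>
</oval_definitions>"""

# CVE-to-build mapping, taken from the list in the report (subset).
CVE_TO_PACKAGES = {
    "CVE-2021-21419": {"python-eventlet"},
    "CVE-2021-3114": {"ignition"},
    "CVE-2021-3121": {"openshift", "openshift-clients"},
    "CVE-2021-25735": {"openshift"},
}

CRITERION_RE = re.compile(r"^(?P<name>\S+) is earlier than (?P<evr>\S+)$")


def _segments(s):
    """Split a version string into numeric and alphabetic runs, rpm-style."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def _vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1. Numeric runs compare as integers,
    alphabetic runs as strings, and a numeric run sorts after an alphabetic one."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr):
    """Split 'epoch:version-release' into (int epoch, version, release)."""
    epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_lt(installed, fixed):
    """True if the installed EVR sorts before the fixed EVR."""
    ei, vi, ri = parse_evr(installed)
    ef, vf, rf = parse_evr(fixed)
    if ei != ef:
        return ei < ef
    c = _vercmp(vi, vf)
    return c < 0 if c else _vercmp(ri, rf) < 0


def load_definitions(xml_text):
    """Return [{'rhsa', 'cves', 'fixed': {pkg: fixed_evr}}] per definition."""
    defs = []
    for d in ET.fromstring(xml_text).iter("definition"):
        refs = list(d.iter("reference"))
        fixed = {}
        for c in d.iter("criterion"):
            m = CRITERION_RE.match(c.get("comment", ""))
            if m:
                fixed[m["name"]] = m["evr"]
        defs.append({
            "rhsa": next(r.get("ref_id") for r in refs if r.get("source") == "RHSA"),
            "cves": [r.get("ref_id") for r in refs if r.get("source") == "CVE"],
            "fixed": fixed,
        })
    return defs


def naive_cves(defs, name, evr):
    """Current behaviour: an RPM matching the RHSA criteria is flagged for every CVE on it."""
    hits = set()
    for d in defs:
        if name in d["fixed"] and evr_lt(evr, d["fixed"][name]):
            hits.update(d["cves"])
    return hits


def mapped_cves(defs, cve_to_pkgs, name, evr):
    """Expected behaviour: keep only CVEs the CVE-to-build mapping ties to this package."""
    return {c for c in naive_cves(defs, name, evr) if name in cve_to_pkgs.get(c, ())}


DEFS = load_definitions(OVAL_XML)

if __name__ == "__main__":
    print("naive :", sorted(naive_cves(DEFS, "ignition", "0:2.8.0-1.el8")))
    print("mapped:", sorted(mapped_cves(DEFS, CVE_TO_PACKAGES, "ignition", "0:2.8.0-1.el8")))
```

With the constructed input, an old ignition build is flagged for all four CVEs by `naive_cves` but only for CVE-2021-3114 by `mapped_cves`, which is the behaviour the report asks for; an openshift build keeps both CVEs that the mapping ties to openshift, and a build at or above the fix version matches nothing in either mode.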