Story
Resolution: Done
We are encountering a situation where a Red Hat system is subscribed to multiple repositories, including BaseOS, AppStream, and Red Hat for SAP Solutions. We are running into a situation where our scanners (Nessus) are flagging the system as vulnerable because the system is subscribed to BaseOS and the package we're comparing against is from a Base. For example:
RHSA-2024:0500 applies to Red Hat for SAP Solutions
RHSA-2024:0310 is the equivalent advisory for Red Hat Base/AppStream
Other than the version numbers and el_strings, there isn't any artifact I've found to help indicate whether the package should be tied to the Red Hat for SAP Solutions advisory or the Base/AppStream-specific advisory. We can be more strict and match on the `el_string`, but we've found that this produces false negatives for systems that upgrade from one minor release to the next.
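The trade-off described above, as an added example that is not part of the original ticket and is not the scanner's own logic: it compares strict `el_string` matching with major-version-only matching. The release strings, the advisory labels `SAP-ADVISORY` and `BASE-ADVISORY`, and the simplified ordering key are all constructed assumptions.

```python
import re

# Constructed sample data: fixed releases per advisory stream. These are
# placeholders, not values taken from any real RHSA.
ADVISORIES = [
    ("SAP-ADVISORY", "10.el8_6.3"),   # fix shipped in the SAP Solutions stream
    ("BASE-ADVISORY", "12.el8_9"),    # equivalent fix in BaseOS/AppStream
]

EL_RE = re.compile(r"\.(el\d+(?:_\d+)?)")

def el_string(release):
    """Return the dist tag (e.g. 'el8_6') embedded in an RPM release, or None."""
    m = EL_RE.search(release)
    return m.group(1) if m else None

def el_major(tag):
    """'el8_6' -> 'el8'."""
    return tag.split("_")[0] if tag else None

def rpm_key(release):
    """Simplified ordering key (assumption: not full rpmvercmp, no ~ or ^).
    Numeric segments sort above alphabetic ones and compare as integers."""
    return [(1, int(s)) if s.isdigit() else (0, s)
            for s in re.findall(r"\d+|[A-Za-z]+", release)]

def flagged(installed_release, strict):
    """Advisories whose fixed release is newer than the installed release.
    Assumes the upstream version is identical, so only the release differs."""
    tag = el_string(installed_release)
    hits = []
    for adv_id, fixed in ADVISORIES:
        fixed_tag = el_string(fixed)
        if strict:
            comparable = fixed_tag == tag
        else:
            comparable = el_major(fixed_tag) == el_major(tag)
        if comparable and rpm_key(installed_release) < rpm_key(fixed):
            hits.append(adv_id)
    return hits

if __name__ == "__main__":
    # Host A: on the SAP stream and already at the SAP fix level.
    print("A loose :", flagged("10.el8_6.3", strict=False))  # flagged by Base
    print("A strict:", flagged("10.el8_6.3", strict=True))   # clean
    # Host B: upgraded to the next minor release, one package left behind.
    print("B loose :", flagged("9.el8_8", strict=False))     # flagged
    print("B strict:", flagged("9.el8_8", strict=True))      # missed
```

Host A shows the false positive from comparing against the Base/AppStream fix, and host B shows the false negative that strict `el_string` matching introduces after a minor-release upgrade.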