We are ingesting the RedHat VEX CVE cve-2023-6597.json, which contains the following "product_status" details:

 
"product_status":

{ "fixed": [ ... "AppStream-8.10.0.Z.MAIN.EUS:python39:3.9:8100020240516111311:d47b87a4:python-urllib3-0:1.25.10-5.module+el8.10.0+20443+f0a692fe.src", ... ] "known_not_affected": [ ... "red_hat_enterprise_linux_8:python36:3.6/python36" ... ] }

This data is generating the following entry in our system, which applies to any Python version:

 
{{

{ "cve": "CVE-2023-6597", "distro": "redhat-vex", "distro_release": "RHEL8", "type": "package", "package": "python-urllib3", "security_repo_pkg": false, "severity": "high", "status": "fixed in 1.25.10-5.module+el8.10.0+20443+f0a692fe", "cvss": 7.8, "rules": null, "conditions": [["<1.25.10-5.module+el8.10.0+20443+f0a692fe"]], "modified": 1725802267, "fixDate": 1716989499, "link_id": "RHSA-2024:3466", "affected_cpes": [3322022597], "affected_cpes_uuid": "7047a33d-e003-928b-8be9-61a2bff32018", "rh_general_severity": "high", "originBuilder": "redhat-vex" }

}}
The issue arises because we do not correlate python-urllib3 with the specific Python version (e.g., Python 3.9), As a result, we generate false positives (FPs).
In the above example, we cannot distinguish whether the python-urllib3 package is for Python 3.9 or Python 3.6 (the latter is marked as "not affected" in the RedHat VEX document).

regarding python3.6, the VEX document points that this python product is declared as a `rpmmod`
{ "category": "product_version", "name": "python36:3.6/python36", "product": { "name": "python36:3.6/python36", "product_id": "python36:3.6/python36", "product_identification_helper":

{ "purl": "pkg:rpmmod/redhat/python36:3.6/python36" }

} },

Would the support for modules help resolve this issue?
How can we establish a connection between the Python version and the associated vulnerable package?
Please help us understand the logic we need to implement in order to achieve support for those cases.