Story
Resolution: Duplicate

Looking at RHSA-2024:7484 (https://access.redhat.com/errata/RHSA-2024:7484), we can see that it applies to regular RHEL as well as to the EUS and AUS subscription models. The CSAF advisory, however, carries only a single product entry under the product family:
{
  "branches": [
    {
      "category": "product_name",
      "name": "Red Hat Enterprise Linux BaseOS (v. 9)",
      "product": {
        "name": "Red Hat Enterprise Linux BaseOS (v. 9)",
        "product_id": "BaseOS-9.4.0.Z.MAIN.EUS",
        "product_identification_helper":
      }
    }
  ],
  "category": "product_family",
  "name": "Red Hat Enterprise Linux"
},
Looking that one CPE up in the repository-to-cpe mapping (https://security.access.redhat.com/data/metrics/repository-to-cpe.json) yields only the non-subscription BaseOS repository: the map ties content/dist/rhel9/9.4/x86_64/baseos/os to that CPE but not content/eus/rhel9/9.4/x86_64/baseos/os. A scanner that filters advisories by the repositories enabled on the host therefore never matches an EUS host, which produces false negatives on RHEL 9.4 EUS installations.
I'm not sure whether the solution would be to include the BaseOS repos for both the subscription and non-subscription channels under the BaseOS CPE, or to have the CSAF include the CPEs for all of the subscription models it applies to in addition to the normal BaseOS CPE, so that we can properly derive a list of all of the relevant repositories. Without that list, the repository filtering we do (at Red Hat's instruction) loses some of its meaning, because it excludes machines that should be flagged as vulnerable.
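To make the chain described in this report concrete, the following Python is an added illustration (it is not part of the report and not Red Hat's or any scanner's code). It walks a constructed CSAF product tree to collect the product_identification_helper CPEs, inverts a constructed excerpt of repository-to-cpe.json to find the repositories those CPEs cover, and applies the "only hosts with an affected repo enabled" filter to a RHEL 9.4 EUS host. The product_id and the two repository paths come from the report above; the CPE strings, the exact JSON shapes of both files, and the ".EUS" product_id heuristic are assumptions made for the example.

```python
"""Added illustration of the CSAF -> CPE -> repository filter chain from the report above.
All data below is constructed; it is not the real RHSA-2024:7484 document or the real map."""
import json

# Constructed product_tree in the shape of a Red Hat CSAF document. The product_id is the
# one quoted in the report; the CPE value is an assumed example, not taken from the advisory.
CSAF_DOC = json.loads("""
{"product_tree": {"branches": [
  {"category": "vendor", "name": "Red Hat", "branches": [
    {"category": "product_family", "name": "Red Hat Enterprise Linux", "branches": [
      {"category": "product_name",
       "name": "Red Hat Enterprise Linux BaseOS (v. 9)",
       "product": {
         "name": "Red Hat Enterprise Linux BaseOS (v. 9)",
         "product_id": "BaseOS-9.4.0.Z.MAIN.EUS",
         "product_identification_helper": {"cpe": "cpe:/o:redhat:enterprise_linux:9::baseos"}}}]}]}]}}
""")

# Constructed excerpt assumed to follow the repository-to-cpe.json shape {"data": {repo: {"cpes": [...]}}}.
# The two repo paths are those named in the report; the CPE strings are assumed.
REPO_TO_CPE = {"data": {
    "content/dist/rhel9/9.4/x86_64/baseos/os": {"cpes": ["cpe:/o:redhat:enterprise_linux:9::baseos"]},
    "content/eus/rhel9/9.4/x86_64/baseos/os":  {"cpes": ["cpe:/o:redhat:rhel_eus:9.4::baseos"]},
}}


def iter_products(doc):
    """Yield (product_id, cpe) for every product in the product_tree that carries a CPE helper."""
    def walk(branch):
        product = branch.get("product", {})
        cpe = product.get("product_identification_helper", {}).get("cpe")
        if cpe:
            yield product["product_id"], cpe
        for child in branch.get("branches", []):
            yield from walk(child)
    for top in doc["product_tree"]["branches"]:
        yield from walk(top)


def advisory_cpes(doc):
    """The set of CPEs an advisory names: this is all the scanner has to go on."""
    return {cpe for _, cpe in iter_products(doc)}


def repos_for_cpes(repo_map, cpes):
    """Invert the repo->CPE map: every repo whose CPE list intersects the advisory's CPEs."""
    return {repo for repo, entry in repo_map["data"].items() if set(entry["cpes"]) & set(cpes)}


def host_in_scope(enabled_repos, affected_repos):
    """The repository filter as the report describes it: a host counts only if one of its
    enabled repositories is in the set derived from the advisory's CPEs."""
    return bool(set(enabled_repos) & set(affected_repos))


def eus_products_without_eus_repo(doc, repo_map):
    """Heuristic consistency check (assumed, not a Red Hat rule): a product_id tagged '.EUS'
    whose CPE maps to no content/eus/ repository is a candidate for exactly this false negative."""
    bad = []
    for product_id, cpe in iter_products(doc):
        if ".EUS" in product_id and not any("/eus/" in r for r in repos_for_cpes(repo_map, {cpe})):
            bad.append(product_id)
    return bad


if __name__ == "__main__":
    affected = repos_for_cpes(REPO_TO_CPE, advisory_cpes(CSAF_DOC))
    eus_host = ["content/eus/rhel9/9.4/x86_64/baseos/os"]
    print("affected repos from advisory CPEs:", sorted(affected))
    print("EUS host flagged:", host_in_scope(eus_host, affected))            # False: the false negative
    print("EUS products lacking an EUS repo:", eus_products_without_eus_repo(CSAF_DOC, REPO_TO_CPE))
    # Second option from the report: the advisory also carries the EUS CPE, so the
    # inverted map now includes the EUS repository and the same host is flagged.
    widened = repos_for_cpes(REPO_TO_CPE, advisory_cpes(CSAF_DOC) | {"cpe:/o:redhat:rhel_eus:9.4::baseos"})
    print("EUS host flagged with EUS CPE added:", host_in_scope(eus_host, widened))  # True
```

The first option from the report (mapping both repository paths to the BaseOS CPE) would be modelled by adding the BaseOS CPE to the EUS repo's `cpes` list in REPO_TO_CPE instead of widening the advisory; either change makes `host_in_scope` return True for the EUS host, which is the behaviour a scanner needs.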