Today we tend to keep records from different providers from "crossing streams" and affecting one another. However, we're missing out on the opportunity to take incomplete vendor records and fill in missing data with data that is already on the upstream canonical NVD record.
anchore/grype#2620 is a good example of this: Canonical hasn't triaged this for many older distro versions, so we assume that all versions are vulnerable, but the NVD record does specify a version range that could be applied when matching on the Ubuntu record directly.
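The following is an added illustration of the proposal above, not grype's own code or data model. It assumes a minimal record shape with a nil range meaning "not triaged", a simplified dotted-numeric version comparison (real Debian/Ubuntu versions need dpkg semantics), that the vendor and NVD records have already been joined on the same vulnerability id, and a constructed placeholder id and package name rather than the real one behind anchore/grype#2620. It shows the current over-matching behaviour beside the narrowed result once the NVD range is borrowed, with the provenance of the borrowed range kept on the record.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseVersion splits a dotted-numeric version into integer parts.
// Simplified on purpose: real distro versions need dpkg/rpm comparison rules.
func parseVersion(v string) []int {
	parts := strings.Split(v, ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, _ := strconv.Atoi(p) // non-numeric parts compare as 0 in this toy model
		out[i] = n
	}
	return out
}

// compareVersions returns -1, 0 or 1; missing trailing parts count as 0 (1.0 == 1).
func compareVersions(a, b string) int {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// VersionRange is [StartIncluding, EndExcluding); an empty bound is unbounded.
type VersionRange struct {
	StartIncluding string
	EndExcluding   string
}

func (r VersionRange) Contains(version string) bool {
	if r.StartIncluding != "" && compareVersions(version, r.StartIncluding) < 0 {
		return false
	}
	if r.EndExcluding != "" && compareVersions(version, r.EndExcluding) >= 0 {
		return false
	}
	return true
}

// Record is a deliberately minimal stand-in for one provider's vulnerability record.
type Record struct {
	Provider    string
	VulnID      string
	Package     string
	Ranges      []VersionRange // nil = the provider has not triaged a range
	RangeSource string         // provenance of Ranges: "self" or the donor provider
}

// IsVulnerable reproduces today's conservative rule: an untriaged record matches everything.
func IsVulnerable(rec Record, version string) bool {
	if rec.Ranges == nil {
		return true
	}
	for _, r := range rec.Ranges {
		if r.Contains(version) {
			return true
		}
	}
	return false
}

// EnrichFromNVD fills a vendor record's missing range from the NVD record for the same id
// and records where the range came from; records that already have a range are untouched.
func EnrichFromNVD(vendor, nvd Record) (Record, error) {
	if vendor.VulnID != nvd.VulnID {
		return vendor, fmt.Errorf("id mismatch: %s vs %s", vendor.VulnID, nvd.VulnID)
	}
	if vendor.Ranges != nil || nvd.Ranges == nil {
		return vendor, nil
	}
	vendor.Ranges = nvd.Ranges
	vendor.RangeSource = nvd.Provider
	return vendor, nil
}

// Constructed sample records: placeholder id and package, not the real ones from the issue.
var (
	ubuntuUntriaged = Record{Provider: "ubuntu", VulnID: "CVE-0000-0000", Package: "examplelib", RangeSource: "self"}
	nvdRecord       = Record{Provider: "nvd", VulnID: "CVE-0000-0000", Package: "examplelib",
		Ranges: []VersionRange{{StartIncluding: "1.0", EndExcluding: "1.4"}}, RangeSource: "self"}
)

// Verdict holds the match result for one installed version before and after enrichment.
type Verdict struct {
	Version     string
	RawVendor   bool
	Enriched    bool
	RangeSource string
}

func Compare(version string) (Verdict, error) {
	enriched, err := EnrichFromNVD(ubuntuUntriaged, nvdRecord)
	if err != nil {
		return Verdict{}, err
	}
	return Verdict{version, IsVulnerable(ubuntuUntriaged, version), IsVulnerable(enriched, version), enriched.RangeSource}, nil
}

func main() {
	for _, v := range []string{"0.9", "1.2", "1.5"} {
		verdict, _ := Compare(v)
		fmt.Printf("%+v\n", verdict)
	}
}
```

The point of keeping `RangeSource` on the record is that a borrowed range is a weaker claim than a vendor-triaged one: the upstream NVD range describes upstream versions, and a distro may ship a backported fix under a version the NVD range still covers, so a match produced from a borrowed range should be distinguishable in output from one the vendor confirmed.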