CVE scans based on apk/db/installed might miss some CVEs


#### Describe the unexpected behaviour

Some small linuxkit or lf-edge/eve* containers only deliver a file or two from an Alpine source.
An examples of that is lfedge/eve-grub which does not have an apk/db/installed file but does have a few binaries from a (patched) Linux package.