Cve output different result depending on cve-bin-tool version?  #5694

@hdxtreeem

Description

I am testing cve-bin-tool and get different vulnerability output using version 3.4.0 from pip and installing directly from git source. Is there any difference in the checking between the different versions? Because it gives no vulnerabilities with the latest git version (3.4.1?) and 5 vulnerabilities with 3.4.0.

To reproduce

Steps to reproduce the behaviour:

  1. pip3 install cve-bin-tool
  2. run cve bin tool on spdx file with pip cve install
  3. then same with git source: pip3 install --user git+https://github.com/ossf/cve-bin-tool.git
  4. run cve bin tool on spdx file with cve git source install

Expected behaviour: same output
Actual behaviour: different output with different versions

Version/platform info

Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.4.0 and 3.4.1
Installed from pypi or github? installed from both
Operating system: Linux/Windows (other platforms are unsupported but feel free to report issues anyhow)

  • On Linux (or Windows Subsystem for Linux) you can run uname -a
  • On Windows you can run systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Python version (e.g. python3 --version):
Running in any particular CI environment we should know about? (e.g. Github Actions)

Anything else?

nope

Labels: bug (Something isn't working)
