
fix: No CVEs from Redhat source in output #5707

@marcelkauf

Description


No CVEs that were imported from the Redhat source are taken into account for CVE scans.

The attached SBOM contains a component qt6-qtbase-0, version 6.8.1-9.el10_0 which is vulnerable to CVE-2025-5455. The CVE was imported from Redhat and is present with the following entry in the cve_range table: CVE-2025-5455,redhat,qt6-qtbase-0,6.8.1-9.el10_0,"","","","",REDHAT

To reproduce

Steps to reproduce the behaviour:

  1. Scan the attached SBOM: cve-bin-tool --sbom cyclonedx --sbom-file sbom.json
  2. File: sbom.json
  3. Expected behaviour: The output contains CVE-2025-5455 for qt6-qtbase-0
  4. Actual behaviour: No CVE is displayed

Version/platform info

  • Version of CVE-bin-tool( e.g. output of cve-bin-tool --version): 3.4, also present on current main branch (376f864)
  • Installed via pipx install cve-bin-tool
  • Operating system: Linux 6.12.74+deb13+1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.74-2 (2026-03-08) x86_64 GNU/Linux
  • Python version: 3.13.5
  • Running in any particular CI environment we should know about? (e.g. Github Actions): no
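To check the quoted cve_range row against the SBOM component outside the tool, the following script re-creates the product/version lookup the report expects and runs it against an in-memory copy of that row. It is an added example, not cve-bin-tool's own code and not the reporter's attachment. It assumes cve-bin-tool's cve_range column order (cve_number, vendor, product, version, versionStartIncluding, versionStartExcluding, versionEndIncluding, versionEndExcluding, data_source), that an exact-version row leaves the four range columns empty, and that the default cache lives at ~/.cache/cve-bin-tool/cve.db; the SBOM document and the second component (zlib) are constructed for the demo.

```python
"""Re-create the product/version lookup the issue expects cve-bin-tool to
make, so the posted cve_range row can be checked outside the tool.

Added example, not cve-bin-tool's own code. Assumed: the cve_range column
order below follows cve-bin-tool's schema, exact-version rows leave the four
range columns empty, and the default cache is ~/.cache/cve-bin-tool/cve.db.
"""
import json
import re
import sqlite3
import sys

# Constructed CycloneDX SBOM carrying the component from the issue (the
# reporter's attached sbom.json is not on the page); zlib is a filler
# component with no row in the demo table.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "qt6-qtbase-0", "version": "6.8.1-9.el10_0"},
        {"type": "library", "name": "zlib", "version": "1.3.1"},
    ],
})

# The cve_range row quoted in the issue, in the assumed column order.
CVE_RANGE_ROWS = [
    ("CVE-2025-5455", "redhat", "qt6-qtbase-0", "6.8.1-9.el10_0", "", "", "", "", "REDHAT"),
]

SCHEMA = """CREATE TABLE cve_range (
    cve_number TEXT, vendor TEXT, product TEXT, version TEXT,
    versionStartIncluding TEXT, versionStartExcluding TEXT,
    versionEndIncluding TEXT, versionEndExcluding TEXT, data_source TEXT)"""


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for cve.db holding only the row from the issue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO cve_range VALUES (?,?,?,?,?,?,?,?,?)", CVE_RANGE_ROWS)
    return conn


def load_components(sbom_json: str) -> list[tuple[str, str]]:
    """(name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c.get("version", "")) for c in bom.get("components", [])]


def version_key(v: str) -> list[tuple[int, object]]:
    """Tokenise '6.8.1-9.el10_0' so numeric parts compare numerically and a
    mixed int/str comparison never raises TypeError."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.split(r"[.\-_+~]", v) if t]


def version_matches(version: str, row: tuple) -> bool:
    """Apply a cve_range row's exact-version or range columns to `version`."""
    exact, start_inc, start_exc, end_inc, end_exc = row[3:8]
    if exact and exact != "*":
        return version == exact  # exact row: the four range columns are empty
    k = version_key(version)
    if start_inc and k < version_key(start_inc):
        return False
    if start_exc and k <= version_key(start_exc):
        return False
    if end_inc and k > version_key(end_inc):
        return False
    if end_exc and k >= version_key(end_exc):
        return False
    return True


def find_cves(conn, product: str, version: str) -> list[tuple[str, str, str]]:
    """(cve_number, vendor, data_source) for rows covering product/version.
    The product is matched without a vendor constraint, so rows that differ
    only in vendor (e.g. 'redhat' vs. an NVD CPE vendor) still surface."""
    rows = conn.execute(
        "SELECT cve_number, vendor, product, version, versionStartIncluding, "
        "versionStartExcluding, versionEndIncluding, versionEndExcluding, data_source "
        "FROM cve_range WHERE lower(product) = lower(?)", (product,)).fetchall()
    return [(r[0], r[1], r[8]) for r in rows if version_matches(version, r)]


def scan(sbom_json: str, conn) -> dict[str, list[tuple[str, str, str]]]:
    """Look up every SBOM component; empty list means no covering row."""
    return {name: find_cves(conn, name, ver) for name, ver in load_components(sbom_json)}


if __name__ == "__main__":
    # Pass a path (e.g. ~/.cache/cve-bin-tool/cve.db, assumed default) to run
    # the same lookup against a real cache instead of the demo table.
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_demo_db()
    for name, hits in scan(SBOM_JSON, conn).items():
        print(name, hits or "no matching cve_range rows")
```

Against the demo table the qt6-qtbase-0 component resolves to CVE-2025-5455 with data_source REDHAT, which is the output the report expects from the scan; pointing the script at a real cache shows whether the row is present and which vendor string it carries, which is the first thing to compare with the vendor/product pair the SBOM scanner derives for the component.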

Labels: bug
