Looking at the structure of https://packages.wolfi.dev/os/security.json or Chainguard's security.json, it seems that CVEs are only published for versions where there is a fix available.
Is my understanding correct that grype won’t reflect these CVEs? This also holds true for when the status is one of "Under investigation", "Pending upstream fix" or "Fix not planned", as seen on the Chainguard advisories.
Additionally, for package types that are covered by GitHub Security Advisories (for example, if the APK package includes a Ruby gem or Python package), Grype will search GitHub security advisory data for vulnerabilities about those packages.
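To make the fix-version semantics behind the question concrete, here is an added example (not code from the thread, from Grype, or from Wolfi/Chainguard) that walks a constructed secdb-style excerpt of the kind security.json uses and reports which CVEs a version check can match. The package name, versions and CVE ids are made up, the version ordering is a simplified stand-in for real apk ordering, and treating the "0" version key as "never affected" follows Alpine's secdb convention (assumption).

```python
import json

# Constructed sample in the Alpine-style secdb layout used by security.json.
# Assumption: only "packages[].pkg.name" and "packages[].pkg.secfixes" matter here.
# The "0" key is treated as "never affected", as Alpine's secdb does (assumption).
SAMPLE_SECDB = json.loads("""
{
  "reponame": "os",
  "packages": [
    {"pkg": {"name": "example-lib",
             "secfixes": {"1.4.2-r0": ["CVE-2000-0001"],
                          "1.5.0-r1": ["CVE-2000-0002", "CVE-2000-0003"],
                          "0": ["CVE-2000-0009"]}}}
  ]
}
""")


def version_key(version):
    """Simplified apk version ordering: numeric dotted base, then the -rN suffix.
    Real apk ordering also handles suffixes such as _p1 or _git; not modelled here."""
    base, _, rel = version.partition("-r")
    parts = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    return (parts, int(rel) if rel.isdigit() else 0)


def matching_cves(secdb, pkg_name, installed_version):
    """Return the sorted CVE ids whose fix version is newer than the installed one.

    The secdb format can only express 'CVE X is fixed in version Y', so an advisory
    that has no fix version (still under investigation, fix pending upstream, fix not
    planned) has no entry here and can never be returned by a fix-version check.
    """
    hits = set()
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        if pkg["name"] != pkg_name:
            continue
        for fixed_version, cves in pkg.get("secfixes", {}).items():
            if fixed_version == "0":
                continue  # listed as never affecting this package
            if version_key(installed_version) < version_key(fixed_version):
                hits.update(cves)
    return sorted(hits)


if __name__ == "__main__":
    for installed in ("1.4.1-r0", "1.4.2-r0", "1.5.0-r0", "1.5.0-r1"):
        print(installed, "->", matching_cves(SAMPLE_SECDB, "example-lib", installed))
```

Note that "CVE-2000-0009" never appears in any result: it exists in the file only under the "0" key, and a CVE with no fix version at all would not be in the file in the first place.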