Looking at the structure of https://packages.wolfi.dev/os/security.json or chainguard security.json it seems that CVEs are only published for versions where there is a fix available.
Example: Chainguard Images - Advisories - CVE-2023-29406 shows that the go-1.21 package is vulnerable, but the security.json consumed by grype doesn't reflect this.
Is my understanding correct that grype won't reflect these CVEs? This also holds true when the status is one of "Under investigation", "Pending upstream fix" or "Fix not planned", as seen on the Chainguard advisories.
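One way to check this for yourself is to parse the feed grype consumes and ask it directly whether a given package/CVE pair appears anywhere in it. The script below is an added example, not code from Wolfi, Chainguard or grype. It assumes security.json uses the Alpine-style "secdb" schema (a `packages` list of `{"pkg": {"name", "secfixes": {version: [CVE ids]}}}` entries) and that a version key of `"0"` means "not affected", as in Alpine's convention; both are assumptions. The embedded feed is a constructed sample, and every CVE id in it other than CVE-2023-29406 is a placeholder. Any CVE that has no secfixes entry at all, which is what the statuses above appear to produce, comes back as "absent", which is exactly the case where a scanner matching only against this feed has nothing to report.

```python
import json
from typing import Dict, List

# Constructed sample shaped like the Alpine/Wolfi "secdb" security.json.
# Assumption: the real feed at https://packages.wolfi.dev/os/security.json
# uses this schema. CVE ids other than CVE-2023-29406 are placeholders.
SAMPLE_SECURITY_JSON = json.dumps({
    "apkurl": "{{urlprefix}}/{{reponame}}/{{arch}}/{{pkg.name}}-{{pkg.ver}}.apk",
    "archs": ["x86_64", "aarch64"],
    "reponame": "os",
    "urlprefix": "https://packages.wolfi.dev",
    "packages": [
        {"pkg": {"name": "go-1.21", "secfixes": {
            "1.21.1-r0": ["CVE-1900-0001", "CVE-1900-0002"],
            "0": ["CVE-1900-0003"],
        }}},
        {"pkg": {"name": "curl", "secfixes": {
            "8.4.0-r0": ["CVE-1900-0004"],
        }}},
    ],
})

SecDb = Dict[str, Dict[str, List[str]]]


def load_secdb(text: str) -> SecDb:
    """Flatten security.json into {package name: {version: [CVE ids]}}."""
    data = json.loads(text)
    secdb: SecDb = {}
    for entry in data.get("packages", []):
        pkg = entry["pkg"]
        secdb[pkg["name"]] = pkg.get("secfixes", {})
    return secdb


def versions_listing(secdb: SecDb, package: str, cve: str) -> List[str]:
    """Versions of `package` whose secfixes entry names `cve`."""
    return sorted(v for v, ids in secdb.get(package, {}).items() if cve in ids)


def advisory_status(secdb: SecDb, package: str, cve: str) -> str:
    """Classify what the feed says about (package, cve).

    Assumption: version "0" follows the Alpine secdb convention and marks a
    CVE the package is not affected by. A CVE the feed never mentions comes
    back as "absent": that is the case for advisories that have no fixed
    version yet, so a scanner matching only against this feed cannot flag it.
    """
    versions = versions_listing(secdb, package, cve)
    if not versions:
        return "absent"
    fixed = [v for v in versions if v != "0"]
    if not fixed:
        return "not-affected"
    return "fixed:" + ",".join(fixed)


def cves_in_feed(secdb: SecDb, package: str) -> List[str]:
    """Every CVE id the feed knows for `package`, fixed or not-affected."""
    return sorted({c for ids in secdb.get(package, {}).values() for c in ids})


if __name__ == "__main__":
    # Replace SAMPLE_SECURITY_JSON with the downloaded feed text to check the live data.
    db = load_secdb(SAMPLE_SECURITY_JSON)
    for pkg, cve in [("go-1.21", "CVE-2023-29406"), ("go-1.21", "CVE-1900-0001"),
                     ("go-1.21", "CVE-1900-0003"), ("curl", "CVE-1900-0004")]:
        print(f"{pkg} {cve}: {advisory_status(db, pkg, cve)}")
```

Feeding the real security.json text into `load_secdb` lets you confirm, for any advisory shown on the Chainguard page, whether it is present in the data grype matches against; an "absent" result for a package/CVE pair that the advisory page lists means the scanner has no entry to match, regardless of the advisory's status.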