I encountered this issue while working on a project to retrieve and parse CVE data, along with the related metadata, directly from the Grype DB. I noticed that a significant portion of CVEs (about 40%) were missing from the main vulnerability table, even though they were listed in the metadata. CVE-2020-0001 was just an example; this issue affects a substantial number of entries.
The absence of component data for these CVEs is causing problems in our matching process, as we rely on the full set of vulnerability information for accurate results. This gap makes it difficult to account for all vulnerabilities effectively.
This issue is also related to another question I posted, where I encountered discrepancies between expected and actual artifact names in the DB. These missing entries are adding to the challenges in aligning and cross-referencing CVE data accurately.