Hi @TimBrown1611, thanks for the suggestion!
My concern with this feature is that it would frustrate users, because they might see a CVE, and then upgrade the affected package, and then see it again.
I think a better workaround in the meantime is probably to run Grype and Syft on a subset of the system at a time. For example, you could run Syft with only the RPM cataloger enabled and pass the result to Grype, and then run Syft again with the RPM cataloger disabled and pass the result to Grype. Or maybe it makes sense to use directories instead of catalogers. Will this workaround help you in the meantime?
Also, I want to link back to the existing thread at "Improvements to scanning whole machine" because these conversations are related.