This config is false by default (meaning packages that are kernel header files will not be matched against CVEs against the kernel itself), but I think since you’re scanning a VM, you’re finding actual kernel-modules and kernel-core, and not just header files whose source RPM is the kernel.
I think in this case Grype’s output is correct, it’s just really noisy because there are a lot of CVEs involving the kernel.
This might be a special case of making Grype’s output more focused. In particular, we’re starting to think about ways to make Grype’s output be grouped by CVE, or by package, or something. (Right now it’s grouped by “match,” that is, by each package<>CVE pair.)
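The comment above describes Grype's per-match output and the idea of regrouping it by CVE or by package to cut the noise. The script below is an added example, not part of the original thread and not Grype's own code: it reads a report in the shape of `grype -o json` (a top-level `matches` list whose entries carry `vulnerability` and `artifact` objects) and regroups it both ways, plus a small "noisiest packages" view that surfaces cases like a kernel package matched against many CVEs. The embedded report, its CVE ids, package names and versions are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a Grype JSON report (`grype -o json`).
# The CVE ids, package names and versions are placeholders, not real scan data.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
         "artifact": {"name": "kernel-core", "version": "1.0-1", "type": "rpm"}},
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
         "artifact": {"name": "kernel-modules", "version": "1.0-1", "type": "rpm"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"},
         "artifact": {"name": "kernel-core", "version": "1.0-1", "type": "rpm"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low"},
         "artifact": {"name": "openssl-libs", "version": "3.0.7-1", "type": "rpm"}},
    ]
})


def package_key(artifact):
    """Identify a package as name@version so different versions stay separate."""
    return f"{artifact['name']}@{artifact['version']}"


def load_matches(report_text):
    """Return the per-match list Grype emits (one entry per package<>CVE pair)."""
    return json.loads(report_text).get("matches", [])


def group_by_cve(matches):
    """CVE id -> sorted list of affected packages."""
    groups = defaultdict(set)
    for m in matches:
        groups[m["vulnerability"]["id"]].add(package_key(m["artifact"]))
    return {cve: sorted(pkgs) for cve, pkgs in sorted(groups.items())}


def group_by_package(matches):
    """package@version -> sorted list of CVE ids matched against it."""
    groups = defaultdict(set)
    for m in matches:
        groups[package_key(m["artifact"])].add(m["vulnerability"]["id"])
    return {pkg: sorted(cves) for pkg, cves in sorted(groups.items())}


def noisiest_packages(matches, top=3):
    """Packages with the most distinct CVEs first; ties broken by name."""
    by_pkg = group_by_package(matches)
    return sorted(by_pkg.items(), key=lambda kv: (-len(kv[1]), kv[0]))[:top]


def render(groups, title):
    """Plain-text summary: one line per group with its member count."""
    lines = [title]
    for key, members in groups.items():
        lines.append(f"  {key} ({len(members)}): {', '.join(members)}")
    return "\n".join(lines)


if __name__ == "__main__":
    matches = load_matches(SAMPLE_REPORT)
    print(render(group_by_cve(matches), "By CVE:"))
    print(render(group_by_package(matches), "By package:"))
    print("Noisiest:", noisiest_packages(matches, top=1))
```

To use it on a real scan, replace `SAMPLE_REPORT` with the contents of a `grype -o json` run; the grouping keys only rely on the `vulnerability.id` and `artifact.name`/`artifact.version` fields, so the rest of the report is ignored.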