RHSA vulnerability not detected

[adrianmarcu18]

Is this a request for help?:
Not a request for help.

Is this a BUG REPORT or a FEATURE REQUEST? (choose one):
Bug report

Version of Anchore Engine and Anchore CLI if applicable:
v1.1.0

What happened:
High Vulnerability RHSA-2022:0666 (CVE-2022-24407) not detected for RHEL 7 images.

What did you expect to happen:
Vulnerability CVE-2022-24407 to be detected on RHEL 7 images.

Any relevant log output from /var/log/anchore:
No relevant logs are needed.

What docker images are you using:
Centos 7 base images.

How to reproduce the issue:
Analyze any Centos 7 image with cyrus-sasl-lib:2.1.26-23.el7 package (or lower version). No vulnerabilities will be found.

Anything else we need to know:
Upon checking the latest version of the grypedb (as of today 07.03.2022), if we filter out on CVE-2022-24407, we can see that RHEL sources are not there. Only debian, sles and ubuntu listed.
The latest rhel7 vulnerability listed in grype is CVE-2022-25315, which was published on 19.02.2022.
The vulnerability which is not detected is from 22.02.2022

[adrianmarcu18]

In the meantime it seems the grypedb has been updated with the latest vulnerabilities, including the one mentioned above. Would be nice to have some root cause for the issue so that we can have more trust in grypedb being up to date.

[zhill]

We recently identified an issue with the RedHat security API returning 403s intermittently during the grype db build process. We made some configuration changes to reduce the likelihood of what appears to be rate-limiting and are no longer seeing the issues and continue to monitor the situation to ensure builds continue daily as expected.