nix-community / vulnix

Vulnerability (CVE) scanner for Nix/NixOS.

Don't report whitelisted CVEs again

ckauhaus opened this issue · comments

Currently, whitelist rule matches are atomic. This means that if some of the CVEs for a given package are covered by a whitelist rule and some are not, the whole set of CVEs is reported again. This goes against users' expectations.

For example, see NixOS/nixpkgs#42882 - exiv2 got a few new CVEs but most of them have already been covered in previous vulnerability roundups and have been added to the whitelist.

It would be better to report non-whitelisted CVEs only.
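The two behaviours contrasted in this issue, as an added example that is not vulnix's own code: `report_atomic` models the current all-or-nothing match, `report_per_cve` the requested per-CVE filtering. The rule shape (package name plus a set of CVE ids, empty set meaning the whole package is whitelisted) and the CVE ids are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class WhitelistRule:
    """One whitelist entry. Constructed shape, not vulnix's real rule format:
    an empty `cves` set is taken to mean "every CVE of this package"."""
    pname: str
    cves: FrozenSet[str]

    def covers(self, cve: str) -> bool:
        return not self.cves or cve in self.cves


def report_atomic(pname: str, found: Set[str], rules: List[WhitelistRule]) -> Set[str]:
    """Behaviour described in the issue: a rule suppresses the report only when it
    covers every CVE found for the package; a partial match re-reports all of them."""
    for rule in rules:
        if rule.pname == pname and all(rule.covers(c) for c in found):
            return set()
    return set(found)


def report_per_cve(pname: str, found: Set[str], rules: List[WhitelistRule]) -> Set[str]:
    """Requested behaviour: drop each CVE that any matching rule covers and report the rest,
    so only genuinely new CVEs surface in the next roundup."""
    return {
        cve for cve in found
        if not any(rule.pname == pname and rule.covers(cve) for rule in rules)
    }


# Constructed sample: two CVEs already whitelisted for exiv2, one new one appears.
SAMPLE_RULES = [WhitelistRule("exiv2", frozenset({"CVE-0000-0001", "CVE-0000-0002"}))]
SAMPLE_FOUND = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"}

if __name__ == "__main__":
    print("atomic  :", sorted(report_atomic("exiv2", SAMPLE_FOUND, SAMPLE_RULES)))
    print("per-CVE :", sorted(report_per_cve("exiv2", SAMPLE_FOUND, SAMPLE_RULES)))
```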