Just to give a bit of context: one of the problems with publishing severities as-is is that a distribution looks less secure when it actually is not. For example, publishing docker images to quay.io for several distributions will make Debian look worse than the others.
| Tag | Last Modified | Security Scan |
|---|---|---|
| ubuntu-20.04-java | an hour ago | 5 Medium |
| debian-11-java | 2 hours ago | 1 High |
| centos-7 | 6 hours ago | Passed |

Here Debian reports https://security-tracker.debian.org/tracker/CVE-2021-33574 as High, but this CVE only seems to affect glibc 2.32 & 2.33, while all versions of Debian (but sid) have 2.31 or earlier, so they shouldn't be affected. The RedHat/Fedora bug tracker clearly states that, and Ubuntu has the CVE in "Triage" status, so it doesn't show up in the scan report in quay.io (and I guess in many other scanning tools which rely on distribution security bug trackers).
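A triage check of the kind the comment above is asking for, as an added example (not code from the original comment, from quay.io, or from any distribution tracker): it re-rates a scanner finding by comparing the installed upstream version against the range the CVE actually affects, instead of copying the tracker severity as-is. The `Finding` class, the `AFFECTED` table and the version-parsing helper are constructed for this example; the 2.34 upper bound of the affected range is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    package: str
    installed: str          # version as the scanner reports it, e.g. "2.31-13+deb11u5"
    tracker_severity: str   # severity copied from the distribution tracker


# Constructed advisory data, not a real feed: upstream affected range per (CVE, package)
# as a half-open interval [first_affected, first_fixed). For CVE-2021-33574 the comment
# states glibc 2.32 and 2.33 are affected; the 2.34 upper bound is an assumption.
AFFECTED = {
    ("CVE-2021-33574", "glibc"): ((2, 32), (2, 34)),
}


def upstream_version(pkg_version: str) -> tuple:
    """Reduce a distro version string to a comparable tuple of its upstream numbers:
    '2:2.31-13+deb11u5' -> (2, 31)  (epoch and Debian revision are dropped)."""
    v = pkg_version.split(":", 1)[-1]   # drop epoch, if any
    v = v.split("-", 1)[0]              # drop Debian revision, if any
    nums = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums)


def effective_severity(f: Finding) -> str:
    """Keep the tracker severity only when the installed upstream version is in range;
    with no upstream range on file there is nothing to correct with, so keep it as-is."""
    rng = AFFECTED.get((f.cve, f.package))
    if rng is None:
        return f.tracker_severity
    lo, hi = rng
    return f.tracker_severity if lo <= upstream_version(f.installed) < hi else "Not affected"


def summarize(findings) -> dict:
    """Count findings per effective severity, like the Security Scan column above."""
    counts = {}
    for f in findings:
        sev = effective_severity(f)
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: the debian-11-java row, glibc 2.31 flagged High by the tracker
    print(summarize([Finding("CVE-2021-33574", "glibc", "2.31-13+deb11u5", "High")]))
```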