When I was tested joomla sites by the joomscan, I found the incorrect report about components vulnerability.
It's 2 issues. Please fix it.

1. Not report vulnerability even if sites has components vulnerability.
   I guess root cause is variable scope that is incorrect.
   In the components.pl, variable as comversion is use in version compare.
   So you shouldn't define at line 47 with local variable.
   (for example, define at 42(my $comversion) then use at 47($comversion = $1))

2. Not report CVE reference.
   I guess root cause is compare the strings that is incorrect.
   In the components.pl at line 78, you should compare @matches[3] and /^-$/ because of /-/ is used as null at local vulnerability db.

Executed command
perl joomscan.pl --url <URL> --ec

Actual report

Name: *****
Location : <URL>/components/<com>/
Directory listing is enabled : <URL>/components/<com>/
Installed version : *.*
[!] We found the component "****", but since the component version was not available we
cannot ensure that it's vulnerable, please test it yourself.             <- incorrect
Title : **** 
Reference : https://www.exploit-db.com/exploits/****
Fixed in : *.*

Expected report

Name: *****
Location : <URL>/components/<com>/
Directory listing is enabled : <URL>/components/<com>/
Installed version : *.*
[!] We found the component "****".                          <- expect
Title : ****
Reference : http://www.cvedetails.com/cve/****              <- expect
Reference : https://www.exploit-db.com/exploits/****
Fixed in : *.*