Description
What would you like to be added:
Grype has a --by-cve option, which provides an output that seems more intuitive to many stakeholders, since it orients the matches around the NVD CVE as the identifier, rather than using other ecosystem identifiers (e.g. GHSA, ALAS, etc.) depending on which the vulnerability was matched. However, right now the switch from grype's default output to the --by-cve output is somewhat lossy. The request in this issue is to raise the quality of information presented by grype in --by-cve to be at least equal to that presented by the default grype output, with the possible future goal of making the --by-cve output the default.
This is a tracking issue with several sub-issues:
- Duplicate CVE due to --by-cve lacks FIXED-IN data #1202
- --by-cve reorients everything (severity, CVSS, etc.) around the NVD score, which is not always going to be desired.
- --by-cve causes a significant increase in the number of reported vulns for Amazon and Oracle, since a single ELSA or ALSA identifier may fix a huge number of CVEs.
Why is this needed:
--by-cve is preferred by many users, and they should be able to use it without the above caveats.
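The following is an added illustration, not code from grype or this issue, of the two regroupings the sub-issues describe: a naive by-CVE view that rebuilds each row from the NVD record (dropping ecosystem fixed-in data, which leaves duplicate rows when two advisories cover the same CVE on the same package) beside a merged view that keeps the advisory fix versions, the advisory severities and the NVD severity together. The match records, the NVD severity table and the field names are constructed for the example and are a simplified stand-in for grype's real JSON output, not its actual schema.

```python
from collections import defaultdict

# Constructed sample matches in a simplified, grype-like shape. This is NOT grype's
# real JSON schema; it keeps only the fields needed to show the regrouping problem.
# Each match is keyed by the ecosystem identifier it was matched under, carries that
# ecosystem's fix data, and lists the CVEs the advisory relates to.
SAMPLE_MATCHES = [
    {"id": "GHSA-xxxx-yyyy-zzzz", "package": "libfoo", "version": "1.0.0",
     "severity": "High", "fixed_in": ["1.0.1"], "related_cves": ["CVE-2023-0001"]},
    {"id": "ALAS-2023-0002", "package": "libfoo", "version": "1.0.0",
     "severity": "Medium", "fixed_in": ["1.0.0-2.amzn2"], "related_cves": ["CVE-2023-0001"]},
    # One distro advisory that fixes several CVEs at once (the ELSA/ALSA fan-out case).
    {"id": "ELSA-2023-0003", "package": "kernel", "version": "5.4.0",
     "severity": "High", "fixed_in": ["5.4.1"],
     "related_cves": ["CVE-2023-0010", "CVE-2023-0011", "CVE-2023-0012"]},
]

# Constructed NVD severities, standing in for the NVD record a --by-cve view reorients around.
NVD_SEVERITY = {"CVE-2023-0001": "Critical", "CVE-2023-0010": "Low",
                "CVE-2023-0011": "Medium", "CVE-2023-0012": "High"}


def advisory_count(matches):
    """Number of distinct ecosystem advisories, i.e. the row count of the default view."""
    return len({m["id"] for m in matches})


def naive_by_cve(matches):
    """Lossy regrouping: one row per (CVE, package) built only from the NVD record.
    Ecosystem fix data is dropped, and two advisories covering the same CVE on the
    same package produce two identical rows."""
    rows = []
    for m in matches:
        for cve in m["related_cves"]:
            rows.append({"cve": cve, "package": m["package"], "version": m["version"],
                         "severity": NVD_SEVERITY.get(cve, "Unknown"), "fixed_in": []})
    return rows


def merged_by_cve(matches):
    """Lossless regrouping: group by (CVE, package, version), keep the union of the
    ecosystem fix versions, remember which advisories matched, and carry both the
    NVD severity and each advisory's own severity so neither view is lost."""
    groups = {}
    for m in matches:
        for cve in m["related_cves"]:
            key = (cve, m["package"], m["version"])
            row = groups.setdefault(key, {
                "cve": cve, "package": m["package"], "version": m["version"],
                "nvd_severity": NVD_SEVERITY.get(cve, "Unknown"),
                "fixed_in": set(), "sources": {}})
            row["fixed_in"].update(m["fixed_in"])
            row["sources"][m["id"]] = m["severity"]
    result = []
    for row in groups.values():
        row["fixed_in"] = sorted(row["fixed_in"])  # deterministic output for reporting/diffing
        result.append(row)
    return result


def rows_per_advisory(matches):
    """How many by-CVE rows each advisory expands into; explains the count inflation."""
    counts = defaultdict(int)
    for m in matches:
        counts[m["id"]] += len(m["related_cves"])
    return dict(counts)


if __name__ == "__main__":
    naive = naive_by_cve(SAMPLE_MATCHES)
    merged = merged_by_cve(SAMPLE_MATCHES)
    print(f"advisories: {advisory_count(SAMPLE_MATCHES)}, naive by-cve rows: {len(naive)}, "
          f"merged by-cve rows: {len(merged)}")
    print("rows per advisory:", rows_per_advisory(SAMPLE_MATCHES))
    for row in merged:
        print(row["cve"], row["package"], row["nvd_severity"], row["fixed_in"], row["sources"])
```

Run against the constructed input, the default view has 3 advisories, the naive by-CVE view has 5 rows (two of them identical, with no fixed-in data at all), and the merged view has 4 rows, with the libfoo row carrying both fix versions and both advisory severities next to the NVD severity. The kernel advisory still expands to 3 rows in either by-CVE view; that fan-out is inherent to a CVE-oriented listing, which is why the merged rows keep the source advisory so a reader can see that one fix closes all three.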