Relation between NVTs and CVEs


I have a probably very basic question about the logic of how a scan is executed: is it correct that NVTs can be either generic OR specific to certain operating systems?

For example, if a CVE exists for a certain .jar file and there’s an NVT for CentOS 8, but not for RHEL 8, would a report for a RHEL 8 system then not show a result for this CVE, even if the scan config contains the local security checks for CentOS?

What should I read to better understand how NVTs, CPEs and CVEs fit together and why I sometimes don’t see results I would expect?



GVM versions

gsad: Greenbone Security Assistant 21.4.2
gvmd: Greenbone Vulnerability Manager 21.4.3
openvas-scanner: OpenVAS 21.4.2
gvm-libs: gvm-libs 21.4.2


Operating system: Rocky Linux release 8.5 (Green Obsidian)
Kernel: Linux greenbone 4.18.0-348.2.1.el8_5.x86_64 #1 SMP Tue Nov 16 14:42:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Installation method / source: dnf /$releasever-$basearch