Finding list of packages vulnerable to a given CVE
Apart from downloading the Red Hat OVAL files and interpreting them to find vulnerable packages, is there any way to get a relationship between CVEs and affected packages?
We have looked at Satellite (5.6), and indeed it does have an API call (listPackages) that is documented as returning a list of affected packages for a particular Errata (which can easily be related to CVEs). However, "affected" in this case appears to be a list of packages that FIX a given problem, not those that are vulnerable to it. As some vulnerabilities (e.g. the recent OpenSSL issues) get introduced and fixed fairly quickly, I don't want to mark anything PRIOR to the fixed version, as that causes issues due to all the false positives.
Does anyone have a solution?
- I also know that if we registered a server with Satellite we'd be able to get a list from the system namespace (system.getRelevantErrata and getRelevantErrataByType), but I need to be able to do this for arbitrary packages, not necessarily ones installed on servers.
TIA
Hamish
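Added example, not from the original post or from Red Hat: a minimal Python reading of an OVAL fragment in the layout of Red Hat's feed, mapping each CVE reference to the package name and the fixed EVR from its rpminfo state ("less than" the fixed EVR means vulnerable), plus an rpm style EVR comparison so an arbitrary package version, not only one installed on a registered host, can be checked. The XML fragment, its ids and the CVE number are constructed placeholders, and the version comparison is a simplified rpmvercmp.

```python
import re, xml.etree.ElementTree as ET
NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "l": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}
# Constructed fragment in the layout of Red Hat's OVAL feed; ids, advisory and CVE are placeholders.
SAMPLE_OVAL = """<oval_definitions xmlns="%s" xmlns:r="%s"><definitions>
<definition id="oval:com.redhat.rhsa:def:1" class="patch"><metadata><reference source="CVE" ref_id="CVE-0000-0001"/>
</metadata><criteria operator="AND"><criterion test_ref="oval:com.redhat.rhsa:tst:1"/></criteria></definition>
</definitions><tests><r:rpminfo_test id="oval:com.redhat.rhsa:tst:1" check="at least one">
<r:object object_ref="oval:com.redhat.rhsa:obj:1"/><r:state state_ref="oval:com.redhat.rhsa:ste:1"/></r:rpminfo_test></tests>
<objects><r:rpminfo_object id="oval:com.redhat.rhsa:obj:1"><r:name>openssl</r:name></r:rpminfo_object></objects>
<states><r:rpminfo_state id="oval:com.redhat.rhsa:ste:1">
<r:evr datatype="evr_string" operation="less than">1:1.0.1e-16.el6_5.7</r:evr></r:rpminfo_state></states>
</oval_definitions>""" % (NS["d"], NS["l"])

def affected_ranges(oval_xml):  # -> {cve: [(package, fixed_evr), ...]}; vulnerable below fixed_evr
    root = ET.fromstring(oval_xml)
    names = {o.get("id"): o.findtext("l:name", namespaces=NS) for o in root.iterfind(".//l:rpminfo_object", NS)}
    evrs = {s.get("id"): s.find("l:evr", NS) for s in root.iterfind(".//l:rpminfo_state", NS)}
    tests = {t.get("id"): (names.get(t.find("l:object", NS).get("object_ref")),
                           evrs.get(t.find("l:state", NS).get("state_ref")))
             for t in root.iterfind(".//l:rpminfo_test", NS)}
    out = {}
    for d in root.iterfind(".//d:definition", NS):
        cves = [r.get("ref_id") for r in d.iterfind(".//d:reference", NS) if r.get("source") == "CVE"]
        for c in d.iterfind(".//d:criterion", NS):
            name, evr = tests.get(c.get("test_ref"), (None, None))
            if evr is not None and evr.get("operation") == "less than":  # skip signing-key and platform tests
                for cve in cves:
                    out.setdefault(cve, []).append((name, evr.text))
    return out

def _segcmp(a, b):  # simplified rpmvercmp: digit runs compare as ints, letter runs lexically, digits beat letters
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win; no '~' or '^' handling

def evr_cmp(a, b):
    """Compare two [epoch:]version-release strings the way rpm orders them; a missing epoch counts as 0."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":") if ":" in evr else ("0", "", evr)
        return [epoch] + list(rest.partition("-")[::2])
    return next((c for c in map(_segcmp, split(a), split(b)) if c), 0)

def is_vulnerable(package, evr, cve, ranges):  # works for any package EVR, not only ones installed on a host
    return any(p == package and evr_cmp(evr, fixed) < 0 for p, fixed in ranges.get(cve, []))
```

Real feeds carry several definitions per CVE (one per product release) alongside platform and signing-key criteria, so filter by the definition's platform before applying a match across releases; note also that an EVR without an epoch sorts below "1:" versions, which is the rpm behaviour, not a bug.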