While reviewing the contents of the scap-data.tar.gz archive from scap-data image, I noticed that there are quite a few duplicates of the CVE files.
I’m not 100% certain if these files are currently necessary for the system, but it seems like they might be legacy data: nvdcve-2.0-[year].xml. gvmd uses nvdcve-2.0-[year].json.gz instead.
If they are truly not used, removing them could significantly reduce extracted size and make updates faster to download.