Most vendors that I am scraping already have a confidence score, which is approximated on a statistical level. For example, I can't trust the fixed states of Ubuntu and Debian, so they got a lower confidence score, compared to, say, Arch Linux, which has the highest confidence in that regard.
Matching package names overall is what I was using the CPEs for initially, but it's way too much overhead to match those in a separate database/table.
There were specific requirements to correctly understand and identify a flaw; I had disputed over 100 CVEs and corrected MITRE's scoring of over 300.
Are you considering this situation on your site, when vendors (such as Red Hat) dispute a CVE or disagree with a score?