We skip some important information about security vulnerabilities if the port epoch is > 1.
server1# pkg audit nginx-1.20.0_2,1
nginx-1.20.0_2,1 is vulnerable:
Works well. But if we change the epoch to 2:
server1# pkg audit nginx-1.20.0_2,2
0 problem(s) in 0 installed package(s) found.
The nginx port is currently at epoch 2.
% pkg audit nginx-1.20.0_2,2
nginx-1.20.0_2,2 is vulnerable:
NGINX -- 1-byte memory overwrite in resolver
1 problem(s) in 1 installed package(s) found.
I suspect your vuln.xml file is/was out of date. This was fixed in c2a2f2b35ad4:
Note that because of a syntax error introduced in c7737d4b2e5d on 2021-06-10, the vuln.xml file has not been updated until approximately an hour ago. The build was fixed in 46119dd553f1:
See also #256789