Mark projects as vulnerable in CVS logic

What does this MR do and why?

This change makes sure the projects are marked as vulnerable in continuous vulnerability scanning logic.