BigFix recently published a new KB article that addresses how to keep BigFix Compliance from over-reporting CVEs.
The contents of the KB article can be found here:
SCA Vulnerability domain may report more CVEs than expected
For additional background, see this KB article:
Why are my machines not relevant for any superseded fixlets?