The products and vendors, which are listed in the affected Column of a CVE are often not vulnerable.
For example:
The CVE-2021-44738 has multiple configurations, but only one of each configuration is vulnerable.
From the first configuration only "b2236_firmware" is vulnerable, but not "b2236", if you check the JSON object.

The solution would be to change the function convert_cve in opencve/utils.py.
Instead of just using the nested_lookup for the cpe23Uri, there could be a if-statement, checking if the boolean for vulnerable is True.

If there is a intend, that, for example the OS or the hardware is listed as affected in a CVE, then there could be another possibility to differentiate between associated and vulnerable products. The problem without distinction is, that, via the mail-service, the users gets a lot of notifications, which are not relevant, if he/she doesn't have the actual vulnerable software installed.

PS. big fan of this project, keep the good work up 😄