Currently --all-packages flag only adds/includes packages that don't have any vulnerabilities. It should also add packages that have been filtered out because it can't be scanned for whatever reason.

In osvscanner.go after the initial scanning phase we do multiple filtering steps (most of the logic will be in filter.go). Specifically before querying packages are filtered out according to the config rules and according to whether they are scannable or not.

These filtered packages should be set aside somewhere and then re-added back into the final result if the --all-packages flag is passed in.