Scanning SBOM of unsupported OS produces empty vuln json

[Bah-bah]

Hi!
I was experimenting with scanning of various OS images and came across this case. I got Fedora official docker image
docker pull fedora
made SBOM of it
docker run -v /dir/app aquasec/trivy rootfs app/fedora-fs/ --format cyclonedx --scanners vuln -q > image.cyclonedx
and then scan resulting SBOM
docker run -v /dir:/app aquasec/trivy sbom app/image.cyclonedx --format json -q > image-rootfs.json
As I can see here Trivy doesn't support Fedora. And I expected it at least to show me warning message about unsupported OS or even fail on some step (on scan, for example). Instead, I got valid SBOM with Fedora's packages and short scan results' json without Results section and any mention of unsupported OS.
Here it is:

{
  "SchemaVersion": 2,
  "CreatedAt": "2024-05-04T08:03:28.276474256Z",
  "ArtifactName": "app/fedora.cyclonedx",
  "ArtifactType": "cyclonedx",
  "Metadata": {
    "OS": {
      "Family": "fedora",
      "Name": "40"
    },
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  }
}

It's interesting that running image command shows the desired warning:

viktorlapin$ docker run aquasec/trivy image fedora
5-04T08:26:56Z	INFO	Vulnerability scanning is enabled
2024-05-04T08:26:56Z	INFO	Secret scanning is enabled
2024-05-04T08:26:56Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-04T08:26:56Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-04T08:27:07Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="libcomps" version="0.1.20"
2024-05-04T08:27:07Z	INFO	Detected OS	family="fedora" version="40"
2024-05-04T08:27:07Z	WARN	Unsupported os	family="fedora"
2024-05-04T08:27:07Z	INFO	Number of language-specific files	num=0

The main question here is: Do I have a way to distinguish between scanning of unsupported OS and scan result without vulnerabilities?

[Bah-bah]

Any thoughts on this matter?