@Engineer_Matt Try this, just replace with valid CVEs first:
SELECT dvr.reference, asset_id , da.ip_address, round(dv.riskscore::numeric, 0) AS risk
FROM fact_asset_vulnerability_finding favf
JOIN dim_asset da USING (asset_id)
JOIN dim_vulnerability dv USING (vulnerability_id)
JOIN dim_vulnerability_reference dvr using (vulnerability_id)
where dvr.reference in ('CVE-2021-xxxx','CVE-2021-xxxx')
ORDER BY da.ip_address ASC, dv.title ASC
NOTE: Not all R7 vulnerabilities have a CVE reference like you would expect. As of today, there are 124 that are missing a CVE reference but do have a CVE mentioned in the title, description, or ID. I have Raised an R7 support case to try and get them fixed.