Can't determine the CVE existence in 18.10

Asked by Shay Berkovich

How can I reliably determine whether a CVE has been patched in semi-annual releases? For example, CVE-2018-18313 is fixed in 18.04 with 5.26.1-6ubuntu0.3 according to https://launchpad.net/ubuntu/+source/perl , but is it fixed in 18.10? The release notes (https://wiki.ubuntu.com/CosmicCuttlefish/ReleaseNotes) do mention Perl version 5.26.2 (same as detected by my component scanner), which makes me think this vulnerability is still unfixed because upstream it was only fixed in 5.26.3. Is this reasoning correct? Is there an easier way to determine the existence of vulnerabilities in semi-annual releases?

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee

Manfred Hampl (m-hampl) said :
#1

Ubuntu 18.10 ("cosmic") is not supported any more ("End of life" status since July 2019).

Even if a patch has been provided for that CVE - see https://usn.ubuntu.com/3834-1/ - there might be several other vulnerabilities that haven't been patched any more.

It is strongly recommended to upgrade to a supported Ubuntu release in due course.

Shay Berkovich (sshayb) said :
#2

My question lies in the realm of technical vulnerability detection, not the distro usage perspective. I am doing research on various container image scanners and need a way to determine whether vulnerabilities flagged by scanners are TPs or FPs. I can do that fairly easily on LTS releases but am looking for a reliable way to do this on semi-annual releases.

Manfred Hampl (m-hampl) said :
#3

In Ubuntu the case is tricky, even for LTS releases.

Ubuntu is not a rolling release. This means that package versions usually are not updated to higher versions than the one initially provided with a certain Ubuntu release.
Newer package versions are provided only with newer Ubuntu releases.

If a bug has been detected in a package, then in most cases only the relevant patch is applied to the Ubuntu software, instead of upgrading the whole package to a higher version.

A random example:
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11048.html
PHP versions 7.2.x below 7.2.31 are vulnerable. The solution for Ubuntu bionic (18.04 LTS) was patching php7.2 from version 7.2.24-0ubuntu0.18.04.4 to 7.2.24-0ubuntu0.18.04.6, and not an upgrade to 7.2.31.

change log:
  * SECURITY UPDATE: Denial of service through oversized memory allocated
    - debian/patches/CVE-2019-11048.patch: changes types int to size_t
      in main/rfc1867.c.

Vulnerability scanners using version number comparison often will produce false positives when running on Ubuntu.
There is no difference whether it is an LTS or non-LTS release.

Shay Berkovich (sshayb) said :
#4

Container image scanners traditionally get their library versions from package managers; in Ubuntu's case that means running something like this:

dpkg-query --admindir=... -W -f=...

Here is a sample output on 18.10:
bzip2 CVE-2016-3189 1.0.6
coreutils CVE-2016-2781 8.28-1ubuntu2
glibc, libc6 CVE-2016-10739 2.28-0ubuntu1

Isn't this enough to correctly determine the package version (assuming no out-of-dpkg installations)? I am interested to know when this is not the case.

Given the package version as above and the fact that software composition of 18.10 hasn't changed since July 2019, I would expect it would be easier to determine the vulnerability presence on this release.

Ideally I would see applicability of the CVE in the CVE description page (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11048.html), but it seems you only provide information for semi-annual releases that are under support.

Manfred Hampl (m-hampl) said :
#5

The reason that you do not see Ubuntu 18.10 on https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11048.html (and other CVE pages) is that Ubuntu 18.10 entered "End of life" status on July 18, 2019; it is not supported any more and will not receive any bug fix since that time.

In my opinion it is completely irrelevant whether vulnerability scanners correctly detect flaws in Ubuntu 18.10, because that release is dead. This is somewhat similar to an attempt of checking Windows Vista for CVE bugs.

https://people.canonical.com/~ubuntu-security/cve provides information for all supported Ubuntu releases, and these are certain LTS Releases, and a maximum of three non-LTS releases, currently Ubuntu 19.10 (eoan) and Ubuntu 20.10 (groovy - currently in development).

See https://wiki.ubuntu.com/Releases and https://ubuntu.com/about/release-cycle for the list of supported releases and the concept behind it.
