Because some vendors maintain multiple major versions of a software package simultaneously, when a vulnerability/CVE is found, vendors must introduce a fix for each maintained major version of the software package. Lacework assesses and displays the vulnerability status for only one combination of (unique machine instance, software package, package version, CVE vulnerability ID). This means that if there are many fixed versions, Lacework must determine which one is the most appropriate for the given package version.
The following content describes the process that Lacework uses to determine which version to assess and display vulnerability status for when handling multiple fixed parallel versions.
If there are multiple fixed package versions, Lacework selects only one fixed version to assess against each installed version because there will be one fixed version out of many that is the most appropriate for comparison.
After scoring two criteria, Lacework chooses the highest scoring candidate. The two criteria are (in this order of priority):
- Longest version prefix match: a v2.* installed version is compared against a v2.* fixed version rather than a v1.* one, because the prefix `v2.` matches. If no fixed version matches the installed major version, Lacework selects the highest fixed version.
- Highest fixed version
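The selection rule above, as an added illustration that is not Lacework's own code: candidates are scored by longest shared version prefix first and highest fixed version second, and the comparison step afterwards (installed lower than the chosen fix means vulnerable) is an assumption made here, not something the page spells out. Version parsing is simplified and does not give pre-release suffixes full semver ordering.

```python
import re
from typing import List, Optional, Tuple

Component = Tuple[int, object]


def parse_version(version: str) -> Tuple[Component, ...]:
    """Split a version string into comparable components.

    Numeric parts compare numerically, everything else lexically; the leading
    tag (0 for numbers, 1 for text) keeps mixed comparisons from raising.
    Pre-release suffixes such as "-rc1" are not ordered the semver way.
    """
    parts = re.split(r"[.\-+~]", version.strip())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts if p)


def prefix_match_len(installed: Tuple[Component, ...], fixed: Tuple[Component, ...]) -> int:
    """Number of leading components the two versions share (0 = different major)."""
    n = 0
    for a, b in zip(installed, fixed):
        if a != b:
            break
        n += 1
    return n


def select_fixed_version(installed: str, fixed_versions: List[str]) -> Optional[str]:
    """Pick the single fixed version to assess an installed version against.

    Priority: (1) longest version prefix match, (2) highest fixed version.
    When no candidate shares the major version, every prefix length is 0 and
    criterion (2) alone decides, which is the "highest fixed version" fallback.
    """
    if not fixed_versions:
        return None
    inst = parse_version(installed)

    def score(candidate: str) -> Tuple[int, Tuple[Component, ...]]:
        parsed = parse_version(candidate)
        return (prefix_match_len(inst, parsed), parsed)

    return max(fixed_versions, key=score)


def is_vulnerable(installed: str, fixed_versions: List[str]) -> bool:
    """Assumed assessment step: vulnerable if installed is below the chosen fix."""
    chosen = select_fixed_version(installed, fixed_versions)
    return chosen is not None and parse_version(installed) < parse_version(chosen)
```

With constructed fixes `["1.9.5", "2.4.0", "3.0.2"]`, an installed `2.3.1` is assessed against `2.4.0` (vulnerable), while an installed `4.0.0` shares no major version and falls back to `3.0.2` (not vulnerable).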
Users of pre-v3.41 Lacework versions may notice a decrease in the number of vulnerabilities compared to the current version due to changes in Lacework detection logic. The lower number is the result of vulnerabilities showing as fixed even though no corrective action was performed.