False Positives in SUSE 12 SP3 Teradata kernels

[wagde-orca]

What did you do? (required. The issue will be closed when not provided.)

I scanned SUSE 12 SP3 with Teradata kernel installed (4.4.140-96.126.TDC.1) and we get hundreds of CVEs that is resolved in this version like CVE-2016-10905, vuls says that the fix version is 0:4.4.180-94.156.1 (not TDC) although the real fixed version is 4.4.140-96.97.TDC.1 as it appears in the oval file https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.server.12.xml.gz

I verified that the CVE and proper fixed version are in the oval DB
kernel-default,0:4.4.121-92.169.1,5
kernel-default,0:4.4.180-94.156.1,6
kernel-default,0:4.4.140-96.97.TDC.1,6
so the bug is in vuls and how we query the suse oval DB for the kernel-default package.

What did you expect to happen?

i expected not to see this CVE and many other CVEs

What happened instead?

We got 100s of old/fixed/FP cves that are fixed inthe installed kernel-default

I think that for teradata packages (which are mainly kernel related packages) we should check the TDC entries in the DB and not the "regular" ones