[14:52] <luis220413> I found another CVE OVAL false positive: CVE-2022-30594 was marked as fixed for the linux source package in Focal on May 24 (UTC) in the Ubuntu CVE Tracker, but my Ubuntu system (that only has that kernel) is marked as vulnerable.
[14:53] <luis220413> s/my Ubuntu system/one of my Ubuntu systems/
[14:56] <luis220413> Same for CVE-2022-29968, that was marked as not vulnerable
[14:57] <luis220413> Marked on May 6 (UTC), and my analysis was on July 19 (UTC).
[14:58] <luis220413> s/analysis/scan/
[18:33] <luis220413> More false positives with the same kernel on the same Ubuntu release: CVE-2022-29582 (not vulnerable), CVE-2022-29581 (released)
[18:35] <luis220413> Marked on May 4 and May 24, respectively
[18:49] <JanC> luis220413: I don't know how you scan for vulnerabilities, but some vulnerability scanning software only looks at version numbers, and not at patches...   :-/
[18:50] <luis220413> JanC: I am using OpenSCAP with Canonical's CVE OVAL.