Comment 7 for bug 1834439

Hombre (tokamak) wrote:

I understand one is for the source package and the other is for the binary package derived from the source package, and we used to parse that in our implementation.
BUT the confusion stems from the fact that you gave a version number for the binary package ** object **, in this case,

    linux-image-4.4.0-151-generic

this object represents the 'linux' package binaries and is used in the OVAL test
    oval:com.ubuntu.xenial:tst:2019114770000000
to test:
    if "Does the 'linux' package exist and is the version less than '4.4.0-151.178'?"

If you only want to represent the 'linux' package, why are you specifying the version for that binary package, though?

In the case of CVE-2019-11477 (oval:com.ubuntu.xenial:def:2019114770000000), actually in xenial all kernel versions lower than 4.4.0-151 are affected, and that comparison target is specified in the ** state **:

    <linux-def:dpkginfo_state id="oval:com.ubuntu.xenial:ste:2019114770000000" version="1" comment="The package version is less than '4.4.0-151.178'.">
    <linux-def:evr datatype="debian_evr_string" operation="less than">4.4.0-151.178</linux-def:evr>

What is the point of specifying a version in the ** object **?