I understand one is for the source package, and the other is for the binary package derived from the source package, and we used to parse that in our implementation.
BUT the confusion stems from the fact that you gave a version number for the binary package **object**, in this case,
linux-image-4.4.0-151-generic
This object represents the 'linux' package binaries, and is used in OVAL test
oval:com.ubuntu.xenial:tst:2019114770000000
to test: "Does the 'linux' package exist and is the version less than '4.4.0-151.178'?"
If you only want to represent the 'linux' package, why are you specifying the version for that binary package, though?
In the case of CVE-2019-11477 (oval:com.ubuntu.xenial:def:2019114770000000), actually in xenial all kernel versions lower than 4.4.0-151 are affected, and that comparison target is specified in the **state**:
<linux-def:dpkginfo_state id="oval:com.ubuntu.xenial:ste:2019114770000000" version="1" comment="The package version is less than '4.4.0-151.178'.">
<linux-def:evr datatype="debian_evr_string" operation="less than">4.4.0-151.178</linux-def:evr>
What is the point of specifying a version in the **object**?