Wrong package version detection for Oracle Linux

[visortelle]

I believe 1:3.0.7-25.0.1.el9_3 and 2:3.0.7-25.0.1.ksplice1.el9_3 are the same version.

Same for 2.34-83.0.2.el9_3.12 > 2:2.34-60.0.3.ksplice1.el9_2.7.

There are a few more packages affected by the same issue.

https://hub.docker.com/layers/library/oraclelinux/9-slim/images/sha256-f1bdd3635b56b12302434d86021141aceb1ca51d79457959cc8193922ee206eb?context=repo&tab=vulnerabilities

[cdupuis]

@visortelle thanks for raising this. It does look like something is not working as desired for oracle rpm packages. We’ll look into it and will report back.

[neilprosser]

@visortelle - we've made some amendments to the way we're checking the vulnerable ranges and the image is showing as free of vulnerabilities now.

Thanks again for reporting.

[visortelle]

@neilprosser - thank you for the fix.