Why do host vulnerability results show two different versions of the same package on a machine?
Generally, assessment data reflects what exists on the host at the time of assessment. In some circumstances, Lacework can carry forward fixed status data to provide information about a previously existing vulnerability that has since been patched/addressed.
Hosts must be online at least once within a 30-day window for vulnerability assessment metrics to carry forward. Carrying forward metrics means Lacework updates the existing assessment report instead of creating a new assessment report. See When Host Assessment Metrics Carry Forward for more details.
How can I fix a host vulnerability detected by an assessment?
apt remove and dpkg --remove
rpm -e PackageName (instead of yum remove PackageName).
For details, see Fix a Host Vulnerability.
Why doesn’t the host vulnerability assessment identify recently updated packages as “Fixed”?
Package collection runs hourly; however, Lacework does not restrict the assessment to the last hour of collected packages. It considers the last day of packages because the assessment interval is also daily. As a result, if a package existed within the 24 hours before the assessment, it appears in the assessment. See When Host Assessments Identify a Vulnerability as Fixed for more details.
What happens when there are multiple fix versions for the same vulnerability?
If there are multiple fixed package versions, Lacework selects only one fixed version to assess against each installed version, because one of the fixed versions is the most appropriate for comparison.
By default, Lacework displays the longest version prefix match (for example, v2.* installed versions are compared against v2.* instead of v1.*). If no major version matches, Lacework selects the highest fixed version. See Multiple Fixed Parallel Package Versions for more details.
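The selection rule described above, as an added Python example (not Lacework's code). It assumes plain dotted numeric versions; the function names, the sample versions, and the tie-break between equally long prefix matches are assumptions made for illustration.

```python
def parse(version):
    """'v2.4.1' -> (2, 4, 1). Assumes plain dotted numeric versions."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def prefix_len(a, b):
    """Number of leading components two parsed versions share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def select_fixed_version(installed, fixed_versions):
    """Longest prefix match wins; with no major match, the highest fixed version."""
    inst = parse(installed)
    # Sort key: shared-prefix length first, then the version itself. When no
    # candidate shares a major version every prefix length is 0, so the key
    # reduces to "highest fixed version". Breaking prefix ties by highest
    # version is an assumption of this example.
    return max(fixed_versions, key=lambda f: (prefix_len(inst, parse(f)), parse(f)))


def assess(installed, fixed_versions):
    """Return (fixed version compared against, whether installed is still vulnerable)."""
    fixed = select_fixed_version(installed, fixed_versions)
    return fixed, parse(installed) < parse(fixed)


# Constructed sample data: one vulnerability fixed in three parallel branches.
FIXED = ["1.9.8", "2.4.0", "3.0.2"]

if __name__ == "__main__":
    for installed in ("2.3.1", "2.4.1", "4.0.0"):
        fixed, vulnerable = assess(installed, FIXED)
        print(f"{installed}: compared against {fixed}, vulnerable={vulnerable}")
```

Comparing the installed 2.4.1 against 3.0.2 instead of its own branch's 2.4.0 would report an already patched package as vulnerable, which is the mismatch the prefix rule avoids.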