I'm trying to parse Debian OVAL feeds to establish if some packages are vulnerable or not. I'm using criterions to establish what's the vulnerable version for a package, however often there are entries saying that "version is earlier than 0", e.g.
<criteria comment="Release section" operator="AND">
<criterion comment="Debian 8 is installed" test_ref="oval:org.debian.oval:tst:1"/>
<criteria comment="Architecture section" operator="OR">
<criteria comment="Architecture independent section" operator="AND">
<criterion comment="all architecture" test_ref="oval:org.debian.oval:tst:2"/>
<criterion comment="glibc DPKG is earlier than 0" test_ref="oval:org.debian.oval:tst:21106"/>
</criteria>
</criteria>
</criteria>
I assumed that this means the package is still vulnerable, but I find some discrepancies with the security tracker. For instance both CVE-1999-1580 and CVE-2019-1010022 are listed with less than zero version in the Jessie OVAL feed, while one is listed as "vulnerable" and the other as "fixed" for Jessie in the security tracker.
How should these be handled? As vulnerable or not? If they should be handled as vulnerable does that mean that the feed is outdated when compared to the tracker?