by phelmig 4040 days ago
Great article. We'll need a better integration of security tracking and handling in our containerized infrastructure soon.

You have to be a little bit careful when it comes to version numbers and matching them to security issues. Most Linux distributions, for example, apply security patches to older releases.

E.g. Ubuntu 14.04 LTS comes with Apache 2.4.7-1ubuntu4.4, which one might parse as 2.4.7, which has multiple security issues.

The article references distribution-specific vulnerability ratings, so I assume they also matched those versions correctly.


Study co-author here. We did observe that it's essential to be careful about comparing package version numbers on a per-distro basis, and there are some tricky cases such as the one you pointed out, and rpm epoch numbers as another example. I believe we handled them correctly in the study.