greenbone / notus-scanner

Notus is a vulnerability scanner for creating results from local security checks

Home Page: https://greenbone.github.io/docs/

Notus not properly catching/interpreting the installed versions on Ubuntu 20.04

engren opened this issue · comments


I am using notus-scanner v22.4.1 and noticed that I am getting a lot of false positives after enabling this for my GVM scans. A rock solid example would be libxml2, which popped up on all my nodes that have this installed:

USN-4991-1
Vulnerable package: libxml2
Installed version:  libxml2-2.9.14+dfsg-0+ubuntu20.04.1+deb.sury.org+1
Fixed version:      libxml2-2.9.10+dfsg-5ubuntu0.20.04.1

Another that popped up in my lists are dpkg:

USN-5446-1
Vulnerable package: dpkg
Installed version:  dpkg-dev-1.19.7ubuntu3.2
Fixed version:      dpkg-1.19.7ubuntu3.2
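Both reports above are decided by two checks a local package scanner has to get right: the binary package name must match the advisory exactly, and the installed version must compare lower than the fixed version under the dpkg ordering (where 2.9.14 sorts after 2.9.10 whatever the revision suffix says). The following is an added example, not notus-scanner's own code; it reimplements the dpkg comparison algorithm and assumes the Notus output format "<name>-<version>", with the version starting at the first "-" followed by a digit.

```python
# Added example, not notus-scanner's own code: a dpkg-style Debian version
# comparison applied to the two reports above. Assumes Notus prints
# "<name>-<version>" with the version starting at the first "-<digit>".
import re

def _order(c: str) -> int:
    # dpkg weights: '~' < end-of-string/digit < letters < other symbols
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Alternate over non-digit runs (compared by _order) and digit runs (numeric)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        ni, nj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[ni:i] or 0), int(b[nj:j] or 0)
        if na != nb:
            return (na > nb) - (na < nb)
    return 0

def compare_versions(v1: str, v2: str) -> int:
    # Split "[epoch:]upstream[-revision]" and compare the three parts in order
    def parts(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (int(epoch), rest) if sep else (0, v)
        up, sep, rev = rest.rpartition("-")
        return (epoch, up, rev) if sep else (epoch, rest, "")
    e1, u1, r1 = parts(v1)
    e2, u2, r2 = parts(v2)
    return (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def is_affected(installed: str, fixed: str) -> bool:
    # Vulnerable only if the binary package names match exactly and installed < fixed
    def split(s):
        return re.match(r"^(.*?)-(\d.*)$", s).groups()  # name/version split (assumption)
    (n_i, v_i), (n_f, v_f) = split(installed), split(fixed)
    return n_i == n_f and compare_versions(v_i, v_f) < 0
```

With the issue's two reports, `is_affected` returns False for both: the libxml2 build from deb.sury.org is newer than the fixed version, and dpkg-dev is not the dpkg binary package the USN names.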

Since the release of v22.4.1, some improvements for package parsing / comparison have been included in the stable branch, but they are not released in a new version of notus-scanner yet. Namely:

Fixed with 22.4.2 release.