rasta-mouse / Watson

Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities

Incorrect logic check for vulnerable OS

LalaNguyen opened this issue

Hi, the following code marks a patched OS as vulnerable and a vulnerable one as patched.

... 
if (supersedence.Intersect(installedKBs).Any())
{
     vulnerabilities.SetAsVulnerable(name);
}
...

The supersedence stores a list of known KBs for a particular CVE. The installedKBs stores a list of KBs extracted from the target machine. Since we are enumerating for missing KBs, if none of the installedKBs is present in supersedence, the OS is considered vulnerable. I think the correct one is:

...
if (!supersedence.Intersect(installedKBs).Any())
...

Bests.

I thought I was stupid reading that code while adding a new vulnerability. Checked it, and indeed it is doing the opposite of what is expected.
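The corrected check from the issue, as an added stand-alone example for patch auditing (not code from the Watson repository or from either poster). It goes one step beyond the issue by reporting an empty KB inventory as unknown instead of as a missing fix. Assumptions: `PatchCheck`, `IsMissingFix`, the host names and all KB numbers are constructed for illustration, and the element types (numeric supersedence list, string KB names) are chosen here because the issue does not show them.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration: PatchCheck and every KB number below are constructed,
// not Watson's code or data.
static class PatchCheck
{
    // Accept "KB1000001", "kb1000001" or "1000001" and return the bare number.
    static int ParseKb(string kb)
    {
        string s = kb.Trim();
        if (s.StartsWith("KB", StringComparison.OrdinalIgnoreCase)) s = s.Substring(2);
        return int.Parse(s);
    }

    // true  = no KB from the supersedence list is installed (fix missing)
    // false = the original fix or a superseding update is installed
    // null  = the inventory is empty, so the absence of a KB proves nothing
    public static bool? IsMissingFix(IEnumerable<int> supersedence, IEnumerable<string> installedKBs)
    {
        var installed = new HashSet<int>(installedKBs.Select(ParseKb));
        if (installed.Count == 0) return null;
        return !supersedence.Intersect(installed).Any();
    }

    static void Main()
    {
        // Constructed sample: the original fix and two roll-ups that supersede it.
        var supersedence = new List<int> { 1000001, 1000002, 1000003 };

        var hosts = new Dictionary<string, string[]>
        {
            ["patched-original"]   = new[] { "KB1000001", "KB2000000" },
            ["patched-superseded"] = new[] { "kb1000003" },
            ["unpatched"]          = new[] { "KB2000000", "2000001" },
            ["no-inventory"]       = new string[0],
        };

        foreach (var host in hosts)
        {
            bool? missing = IsMissingFix(supersedence, host.Value);
            string verdict = missing == null ? "unknown (empty KB inventory)"
                           : missing.Value ? "fix missing"
                           : "fix present";
            Console.WriteLine($"{host.Key,-20} {verdict}");
        }
    }
}
```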