False positive for Ubuntu ca-certificates package

VT 2022/ubuntu/gb_ubuntu_USN_5473_1.nasl yields this result on a brand new and fully updated Ubuntu 18.04 system:

Vulnerable package: ca-certificates
Installed version: 20211016ubuntu0.18.04.1
Fixed version: 20211016~18.04.1

20211016~18.04.1 is the version number for the ca-certificates source code release; 20211016ubuntu0.18.04.1 is the binary version delivered by the apt system built from that source code release.

The same is true for other versions of Ubuntu, including at least 20.04 and 22.04.

This reference is included in the VT report:

https://ubuntu.com/security/notices/USN-5473-1

Following the links starting from this page eventually leads to pages that demonstrate this naming scheme.

This was solved last week in notus-scanner (it is unrelated to any VT) via the linked PR below, which is currently waiting to be integrated / published in the next version of notus-scanner.

https://github.com/greenbone/notus-scanner/pull/372

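Added example, not part of the thread and not notus-scanner's code or the change in the linked PR: a minimal Python implementation of dpkg's version ordering (Debian Policy), applied to the two version strings from the report. All function names are hypothetical; the plain string comparison is included only as a contrast and is not a claim about how the scanner compared versions.

```python
import re

def _order(c):
    """Sort weight of one non-digit character in dpkg's ordering."""
    if c == "~":
        return -1                 # tilde sorts before everything, even end of string
    if c == "":
        return 0                  # this non-digit run has ended
    return ord(c) if c.isalpha() else ord(c) + 256   # letters before other symbols

def _cmp_part(a, b):
    """Compare two upstream or revision strings; returns <0, 0 or >0."""
    while a or b:
        # 1. compare the leading non-digit runs character by character
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            diff = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if diff:
                return diff
        a, b = a[len(na):], b[len(nb):]
        # 2. compare the following digit runs numerically (empty run counts as 0)
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_compare(a, b):
    """Negative if a is older than b, 0 if equal, positive if newer."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_vulnerable(installed, fixed):
    """A package is affected only if it sorts strictly before the fixed version."""
    return deb_compare(installed, fixed) < 0

# Version strings quoted in the report above
INSTALLED = "20211016ubuntu0.18.04.1"
FIXED = "20211016~18.04.1"

if __name__ == "__main__":
    print("dpkg ordering flags package:", is_vulnerable(INSTALLED, FIXED))
    print("plain string comparison flags package:", INSTALLED < FIXED)
```

Under dpkg ordering the installed version sorts after the fixed version, so it should not be reported; a byte-wise string comparison puts `u` before `~` and reaches the opposite result.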