Ubuntu: Security Advisory (USN-6643-1) has been reported on one of my servers but not another with an identical setup. I suspect there may be an additional copy of the package (node-ip) on the one server, but I cannot for the life of me find it. I’m only finding the expected version in the expected place on both servers. Despite both being the same OS version and containing the same application (one is a QA server and the other production), the vulnerability is only being reported on one server (using full and fast scan).
Is there anywhere in the report where I can see where the vulnerable package is being found? Perhaps both servers have the same vulnerability - but then why does the same full and fast scan on the QA server not produce the same results?
Any insight would be appreciated!