So I have a CVE, and from that I found the relevant QID.
I run a scan on the QID, and get some results.
However, if the QID covers several CVE's....say 10 for a round number, and 9 are already patched / remediated in our infrastructure (including the CVE I'm interested in)....isn't the scan giving me false data?
How can I tell what actual CVE is not remediated i.e. is it the actual CVE I'm interested in?
Maybe I'm not understanding this correctly so would appreciate some guidance!