CVE Detection #240

@cschuber

Description

I don't know if there's a better way to do this, but running ssh-audit against a RHEL server's sshd seems to result in false CVE reporting. For example, my FreeBSD systems, which use OpenSSH 9.6p1, will correctly report all CVEs being fixed because FreeBSD usually imports OpenSSH (though it may backport patches when an import is not possible at the time). But RHEL servers, including RHEL 9.2, report CVEs that RH has documented as being fixed. ssh-audit's version vulnerability database (versionvulnerabilitydb.py) performs a simple version check, which, BTW, commercial products such as Tenable also do. False reporting of CVEs makes no sense because Red Hat backports patches to their "ancient" openssh, updating the Red Hat build number in the RPM version number.

I think this gives a false sense of a problem when there may not be one. I suspect other Linux distros may do the same.

I don't know if it is worth expanding the vulnerability database to include vendor build numbers, not reporting on CVEs for vendor-supplied OpenSSH, or simply providing an option not to report on the CVE. This is a similar problem I see with Tenable's Nessus product. Simple version number checks tell auditors and others that there is a problem when there may not be, and it casts doubt on the validity of the output. I understand the difference but others (auditors) may not.

An option may be to document this.

Just looking for your comment about this one way or another.
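To make the distinction in the report concrete, here is an added example (not ssh-audit's own code, and not its actual database format) that contrasts the banner-only version check described above with one that also consults the vendor build number from the RPM name. The CVE ids, the "fixed upstream" versions and the vendor release numbers are constructed placeholders, the RPM name layout `openssh-<major>.<minor>p<n>-<release>.<dist>` is an assumption for the example, and the banners are constructed samples.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Added example, not ssh-audit's code. All CVE ids and vendor release numbers
# below are constructed placeholders, not real vulnerability data.

UpstreamVersion = Tuple[int, int]  # (major, minor) as advertised in the banner


class VendorBuild(NamedTuple):
    upstream: UpstreamVersion
    release: int  # vendor build number, bumped when a patch is backported
    dist: str     # distribution tag, e.g. "el9"


BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")
# Assumed NEVR layout for this example: openssh-<major>.<minor>p<n>-<release>.<dist>
RPM_RE = re.compile(r"^openssh-(\d+)\.(\d+)p\d+-(\d+)\.(el\d+)")


def parse_banner(banner: str) -> Optional[UpstreamVersion]:
    """Upstream version from an SSH identification string, or None."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_rpm(nevr: str) -> Optional[VendorBuild]:
    """Vendor build from a package name such as openssh-8.7p1-34.el9 (constructed)."""
    m = RPM_RE.match(nevr)
    if not m:
        return None
    return VendorBuild((int(m.group(1)), int(m.group(2))), int(m.group(3)), m.group(4))


# Constructed database: upstream fix version plus, where known, the vendor
# release that carries the backport. Placeholder ids, placeholder numbers.
VULN_DB = [
    {"id": "CVE-PLACEHOLDER-A", "fixed_upstream": (9, 6), "vendor_fixed": {"el9": 20}},
    {"id": "CVE-PLACEHOLDER-B", "fixed_upstream": (9, 0), "vendor_fixed": {}},
]


def assess(banner: str, rpm_nevr: Optional[str] = None) -> Dict[str, str]:
    """Classify each database entry for one host.

    With only the banner this behaves like the simple version check the
    issue describes; with an RPM name it can recognise a vendor backport.
    """
    upstream = parse_banner(banner)
    if upstream is None:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    build = parse_rpm(rpm_nevr) if rpm_nevr else None
    if build is not None and build.upstream != upstream:
        raise ValueError("package version does not match banner; refusing to guess")

    result: Dict[str, str] = {}
    for entry in VULN_DB:
        if upstream >= entry["fixed_upstream"]:
            result[entry["id"]] = "fixed upstream"
            continue
        # Below the upstream fix: the naive check stops here and reports a CVE.
        if build is None:
            result[entry["id"]] = "flagged (banner version only)"
            continue
        needed = entry["vendor_fixed"].get(build.dist)
        if needed is None:
            result[entry["id"]] = "flagged (no backport data for this vendor)"
        elif build.release >= needed:
            result[entry["id"]] = "fixed by vendor backport"
        else:
            result[entry["id"]] = "flagged (vendor build predates backport)"
    return result


def flagged_count(report: Dict[str, str]) -> int:
    """Number of entries a report would still present as open findings."""
    return sum(1 for status in report.values() if status.startswith("flagged"))


if __name__ == "__main__":
    # Constructed sample hosts: a current upstream build, and a RHEL-style
    # banner assessed with and without its package name.
    for host, banner, rpm in [
        ("freebsd", "SSH-2.0-OpenSSH_9.6", None),
        ("rhel9-banner-only", "SSH-2.0-OpenSSH_8.7", None),
        ("rhel9-with-rpm", "SSH-2.0-OpenSSH_8.7", "openssh-8.7p1-34.el9"),
    ]:
        print(host, assess(banner, rpm))
```

The point of the second code path is that the banner alone cannot distinguish a patched vendor build from an unpatched one, so a tool that only sees the banner can at best label the finding as "version-based, backports not considered" rather than assert a CVE; only when it has the package release and a per-vendor backport table can it downgrade the finding.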

Labels

Pending Community Vote: The handling of this issue will be determined by a community vote. See issue comments for voting.