Problem
IQ Server may suggest a 'Golden Version' that promises:
- No breaking changes
- No policy violations for this component
- No policy violations for its dependencies
However, the suggested version is vulnerable to the same CVE. Why is this a 'Golden Version'?
Possible causes
You'll want to first check the threat levels of the policy violations across versions. For example, is the shared CVE a low-threat vulnerability, such that the scanned version and the 'Golden Version' both carry a policy violation with a threat level of 1? If so, IQ Server is suggesting the newer version because of other, more subtle improvements rather than because the CVE has been resolved.
Solution
Use the 'Compare' button in the Version Explorer to compare and contrast the two versions. You'll most likely see the subtle improvements between the versions. You can use this information to decide whether an upgrade would be appropriate.