Mismatch between source and binary package version numbers

[mssalvatore]

Some binary packages have different version numbers than the associated source package. Since CVEs in Ubuntu are tracked against source packages, some CVEScan results may be incorrect, as dpkg-query -l does not include the source package version.

Instead of using dpkg -l to query the installed packages on the system, the following command could be used to provide more detail, including the source package versions:

dpkg-query -f '${db:Status-Abbrev},${binary:Package},${Version},${source:Package},${Source:Version}\n' -W

After this change, the UCT JSON data should no longer need to include a list of binaries so that binaries can be mapped to source packages. This should significantly decrease the size of those JSON files, improving download times, JSON deserialization, and overall runtime.