Bug
Resolution: Done
As the name of the Debian updaters has changed (e.g. from debian-bullseye-updater to debian/updater/bullseye), we are surfacing vulnerabilities from both updaters on older installations. This is particularly noticeable when a vulnerability changes (e.g. when it is fixed): the matcher finds both the pre-patched definition from debian-bullseye-updater (0:0 fixed version) and the patched definition from debian/updater/bullseye (see attached screenshot).
The old-style updater will not be GCed, as no more update operations are happening to expire the old update operations.
We will probably need a DB migration to delete these legacy update operations (and their subsequent vulns).
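An added illustration, not Clair's code or schema: a toy SQLite model showing why GC keyed by updater name never expires the renamed updater's last operation, and what a cleanup migration removes. The table layout, the `LIKE 'debian-%-updater'` pattern (generalized from the one name in this report) and the sample rows are assumptions constructed here.

```python
import sqlite3

# Hypothetical, simplified schema for illustration; not Clair's real tables.
SCHEMA = """
CREATE TABLE update_operation (id INTEGER PRIMARY KEY, updater TEXT, date INTEGER);
CREATE TABLE vuln (id INTEGER PRIMARY KEY, uo INTEGER, name TEXT, package TEXT, fixed_in TEXT);
"""

def record_update(db, updater, date, vulns):
    """Store one update operation and the vulnerabilities it produced."""
    uo = db.execute("INSERT INTO update_operation (updater, date) VALUES (?, ?)",
                    (updater, date)).lastrowid
    db.executemany("INSERT INTO vuln (uo, name, package, fixed_in) VALUES (?, ?, ?, ?)",
                   [(uo, *v) for v in vulns])

def prune(db):
    """Drop vulnerabilities whose update operation no longer exists."""
    db.execute("DELETE FROM vuln WHERE uo NOT IN (SELECT id FROM update_operation)")

def gc(db):
    """GC is keyed by updater name: keep only each name's newest operation."""
    db.execute("""DELETE FROM update_operation WHERE date < (
        SELECT MAX(o.date) FROM update_operation o
        WHERE o.updater = update_operation.updater)""")
    prune(db)

def match(db, package):
    """Return (updater, name, fixed_in) from every updater's latest operation."""
    return db.execute("""SELECT uo.updater, v.name, v.fixed_in
        FROM update_operation uo JOIN vuln v ON v.uo = uo.id
        WHERE v.package = ? AND uo.date = (
            SELECT MAX(o.date) FROM update_operation o WHERE o.updater = uo.updater)
        ORDER BY uo.updater""", (package,)).fetchall()

def migrate_drop_legacy(db):
    """One-off cleanup: delete operations written under the old naming scheme."""
    db.execute("DELETE FROM update_operation WHERE updater LIKE 'debian-%-updater'")
    prune(db)

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    row = ("CVE-0000-0000", "examplepkg")  # constructed placeholder values
    record_update(db, "debian-bullseye-updater", 1, [row + ("0:0",)])
    record_update(db, "debian/updater/bullseye", 2, [row + ("0:0",)])
    record_update(db, "debian/updater/bullseye", 3, [row + ("1.2.3-1",)])
    gc(db)  # the legacy operation survives: it is still the newest for its name
    before = match(db, "examplepkg")
    migrate_drop_legacy(db)
    return before, match(db, "examplepkg")
```

`demo()` returns the matcher's results before and after the cleanup: two conflicting rows for the same vulnerability first, then only the row from the renamed updater.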