When a vulnerability is discovered in Oracle MySQL (for example, CVE-2021-2022), Percona MySQL products are not tagged as impacted.
However, they are impacted, as clearly reported here.
As a result, commercial vulnerability scanners do not report installed Percona MySQL versions as impacted and in need of an update. This is critical because many compliance schemas rely on vulnerability scanner reports as the source of truth (the same goes for internal patching processes).
It is important to highlight that this is not true in the case of any MariaDB vulnerability.
For any MariaDB vulnerability, Percona Server is tagged as impacted, as you can see in CVE-2021-27928.
I have no idea why there is this difference, or whether it is coherent with the code dependency in place.
Any suggestions on how to enable commercial vulnerability scanners to discover vulnerabilities in Percona MySQL products?
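
The gap described in the post, as an added example that is not part of the original post or of any scanner's code: a matcher that only compares vendor/product tags misses a downstream build, while a reviewed alias to the upstream product surfaces it. The feed entry, inventory, version range, vendor/product strings and the `UPSTREAM_ALIASES` table are all constructed or hypothetical.

```python
# Added illustration: every record below is constructed, not real NVD or scanner data.

# Constructed feed entry tagged only with the upstream vendor/product pair.
# The id and the version range are placeholders, not real advisory data.
FEED = [{"id": "CVE-0000-EXAMPLE", "vendor": "oracle", "product": "mysql",
         "start_incl": (8, 0, 0), "end_excl": (8, 0, 30)}]

# Constructed inventory. Assumption: a Percona Server version such as
# "8.0.20-11" carries the upstream MySQL base version before the dash.
INVENTORY = [
    {"host": "db1", "vendor": "oracle", "product": "mysql", "version": "8.0.20"},
    {"host": "db2", "vendor": "percona", "product": "percona_server", "version": "8.0.20-11"},
    {"host": "db3", "vendor": "percona", "product": "percona_server", "version": "8.0.31-23"},
]

# Hypothetical alias table: downstream build -> upstream product it is based on.
UPSTREAM_ALIASES = {("percona", "percona_server"): ("oracle", "mysql")}


def base_version(version):
    """Return the upstream base version as a tuple, dropping the build suffix."""
    return tuple(int(part) for part in version.split("-", 1)[0].split("."))


def match_basis(pkg, entry, aliases):
    """Return 'direct', 'upstream-alias' or None for one package/feed pair."""
    tagged = (entry["vendor"], entry["product"])
    own = (pkg["vendor"], pkg["product"])
    if own == tagged:
        basis = "direct"
    elif aliases.get(own) == tagged:
        basis = "upstream-alias"  # needs review against the downstream release notes
    else:
        return None
    in_range = entry["start_incl"] <= base_version(pkg["version"]) < entry["end_excl"]
    return basis if in_range else None


def scan(inventory, feed, aliases=None):
    """List (host, id, basis) findings; without aliases only exact tags match."""
    findings = []
    for pkg in inventory:
        for entry in feed:
            basis = match_basis(pkg, entry, aliases or {})
            if basis:
                findings.append((pkg["host"], entry["id"], basis))
    return findings
```

Calling `scan(INVENTORY, FEED)` reports only `db1`; passing `UPSTREAM_ALIASES` as the third argument adds `db2` with the basis `upstream-alias`, which marks it as a finding to confirm rather than a certain one.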