Thank you for the info @Leo and @Ludo, just noticed that it's mentioned in the manual.
One question that wasn't answered yet in your description and the manual is how the linter detects when a package is patched. I assume it looks at the applied patch names to see if they contain a CVE code?