A response from 2012 states that "The reason why QualysGuard can't report on all the installed java version is because we can't have multiple instances of the same vulnerability for this kind of trusted checks, unlike we can for remote services running on different ports (for instance, multiple http services on different TCP port 80, 443, 8080 etc...)."
Is this still the case? I feel like it is, because I have a Red Hat server with java in /usr/bin/java as well as under /opt but only /usr/bin/java is being reported as EOL, even though the Java under /opt is even older. But maybe Qualys just can't find the other one?
I'd love if someone could confirm. Thanks!