I have a system in which 3 java versions are installed. Out of these 3 , 2 are vulnerable. I read in a previous discussion that Qualys detects based on the environmental PATH for java and then elaborating the java -version only. There is no reference to old java in PATH or in any custom defined variable.I would like to know how does Qualys detects vulnerable java version in this case. Will it enumerate the disc as well to check the installed versions ?