Vulnerability scan still showing Oracle JRE files after an upgrade to Spectrum 10.4

Article ID: 143802

Products

CA Spectrum DX NetOps

Issue/Introduction

I upgraded to 10.4 on my non-prod servers and had them scanned. The scan showed Oracle JRE files left over from older Spectrum versions, e.g.:

On the SS servers we are getting the following:

The following vulnerable instances of Java are installed on the
remote host :

Path : /opt/CA/spectrum/Java/
Installed version : 1.8.0_172
Fixed version : 1.7.0_241 / 1.8.0_231 / 1.11.0_5 / 1.13.0_1

Path : /opt/CA/spectrum/Java/
Installed version : 1.8.0_172
Fixed version : 1.7.0_241 / 1.8.0_231 / 1.11.0_5 / 1.13.0_1

These files are not present in a fresh install of Spectrum 10.4.x.

Why is this happening, even though Spectrum 10 uses AdoptOpenJDK JRE rather than Oracle Java?

Environment

Release : 10.4

Component : Spectrum Core / SpectroSERVER

Resolution

During an upgrade, the old JRE is not removed. The old JDK will be upgraded on install.
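
One way to confirm what the scanner is reporting, as an added example that is not part of the original article or the vendor's tooling: the script lists every Java runtime under a directory and flags 1.8.0 builds below the fixed update shown in the scan output (231). It assumes each leftover runtime directory still contains the standard `release` file with a `JAVA_VERSION` line; the function names and the sample tree are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: list Java runtimes under a directory by reading each runtime's
# `release` file and flag 1.8.0 builds older than a given fixed update.

# Print the update number of a "1.8.0_NNN" version string; fail for other families.
java8_update() {
    case "$1" in
        1.8.0_*) u=${1#1.8.0_}; printf '%s\n' "${u%%[!0-9]*}" ;;
        *) return 1 ;;
    esac
}

# scan_java_root <root> <fixed_update>: one "<dir> <version> <status>" line per runtime.
scan_java_root() {
    root=$1; fixed=$2
    find "$root" -type f -name release 2>/dev/null | sort |
    while IFS= read -r rel; do
        ver=$(sed -n 's/^JAVA_VERSION="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$rel" | head -n 1)
        [ -n "$ver" ] || continue          # not a Java release file
        if upd=$(java8_update "$ver") && [ -n "$upd" ]; then
            if [ "$upd" -lt "$fixed" ]; then status=BELOW_FIXED; else status=OK; fi
        else
            status=OTHER_FAMILY            # not 1.8.0_x; compare by hand
        fi
        printf '%s %s %s\n' "$(dirname "$rel")" "$ver" "$status"
    done
}

# Constructed sample tree; the directory names are made up for the demo.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/old_jre" "$t/new_jre" "$t/jre11"
    printf 'JAVA_VERSION="1.8.0_172"\n' > "$t/old_jre/release"   # version from the scan
    printf 'JAVA_VERSION="1.8.0_232"\n' > "$t/new_jre/release"   # constructed
    printf 'JAVA_VERSION="11.0.5"\n'    > "$t/jre11/release"     # constructed
    printf '%s\n' "$t"
}

# Demo on the sample tree; on a real host: scan_java_root /opt/CA/spectrum/Java 231
demo=$(make_sample_tree) && { scan_java_root "$demo" 231; rm -rf "$demo"; }
```

Directories reported as BELOW_FIXED are the ones a file-based vulnerability scan will keep flagging until they are removed or updated.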