
I am trying to comprehend how GitHub Advisory filters vulnerabilities, particularly in the context of Bootstrap 3.3.7. In the National Vulnerability Database (NVD), the following vulnerabilities are reported for Bootstrap 3.3.7:

CVE-2019-8331, CVE-2018-20677, CVE-2018-20676, CVE-2016-10735, CVE-2018-14042, CVE-2018-14040

However, when I look at GitHub Advisory, these vulnerabilities are segregated by package manager. For instance, CVE-2019-8331 is reported on NuGet, RubyGems, and npm, but the other vulnerabilities are not. Similarly, other vulnerabilities are reported only on npm and not on other package managers.

Since all these package managers are presumably building from the same codebase of Bootstrap, I'm curious about the rationale behind GitHub Advisory's filtration of vulnerabilities. Why are certain vulnerabilities reported only for specific package managers and not uniformly across all?

I would appreciate any insights or explanations regarding this discrepancy in the GitHub Advisory Database. Thank you!

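The mechanism behind the discrepancy can be seen in the advisory records themselves. GitHub publishes its advisory database in the OSV JSON schema (the github/advisory-database repository): each GHSA record carries the CVE it tracks under "aliases" and, under "affected", one entry per (ecosystem, package) pair. The ecosystem filter on the website simply shows an advisory under an ecosystem when such an entry exists, so a CVE appears under npm, NuGet and RubyGems only if someone added an "affected" entry for each of those packages. The script below is an added example, not code from the question or from GitHub. The advisory records in it are constructed sample data: the field names follow the real OSV/GHSA schema, but the GHSA identifiers, summaries and version ranges are placeholders, and the ecosystem mapping is simply arranged to mirror what the question reports. The `load_advisories` helper assumes the directory layout of a local clone of github/advisory-database.

```python
"""Group GitHub Advisory Database (GHSA) records by the ecosystems they cover.

GHSA records use the OSV JSON schema: "aliases" holds the CVE id(s) and
"affected" holds one entry per (ecosystem, package) with its own version
ranges.  The web UI's per-ecosystem view is just a filter on those entries.
"""
import glob
import json
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample advisories.  Field names are the real OSV/GHSA ones;
# ids, summaries and version ranges are placeholders, and the ecosystem
# mapping mirrors the pattern described in the question (one CVE carried in
# three ecosystems, another only in npm).  Not real advisory data.
SAMPLE_ADVISORIES: List[dict] = [
    {
        "id": "GHSA-xxxx-xxxx-xxx1",  # placeholder id
        "aliases": ["CVE-2019-8331"],
        "summary": "sample advisory A",
        "affected": [
            {"package": {"ecosystem": "npm", "name": "bootstrap"},
             "ranges": [{"type": "ECOSYSTEM",
                         "events": [{"introduced": "0"}, {"fixed": "0.0.0-fixed"}]}]},
            {"package": {"ecosystem": "NuGet", "name": "bootstrap"},
             "ranges": [{"type": "ECOSYSTEM",
                         "events": [{"introduced": "0"}, {"fixed": "0.0.0-fixed"}]}]},
            {"package": {"ecosystem": "RubyGems", "name": "bootstrap-sass"},
             "ranges": [{"type": "ECOSYSTEM",
                         "events": [{"introduced": "0"}, {"fixed": "0.0.0-fixed"}]}]},
        ],
    },
    {
        "id": "GHSA-xxxx-xxxx-xxx2",  # placeholder id
        "aliases": ["CVE-2018-14040"],
        "summary": "sample advisory B",
        "affected": [
            {"package": {"ecosystem": "npm", "name": "bootstrap"},
             "ranges": [{"type": "ECOSYSTEM",
                         "events": [{"introduced": "0"}, {"fixed": "0.0.0-fixed"}]}]},
        ],
    },
]


def load_advisories(repo_root: str) -> List[dict]:
    """Load every GHSA JSON file from a local clone of github/advisory-database.

    Assumes the repository layout advisories/github-reviewed/YYYY/MM/GHSA-*/GHSA-*.json.
    """
    pattern = os.path.join(repo_root, "advisories", "github-reviewed", "**", "GHSA-*.json")
    records = []
    for path in glob.glob(pattern, recursive=True):
        with open(path, encoding="utf-8") as fh:
            records.append(json.load(fh))
    return records


def ecosystems_by_cve(advisories: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each CVE alias to the set of ecosystems that have an 'affected' entry."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for adv in advisories:
        ecosystems = {a["package"]["ecosystem"] for a in adv.get("affected", [])}
        for alias in adv.get("aliases", []):
            if alias.startswith("CVE-"):
                out[alias] |= ecosystems
    return dict(out)


def cves_for_ecosystem(advisories: Iterable[dict], ecosystem: str) -> List[str]:
    """The CVEs the advisory database would list when filtered to one ecosystem."""
    mapping = ecosystems_by_cve(advisories)
    return sorted(cve for cve, ecos in mapping.items() if ecosystem in ecos)


def cves_missing_from_ecosystem(advisories: Iterable[dict],
                                nvd_cves: Iterable[str],
                                ecosystem: str) -> List[str]:
    """Given the CVE list NVD reports for a product, return the ones that have no
    'affected' entry for the chosen ecosystem, i.e. the gap the question observed."""
    present = set(cves_for_ecosystem(advisories, ecosystem))
    return sorted(cve for cve in nvd_cves if cve not in present)


if __name__ == "__main__":
    nvd_list = ["CVE-2019-8331", "CVE-2018-14040"]  # the two CVEs in the sample data
    for eco in ("npm", "NuGet", "RubyGems"):
        print(eco, "lists:", cves_for_ecosystem(SAMPLE_ADVISORIES, eco),
              "missing:", cves_missing_from_ecosystem(SAMPLE_ADVISORIES, nvd_list, eco))
```

Run against a real clone with `load_advisories("/path/to/advisory-database")` in place of `SAMPLE_ADVISORIES` to see the actual per-ecosystem coverage; any CVE that NVD lists for the product but that comes back from `cves_missing_from_ecosystem` for your ecosystem simply has no "affected" entry for a package in that ecosystem, which is why the web filter hides it.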