
I am trying to understand how GitHub Advisory filters vulnerabilities, particularly in the context of Bootstrap 3.3.7. In the National Vulnerability Database (NVD), the following vulnerabilities are reported for Bootstrap 3.3.7:

CVE-2019-8331 CVE-2018-20677 CVE-2018-20676 CVE-2016-10735 CVE-2018-14042 CVE-2018-14040

However, when I look at GitHub Advisory, these vulnerabilities are segregated based on the package manager. For instance, CVE-2019-8331 is reported on NuGet, RubyGems, and npm, but not other vulnerabilities. Similarly, other vulnerabilities are reported only on npm and not on other package managers.

Since all these package managers are presumably building from the same codebase of Bootstrap, I'm curious about the rationale behind GitHub Advisory's filtration of vulnerabilities. Are these vulnerabilities applicable to all Bootstrap 3.3.7 code bases that come with different package managers?

I would appreciate any insights or explanations regarding this discrepancy in the GitHub Advisory Database.

schroeder
Sandeep
  • One possibility is the attack's target. For instance, some vulnerabilities would only apply when code is run in Node.js... but not from a client browser. Maybe include a specific case here. – browsermator Nov 29 '23 at 19:49

0 Answers