Description
A vulnerability is identified in one application, and an advisory is generated that corresponds to that application and vulnerability. Different versions of the package might be affected by the same vulnerability and might be provided by different upstreams (say Debian, Ubuntu, PyPI, etc.), but the source code of the package remains more or less the same.
If some package depends on a vulnerable package, marking the dependent (parent) package as vulnerable is not the accepted approach, and data sources that do so are considered to be crying wolf. It is not the job of VulnerableCode to establish the parent-child relationship between packages (perhaps better done via ScanCode).
The VulnerableCode database is hosting affected packages with many different names under one vulnerability.
E.g.: https://public.vulnerablecode.io/vulnerabilities/VCID-kz2t-1jdd-aaaf?search=CVE-2018-3258
That vulnerability lists 449 affected packages, and scrolling down shows lots of different packages.
This looks like a problem caused by the redhat importer.
Related: #1084
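A small check for spotting this kind of over-broad vulnerability record, added here as an illustration and not part of VulnerableCode itself. It groups affected-package rows by vulnerability id, counts the distinct package names (a few names per vulnerability are normal because distributions package the same upstream under different names, so the threshold must tolerate that), and reports which importer contributed most rows; the rows, ids and purls are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample rows: (vulnerability id, package URL, importer that asserted
# the link). The ids, names and versions are illustrative, not real database data.
SAMPLE_ROWS = [
    ("VCID-EXAMPLE-0001", "pkg:rpm/redhat/mariadb@5.5.60-1.el7", "redhat"),
    ("VCID-EXAMPLE-0001", "pkg:rpm/redhat/mysql@5.7.21-1.el7", "redhat"),
    ("VCID-EXAMPLE-0001", "pkg:rpm/redhat/php-mysqlnd@5.4.16-45.el7", "redhat"),
    ("VCID-EXAMPLE-0001", "pkg:rpm/redhat/perl-DBD-MySQL@4.023-6.el7", "redhat"),
    ("VCID-EXAMPLE-0001", "pkg:deb/debian/mariadb-10.1@10.1.26-0+deb9u1", "debian"),
    ("VCID-EXAMPLE-0002", "pkg:pypi/requests@2.19.0", "pypi"),
    ("VCID-EXAMPLE-0002", "pkg:deb/debian/python-requests@2.18.4-2", "debian"),
]


def package_name(purl: str) -> str:
    """Return the name component of a package URL, dropping the scheme, type,
    namespace, version, qualifiers and subpath (pkg:deb/debian/foo@1.0?arch=amd64 -> foo)."""
    body = purl.split(":", 1)[1]      # drop the "pkg:" scheme
    body = body.split("#", 1)[0]      # drop subpath
    body = body.split("?", 1)[0]      # drop qualifiers
    body = body.split("@", 1)[0]      # drop version
    return body.rsplit("/", 1)[-1]    # last path segment is the name


def find_overbroad(rows, max_names: int = 3):
    """Flag vulnerabilities whose affected packages span more than `max_names`
    distinct package names. Many unrelated names usually means an importer recorded
    dependants of the vulnerable package rather than the package itself."""
    names = defaultdict(set)
    sources = defaultdict(Counter)
    for vuln_id, purl, source in rows:
        names[vuln_id].add(package_name(purl))
        sources[vuln_id][source] += 1
    findings = {}
    for vuln_id, name_set in names.items():
        if len(name_set) > max_names:
            findings[vuln_id] = {
                "distinct_names": sorted(name_set),
                "rows_by_source": dict(sources[vuln_id]),
                "likely_source": sources[vuln_id].most_common(1)[0][0],
            }
    return findings


if __name__ == "__main__":
    for vuln_id, report in find_overbroad(SAMPLE_ROWS).items():
        print(vuln_id, report)
```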