Adding GHSA from non ecosystem software

[HannesD1]

Hello,

i currently started working with the Github Adivsory Database to track vulnerabilities for packages which are not part of any Ecosystem. For example when using https://github.com/mcu-tools/mcuboot they track their vulnerabilities using Github. But the recorded GHSA for example GHSA-m59c-q9gq-rh2j are not listed in the Database.
While i understand that per Readme this behavior is intended I do not really understand the reason.
For my understanding GHSA are already checked by the maintainer of the project before they are listed on the Security Page of the respective project. So i do not understand the benefit of not listing those vulnerabilities to the Database.

Is there any chance that such vulnerabilities could be added to this database?

Best regards

[JonathanLEvans]

We greatly appreciate your interest in improving the database, and we agree with the sentiment of your question. Maintainer-verified advisories like the ones for mcuboot are valuable.

However, practical considerations have stopped us from automatically including all repository-level advisories in the global GitHub Advisory Database. These range from the annoying (e.g., broadcasting test advisories) to the dangerous (e.g., amplifying advisories that point to malware). Because repository advisories can be created by any GitHub user without additional review, we need a curation step before they appear in the global database.

We are looking into alternative solutions, and we appreciate your patience and feedback on this.