bomber
Bomber reporting OSV vulnerabilities on package versions that aren't in SBOM
Hello there,
We use bomber pretty extensively when reviewing open source packages and other software that are in my company's environment. I was reviewing the open source package eslint, downloaded the SPDX SBOM from GitHub, and ran a Bomber scan of that SBOM. The Bomber report displayed several vulnerabilities, including 5 Critical vulnerabilities that I started reviewing. One of these vulnerabilities was tied to the dependency eslint-scope, but is specific to version 3.7.2, with a patch deployed in version 3.7.3.
The version of eslint-scope in the SBOM, and listed in the package.json file of this project, is 8.0.1 though, and I'm not really sure why this vulnerability still came up for this dependency.
Are package versions checked when bomber gets an OSV or other vulnerability DB result back?
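The question above is really about version-range matching: an OSV advisory lists the versions it affects, and a scanner is expected to compare the SBOM component's version against those ranges before reporting a finding. The following is an added, constructed example (not bomber's code, and not a real advisory) that shows how that check works against the OSV schema's `affected[].ranges` with `SEMVER` events. The advisory id `OSV-EXAMPLE-0000`, the component list, and the helper names are all assumptions made for the example; the versions 3.7.2, 3.7.3 and 8.0.1 mirror the report in the issue.

```python
"""Match SBOM component versions against an OSV advisory's affected ranges.

Constructed example for illustration; it is not bomber's implementation.
OSV SEMVER ranges are lists of events: "introduced" opens an affected
interval, "fixed" closes it (exclusive), "last_affected" closes it
(inclusive). An interval left open by a trailing "introduced" has no upper bound.
"""
import re

_SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_semver(text):
    """Return a comparable key for a semver string.

    Key layout: (major, minor, patch, is_release, prerelease_parts).
    A release (is_release=1) sorts above any prerelease of the same patch.
    Prerelease parts are compared as plain strings, a simplification of
    the semver spec that is enough for this example.
    """
    m = _SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    major, minor, patch, pre = m.groups()
    if pre is None:
        return (int(major), int(minor), int(patch), 1, ())
    return (int(major), int(minor), int(patch), 0, tuple(pre.split(".")))


def semver_range_contains(version_key, events):
    """True if version_key falls in any interval described by OSV events."""
    lower = None  # lower bound of the interval currently being walked
    for ev in events:
        if "introduced" in ev:
            # OSV uses "0" to mean "from the very first version"
            lower = (0, 0, 0, 0, ()) if ev["introduced"] == "0" else parse_semver(ev["introduced"])
        elif "fixed" in ev:
            if lower is not None and lower <= version_key < parse_semver(ev["fixed"]):
                return True
            lower = None
        elif "last_affected" in ev:
            if lower is not None and lower <= version_key <= parse_semver(ev["last_affected"]):
                return True
            lower = None
    # A trailing "introduced" with no closing event means "all later versions"
    return lower is not None and version_key >= lower


def is_affected(version, advisory, ecosystem, name):
    """True if advisory lists (ecosystem, name) as affected at this version."""
    key = parse_semver(version)
    for aff in advisory.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        # Some advisories enumerate exact versions instead of (or as well as) ranges
        if version in aff.get("versions", []):
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") == "SEMVER" and semver_range_contains(key, rng.get("events", [])):
                return True
    return False


def scan(components, advisories):
    """Return (name, version, advisory id) for each component/advisory hit."""
    findings = []
    for comp in components:
        for adv in advisories:
            if is_affected(comp["version"], adv, comp["ecosystem"], comp["name"]):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings


# Constructed advisory with a placeholder id: eslint-scope 3.7.2 affected, 3.7.3 fixed.
ADVISORY = {
    "id": "OSV-EXAMPLE-0000",
    "summary": "constructed advisory for eslint-scope 3.7.2",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "eslint-scope"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "3.7.2"}, {"fixed": "3.7.3"}]}],
    }],
}

# Constructed component list: the SBOM version from the report plus the affected one.
SBOM_COMPONENTS = [
    {"ecosystem": "npm", "name": "eslint-scope", "version": "8.0.1"},
    {"ecosystem": "npm", "name": "eslint-scope", "version": "3.7.2"},
]

if __name__ == "__main__":
    for name, version, adv_id in scan(SBOM_COMPONENTS, [ADVISORY]):
        print(f"{name}@{version} affected by {adv_id}")
```

Run as written, only `eslint-scope@3.7.2` is reported; 8.0.1 is outside the `[3.7.2, 3.7.3)` interval and produces no finding. The OSV API itself applies this filtering server-side when a query to `https://api.osv.dev/v1/query` includes a `version` alongside the `package`, so a local check like the one above is mostly useful for confirming what a scanner reports against the ranges in the raw advisory.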