It seems there is some issue with the versions mentioned in the advisory https://github.com/advisories/GHSA-hr32-mgpm-qf2f. According to the first reference (to NVD),
the affected versions are up to 3.14.0 and from 4.5.0 to 4.5.6.
It leads to issues like https://github.com/aquasecurity/trivy/issues/1204#issuecomment-913494230
I checked the advisories used for the scan and figured out that this CVE-2020-25633 issue is linked with the GitHub advisory.