x/vuln/cmd/govulncheck: vulnerability count does not match vulnerability numbering #56177
Labels: FrozenDueToAge; NeedsFix (the path to resolution is known, but the work has not been done); UX (issues that involve UXD/UXR input); vulncheck or vulndb (issues for the x/vuln or x/vulndb repo)
For some projects, govulncheck will report that X vulnerabilities are found and then proceed to list them in order with their order number. Sometimes X does not match Y, where Y is the number of the last vulnerability listed. For instance, X=11 and Y=12 below:

The issue is that X is the number of unique OSVs detected, while Y is the total number of unique <OSV, package path> pairs detected. This can happen since an OSV can define vulnerable symbols for multiple packages.
The most promising solution is to change the numbering mechanism for Y and combine results for the same OSV. For instance, the contents of Vulnerability #11 and Vulnerability #12 can be merged under a single Vulnerability #11.
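As an added illustration of the mismatch and the proposed merge (example code written for this page, not x/vuln's own; the Finding type, the placeholder OSV IDs and the package paths are constructed), the first two functions reproduce the two counts X and Y, and the third groups findings per OSV so the entry numbering agrees with the header count:

```go
package main

// Finding is a constructed stand-in for one govulncheck hit: an OSV entry
// matched in one importing package path (an assumption, not the x/vuln type).
type Finding struct {
	OSV     string
	PkgPath string
}

// Sample is constructed input with placeholder OSV IDs; the second OSV defines
// vulnerable symbols in two packages, which is what triggers the mismatch.
var Sample = []Finding{
	{OSV: "GO-0000-0001", PkgPath: "example.com/a"},
	{OSV: "GO-0000-0002", PkgPath: "example.com/b"},
	{OSV: "GO-0000-0002", PkgPath: "example.com/c"},
	{OSV: "GO-0000-0002", PkgPath: "example.com/c"}, // same pair reported twice
}

// CountOSVs is the header count X: the number of distinct OSV IDs.
func CountOSVs(fs []Finding) int {
	seen := map[string]bool{}
	for _, f := range fs {
		seen[f.OSV] = true
	}
	return len(seen)
}

// CountPairs is the old entry numbering Y: distinct <OSV, package path> pairs.
func CountPairs(fs []Finding) int {
	seen := map[Finding]bool{}
	for _, f := range fs {
		seen[f] = true
	}
	return len(seen)
}

// MergeByOSV groups findings into one entry per OSV, keyed by ID and listing its
// affected package paths in first-seen order, so len(result) == CountOSVs(fs).
func MergeByOSV(fs []Finding) map[string][]string {
	seen := map[Finding]bool{}
	merged := map[string][]string{}
	for _, f := range fs {
		if seen[f] {
			continue // drop a duplicate <OSV, package> pair
		}
		seen[f] = true
		merged[f.OSV] = append(merged[f.OSV], f.PkgPath)
	}
	return merged
}
```

On Sample this gives X=2 and Y=3, while MergeByOSV yields two entries, one of which lists both affected packages.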