x/pkgsite: present the package paths in the vulnerability info shown in the versions tab

[hyangah]

https://pkg.go.dev/golang.org/x/text?tab=versions

A module may contain multiple packages. When browsing the module's version history,
the versions tab provides vulnerability info. However, it's hard to figure out whether
a vulnerability affects the entire module, or only a certain package.

For example, GO-2022-1059 affects golang.org/x/text/language, but visible from
pkg.go.dev/golang.org/x/text?tab=versions and it's not obvious that this vulnerability
affects only golang.org/x/text/language.

OTOH, if other packages in the module "transitively" depend on golang.org/x/text/language,
I wonder if they are included in the osv entry.

[findleyr]

Hmm, I'm not sure that this matches the scope of the versions tab. Listing packages may be distracting and/or misleading.

Aside: it would be nice if the vulnerability pages defined what it means for a package or symbol to be affected.

[kleinkk76]

https://pkg.go.dev/golang.org/x/text?tab=versions

A module may contain multiple packages. When browsing the module's version history, the versions tab provides vulnerability info. However, it's hard to figure out whether a vulnerability affects the entire module, or only a certain package.

For example, GO-2022-1059 affects golang.org/x/text/language, but visible from pkg.go.dev/golang.org/x/text?tab=versions and it's not obvious that this vulnerability affects only golang.org/x/text/language.

OTOH, if other packages in the module "transitively" depend on golang.org/x/text/language, I wonder if they are included in the osv entry.
#60579 (comment)