Description
Hello,
I noticed that for some go vulnerabilities, the vulnerability references a go package,
and not a go module.
For example, GHSA-pmw9-567p-68pc references the package github.com/cloudflare/cfrpki/cmd/octorpki
, while the associated go module is github.com/cloudflare/cfrpki
.
Note that some advisories reference both package and module, such as GHSA-74fp-r6jw-h4mp.
This is a bit troublesome, as go.mod
files reference modules, so we need to find the module that contains a package
in order to know if a module is vulnerable.
Moreover, if a vulnerability references a package (inside a module), it is possible for the package to be later shadowed
by a module of the same name. In this case, the vulnerability would reference the wrong module.
From basic queries on the proxy.golang.org
, it seems that about 20% of go packages referenced in (reviewed) advisories reference a non-existing module (which is most likely a package inside a module). This concerns 1010 advisories in total.
Do you think this is an issue that should be acted upon ?