github
Package vs module for go advisories
Hello, I noticed that for some go vulnerabilities, the vulnerability references a go package, and not a go module.
For example, GHSA-pmw9-567p-68pc references the package github.com/cloudflare/cfrpki/cmd/octorpki, while the associated go module is github.com/cloudflare/cfrpki.
Note that some advisories reference both package and module, such as https://github.com/advisories/GHSA-74fp-r6jw-h4mp.
This is a bit troublesome, as go.mod files reference modules, so we need to find the module that contains a package
in order to know if a module is vulnerable.
Moreover, if a vulnerability references a package (inside a module), it is possible for the package to be later shadowed
by a module of the same name. In this case, the vulnerability would reference the wrong module.
From basic queries on the proxy.golang.org, it seems that about 20% of go packages referenced in (reviewed) advisories reference a non-existing module (which is most likely a package inside a module). This concerns 1010 advisories in total.
Do you think this is an issue that should be acted upon ?
This is indeed an issue. Any comment from maintainers/github forthcoming?
