x/vulndb: import paths do not uniquely identify packages #50005
The DB is constructed assuming that package import paths are unique. But it's possible to have two different packages with the same import path, even at the same version. Example:
https://pkg.go.dev/github.com/hashicorp/vault@v1.0.1/api
https://pkg.go.dev/github.com/hashicorp/vault/api@v1.0.1
Moved from golang/vulndb#5.
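An added illustration (not code from vulndb or from this issue) of why an index keyed on import path alone conflates the two packages linked above, while a key of module path plus import path keeps them apart. The `Entry` type, the `EXAMPLE-` IDs and the helper names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// PkgKey names a package by the module that provides it and its import path.
type PkgKey struct{ Module, ImportPath string }

// Entry is a hypothetical record; the IDs below are constructed placeholders.
type Entry struct {
	ID  string
	Key PkgKey
}

const apiPath = "github.com/hashicorp/vault/api"

var sampleDB = []Entry{
	{"EXAMPLE-0001", PkgKey{"github.com/hashicorp/vault", apiPath}},
	{"EXAMPLE-0002", PkgKey{"github.com/hashicorp/vault/api", apiPath}},
}

// providers returns every module in mods that could contain importPath:
// the module path must be a prefix ending on a path-element boundary.
func providers(importPath string, mods []string) []string {
	var out []string
	for _, m := range mods {
		if importPath == m || strings.HasPrefix(importPath, m+"/") {
			out = append(out, m)
		}
	}
	return out
}

// lookup returns matching entry IDs. With byModule false it keys on the import
// path alone and cannot tell the two providers apart.
func lookup(db []Entry, k PkgKey, byModule bool) []string {
	var ids []string
	for _, e := range db {
		if e.Key.ImportPath == k.ImportPath && (!byModule || e.Key.Module == k.Module) {
			ids = append(ids, e.ID)
		}
	}
	return ids
}

func main() {
	build := PkgKey{"github.com/hashicorp/vault/api", apiPath} // module taken from the build list
	fmt.Println(providers(apiPath, []string{"github.com/hashicorp/vault", "github.com/hashicorp/vault/api"}))
	fmt.Println(lookup(sampleDB, build, false), lookup(sampleDB, build, true))
}
```

The import-path-only lookup reports both placeholder entries for a build that only contains the nested `api` module; the module-qualified lookup reports one.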