x/vulndb: potential Go vuln in go.etcd.io/etcd

[jba]

Now used to track GO-2020-0005.

---

old description:

The DB is constructed assuming that package import paths are unique. But it's possible to have two different packages with the same import path, even at the same version. Example:

https://pkg.go.dev/github.com/hashicorp/vault@v1.0.1/api
https://pkg.go.dev/github.com/hashicorp/vault/api@v1.0.1

[pombredanne]

@jba what should be the "canonical" form? ... It would be important to get these right in https://github.com/package-url

[jba]

In pkg.go.dev we use the form you see above, where the version attaches to the module path. That is Go-specific, though.

[julieqiu]

Moved to the Go issue tracker: golang/go#50005.

The x/vulndb issue tracker is currently only meant for use by the Go security team for tracking CVEs that should be included in the Go vulnerability database.

[gopherbot]

Change https://go.dev/cl/444759 mentions this issue: data/reports: add aliases and vulnerable_at for GO-2020-0005.yaml