Granularity of go libraries

[taoxinyi]

Hi team, currently vulnerabilities from go libraries are shown in the go module level. But the actual vulnerability can appear in the subcomponent/subpath/folder level:
example:
In osv vulnerability is from github.com/argoproj/argo-events

• https://osv.dev/vulnerability/GHSA-qpgx-64h2-gc3c

but the description from cve and snyk show it's from github.com/argoproj/argo-events/sensors/artifacts

• https://nvd.nist.gov/vuln/detail/CVE-2022-25856
• https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOEVENTSSENSORSARTIFACTS-2864522

Is there any plan to support this?

[oliverchang]

Sorry for the delayed reply here.

Per https://ossf.github.io/osv-schema/#affectedpackage-field, we do currently only track Go vulns at a module level.

My understanding this is the granularity at which package updates may be done. It doesn't make sense for instance, for someone to update github.com/argoproj/argo-events/sensors/artifacts without updating github.com/argoproj/argo-events.