Different behaviour of vulnerable code and govulncheck

[mkurzman]

Hi, I tried to reproduce the tutorial case from https://go.dev/doc/tutorial/govulncheck with golang.org/x/text@v0.3.5 but did not get a hit in VulnerableCode, even if I tried some variations to create the PURL as described in #749

On the other side, if I search by the CVE https://public.vulnerablecode.io/vulnerabilities/VCID-h89x-2eq9-aaar?search=CVE-2021-38561 the component is listed.
So VulnerableCode seems to have the information but for me it is unclear how I can access it using the PURL or at least fragments of the package name. Is there a way to search by "golang.org/x/text" to get "approximate" findings?

What would you recommend to reproduce the above mentioned tutorial with VulnerableCode?

[pombredanne]

@mkurzman Thanks for the report. This may not be entirely a bug as we have the code to collect Go vulnerabilities but we have not enabled this as an importer yet.

We should enable this shortly, and we will keep you posted here when this happens.