Open julieqiu opened 2 years ago
One of the common sources of false positive reports is that a vulnerability is found in a Go module but is not importable. We could detect this by checking the imported-by count on pkg.go.dev.
For example, in the case of https://github.com/golang/vulndb/issues/353, https://pkg.go.dev/github.com/go-gitea/gitea?tab=importedby shows 0 importers.
As a starting point, it would be helpful to add a link to pkg.go.dev/?tab=importedby in the automated issue.
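The check proposed above, worked through as an added example in Go. This is not code from the issue or from x/vulndb: it builds the pkg.go.dev importedby link for a package path, pulls the importer count out of that tab's HTML, and turns the result into the line an automated issue could carry. The two HTML snippets are constructed for the example, and the regexp that locates the "Imported By" count assumes the label is followed by the number, which may not match the markup pkg.go.dev actually serves; fetching the page over the network is left to the caller so the code runs offline.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample of an "Imported By" tab for a package nothing imports
// (the gitea case from the issue). Not real pkg.go.dev output.
const sampleZeroImporters = `<a href="/github.com/go-gitea/gitea?tab=importedby">Imported By <span class="count">0</span></a>`

// Constructed sample for a widely imported package; the count is formatted
// with a thousands separator to exercise that path.
const sampleManyImporters = `<a href="/golang.org/x/net?tab=importedby">Imported By
  <span class="count">1,234</span></a>`

// ImportedByURL builds the pkg.go.dev "Imported By" tab link for a package
// path, which is what the issue proposes adding to each automated issue.
func ImportedByURL(pkgPath string) string {
	return "https://pkg.go.dev/" + strings.Trim(pkgPath, "/") + "?tab=importedby"
}

// importedByRE finds the first number following the "Imported By" label.
// Requiring whitespace between the two words keeps it from matching the
// "tab=importedby" query string in the link itself. The shape of the markup
// is an assumption; adjust the pattern to what pkg.go.dev serves.
var importedByRE = regexp.MustCompile(`(?i)Imported\s+By\D{0,64}?(\d[\d,]*)`)

// ImporterCount extracts the importer count from the HTML of the importedby tab.
func ImporterCount(page string) (int, error) {
	m := importedByRE.FindStringSubmatch(page)
	if m == nil {
		return 0, fmt.Errorf("no Imported By count found in page")
	}
	return strconv.Atoi(strings.ReplaceAll(m[1], ",", ""))
}

// LikelyFalsePositive applies the heuristic from the issue: a package with no
// importers on pkg.go.dev cannot reach any module through the import graph.
// Zero is only a signal, not proof; a newly published package also shows 0.
func LikelyFalsePositive(importers int) bool {
	return importers == 0
}

// IssueLine renders the importer information as a line for an automated
// issue, so a triager sees the link and the hint without leaving the issue.
func IssueLine(pkgPath string, importers int) string {
	line := fmt.Sprintf("Importers: %d (%s)", importers, ImportedByURL(pkgPath))
	if LikelyFalsePositive(importers) {
		line += " - no importers found, possible false positive"
	}
	return line
}

func main() {
	cases := []struct{ pkg, page string }{
		{"github.com/go-gitea/gitea", sampleZeroImporters},
		{"golang.org/x/net", sampleManyImporters},
	}
	for _, c := range cases {
		n, err := ImporterCount(c.page)
		if err != nil {
			fmt.Println(c.pkg, "error:", err)
			continue
		}
		fmt.Println(IssueLine(c.pkg, n))
	}
}
```

In practice the page body would come from an HTTP GET of ImportedByURL; the parsing and the zero-importer heuristic are the parts worth keeping regardless of how the page is fetched.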
Change https://go.dev/cl/402394 mentions this issue: x/vulndb: add link to importers of a package in new automated issues