Package vs module for go advisories

[ArthurBrillant]

Hello,
I noticed that for some go vulnerabilities, the vulnerability references a go package,
and not a go module.

For example, GHSA-pmw9-567p-68pc references the package github.com/cloudflare/cfrpki/cmd/octorpki, while the associated go module is github.com/cloudflare/cfrpki.

Note that some advisories reference both package and module, such as GHSA-74fp-r6jw-h4mp.

This is a bit troublesome, as go.mod files reference modules, so we need to find the module that contains a package
in order to know if a module is vulnerable.
Moreover, if a vulnerability references a package (inside a module), it is possible for the package to be later shadowed
by a module of the same name. In this case, the vulnerability would reference the wrong module.

From basic queries on the proxy.golang.org, it seems that about 20% of go packages referenced in (reviewed) advisories reference a non-existing module (which is most likely a package inside a module). This concerns 1010 advisories in total.

Do you think this is an issue that should be acted upon ?

[sixcolors]

This is indeed an issue. Any comment from maintainers/github forthcoming?