advisory-database
Go: Supported ecosystem
The current README is confusing, in particular the list of supported ecosystems. We got the following comment on a PR mentioning that Go Std lib vulnerabilities are not part of the supported ecosystems.
That is highly confusing if you look at the list of supported ecosystems:
Our supported ecosystems are:
Composer (registry: https://packagist.org/)
Erlang (registry: https://hex.pm/)
GitHub Actions (registry: https://github.com/marketplace?type=actions)
**Go (registry: https://pkg.go.dev/)**
Go is present, and the Standard Library is part of that registry (https://pkg.go.dev/std) too.
Could you be more explicit and mention that the Standard Library is not supported?
I also have a question: if the Go Std Library is not supported, why does the GitHub advisory database accept these vulnerabilities in the first place?
Thank you for raising this question and for highlighting the ambiguity around Go's standard library in our supported ecosystems list in this issue, https://github.com/github/advisory-database/pull/5761, and https://github.com/github/advisory-database/pull/5760.
To clarify: while the Go standard library is technically listed on pkg.go.dev (e.g., https://pkg.go.dev/std), it is not published as a standalone package that can be updated independently of the Go toolchain itself. In general, our advisory database focuses on vulnerabilities that affect packages or modules which end users can update directly via their respective registries.
With Go, vulnerabilities in the standard library require users to upgrade the entire Go module (i.e., the Go toolchain), not just a specific package within the standard library. This is why, for our advisory database, we limit scope to modules that are independently updatable by end users. Including vulnerabilities that require upgrading the whole language runtime/toolchain is outside our current scope for supported ecosystems.
We recognize that this distinction can be confusing, especially since the Go registry shows the standard library alongside third-party modules. We appreciate your suggestion and will look into updating our documentation to make it clearer that the Go standard library is not currently included as a supported ecosystem in the advisory database. Thanks again for your feedback and for helping us improve the clarity of our documentation!
@helixplant Thanks for sharing all these details about these new decisions. However, I could not find any answer about why GitHub advisories accept any vulnerabilities affecting the Go Std Library. I'd assume you shouldn't accept these vulnerabilities in the first place. Is there any special reason to do that?
The GitHub Global Advisory Database includes both reviewed and unreviewed advisories in its totality. Before 2022, we only showed advisories from supported ecosystems; this was improved upon several years ago when we added the unreviewed section for advisories. Since CVE-2025-4673 and CVE-2025-22874 are recognized by the National Vulnerability Database, they were automatically published to our system rather than being added in error. For more information on our global security advisories, please feel free to check out "About global security advisories".