Advisory GHSA-hcg3-q754-cr77 has incorrect package listed
Advisory GHSA-hcg3-q754-cr77 lists golang.org/x/crypto as affected, while in fact the affected component is https://pkg.go.dev/golang.org/x/crypto/ssh, as correctly reported at https://pkg.go.dev/vuln/GO-2025-3487
So the advisory should be updated to correctly report the affected package
Hi @aburmash
Thank you for the interest in improving the advisory database. We use the golang.org/x/crypto module name rather than the golang.org/x/crypto/ssh package name for the advisory because the dependency graph only maps Go modules, not Go packages.
Thanks, I supposed that, but it was worth a try. Still, this is going to cause misreports for people using GHSA as a source of truth, as a lot of golang stuff uses crypto, but not crypto/ssh. But I fully understand the GHSA advisory logic now.
Thanks for the feedback @aburmash. We recognize that listing the module rather than just the specific subpackage (e.g., golang.org/x/crypto/ssh) may result in broader alerts. This approach is necessary to ensure that all potentially affected users are notified and can evaluate their own usage. Where possible, we strive to be as accurate and granular as ecosystem data allows, and we continually review advisories for opportunities to improve precision. We appreciate feedback like yours, as it helps us refine our processes.
For more information on managing Dependabot alerts, including how to dismiss alerts that may not apply to your usage, please see GitHub Docs on alert dismissal.
Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
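The thread leaves the triage step ("evaluate their own usage") to the reader. The script below is an added example, not code from the issue or from GitHub: it takes the package list a Go build actually links (the output of `go list -deps -f '{{.ImportPath}}' ./...`) and separates a module-level match, which is what makes the alert fire, from an import of the package the Go vuln DB names, golang.org/x/crypto/ssh. The dependency listings are constructed samples and the service path `example.com/hypothetical/service` is made up; version ranges are not checked because the thread does not state them.

```python
# Added example: triage a module-level GHSA alert against the package-level
# data in GO-2025-3487. Not part of the issue thread or of GitHub's tooling.

AFFECTED_MODULE = "golang.org/x/crypto"        # what the GHSA advisory lists
AFFECTED_PACKAGE = "golang.org/x/crypto/ssh"   # what GO-2025-3487 names

# Constructed sample: `go list -deps -f '{{.ImportPath}}' ./...` for a
# hypothetical service that uses bcrypt from the module but never crypto/ssh.
# Because -deps is transitive, a program importing golang.org/x/crypto/ssh/agent
# would also list golang.org/x/crypto/ssh itself.
SAMPLE_DEPS_NO_SSH = """\
fmt
golang.org/x/crypto/bcrypt
golang.org/x/crypto/blowfish
net/http
example.com/hypothetical/service
"""

# Constructed sample: the same service after adding an SSH client.
SAMPLE_DEPS_WITH_SSH = SAMPLE_DEPS_NO_SSH + """\
golang.org/x/crypto/ssh
golang.org/x/crypto/ssh/agent
"""


def in_module(import_path: str, module: str) -> bool:
    """True if the package lives in the given Go module (module root or below)."""
    return import_path == module or import_path.startswith(module + "/")


def triage(deps_output: str, module: str = AFFECTED_MODULE,
           package: str = AFFECTED_PACKAGE) -> dict:
    """Classify a dependency listing: does the module match (alert fires) and
    is the specific affected package actually in the build graph?"""
    paths = [line.strip() for line in deps_output.splitlines() if line.strip()]
    module_hits = sorted(p for p in paths if in_module(p, module))
    package_present = package in paths
    return {
        "alert_fires": bool(module_hits),       # module-level match, as GHSA reports it
        "actually_affected": package_present,   # package-level match, as GO-2025-3487 reports it
        "module_packages": module_hits,
    }


if __name__ == "__main__":
    for label, sample in (("no ssh", SAMPLE_DEPS_NO_SSH), ("with ssh", SAMPLE_DEPS_WITH_SSH)):
        print(label, triage(sample))
```

A package appearing in the build graph still does not prove the vulnerable code path is reachable; the Go team's govulncheck tool performs that finer, symbol-level analysis against the same Go vuln DB entry.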