Different behaviour of vulnerable code and govulncheck

[mkurzman]

Hi, I tried to reproduce the tutorial case from https://go.dev/doc/tutorial/govulncheck with golang.org/x/[email protected] but did not get a hit in VulnerableCode, even if I tried some variations to create the PURL as described in https://github.com/aboutcode-org/vulnerablecode/issues/749

On the other side, if I search by the CVE https://public.vulnerablecode.io/vulnerabilities/VCID-h89x-2eq9-aaar?search=CVE-2021-38561 the component is listed. So VulnerableCode seems to have the information but for me it is unclear how I can access it using the PURL or at least fragments of the package name. Is there a way to search by "golang.org/x/text" to get "approximate" findings?

What would you recommend to reproduce the above mentioned tutorial with VulnerableCode?