VulnerableCode returns no findings for Go packages
Describe the bug
I am scanning a project with the ModGo ORT package manager.
One dependency is quic-go, release 0.40.0, which definitely has vulnerability findings in the VulnerableCode database.
Unfortunately, no security vulnerabilities are found in the Advisor phase, using VulnerableCode.
Detailed analysis
ORT uses a "bulk search", sending a POST request to the VulnerableCode API. This request has a list of Package URLs (purls) of the dependencies like quic-go. The purl for quic-go looks as follows: pkg:golang/github.com%2Fquic-go%2Fquic-go@v0.40.0
So, in some places we see the "/", in other places it is percent-encoded to "%2F". I don't want to open discussions on whether this is valid or not, but there is a point in saying "the / character is used to separate the parts that build up a purl, and for this reason, if a namespace or name of a dependency contains /, then they need to be percent-encoded".
When I (in code) add an additional step that replaces all occurrences of "%2F" with "/" before I feed it into VulnerableCode, then the VulnerableCode API is happy and returns the expected vulnerability records.
Environment
ORT 34.0.0
Additional context
I will prepare a PR to deal with the issue in a pragmatic way. Stay tuned.
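The mismatch described in this report, as an added illustration that is not code from the reporter, from ORT or from VulnerableCode: one function builds the purl the way the report shows ORT emitting it (the whole Go module path percent-encoded, including the "/" separators), a second applies the reporter's workaround of decoding "%2F" back to "/" but only in the type/namespace/name part, so a version, qualifier or subpath is left alone, and a third assembles the bulk-search request body. The module path github.com/quic-go/quic-go, the "v0.40.0" version string, the `{"purls": [...]}` body shape and the set of purls the mock lookup "knows" are assumptions made for the example, not facts taken from the VulnerableCode API.

```python
"""Percent-encoded "/" in Go purls versus the decoded form VulnerableCode expects.

Constructed example; not ORT's or VulnerableCode's code. The module path,
version string, request-body shape and the mock purl set are assumptions.
"""
import urllib.parse

# Constructed stand-in for the purls a VulnerableCode instance would match on.
# The report says the decoded form returns records, so the mock uses that form.
KNOWN_PURLS = {
    "pkg:golang/github.com/quic-go/quic-go@v0.40.0",  # assumed purl, see lead-in
}


def ort_style_go_purl(module_path: str, version: str) -> str:
    """Build a purl in the shape the report shows ORT sending.

    The entire Go module path is placed after "pkg:golang/" with every "/"
    percent-encoded, so github.com/quic-go/quic-go becomes
    github.com%2Fquic-go%2Fquic-go.
    """
    return f"pkg:golang/{urllib.parse.quote(module_path, safe='')}@{version}"


def decode_slashes_in_path(purl: str) -> str:
    """Apply the reporter's workaround: turn "%2F" back into "/".

    Only the scheme/type/namespace/name part is touched. Anything from the
    first "@" (version), "?" (qualifiers) or "#" (subpath) onward is kept
    byte-for-byte, so an encoded "/" inside a qualifier value survives.
    """
    path_end = len(purl)
    for separator in "@?#":
        idx = purl.find(separator)
        if idx != -1:
            path_end = min(path_end, idx)
    head, tail = purl[:path_end], purl[path_end:]
    return head.replace("%2F", "/").replace("%2f", "/") + tail


def bulk_search_body(purls, decode_slashes: bool = True) -> dict:
    """Assemble the JSON body for a purl bulk search.

    The {"purls": [...]} shape is an assumption for this example. With
    decode_slashes=True the reporter's workaround is applied to each purl.
    """
    if decode_slashes:
        purls = [decode_slashes_in_path(p) for p in purls]
    return {"purls": list(purls)}


def mock_lookup(body: dict) -> list:
    """Mimic a server that only matches the decoded purl form.

    Returns the purls from the request that would get findings.
    """
    return [p for p in body["purls"] if p in KNOWN_PURLS]


if __name__ == "__main__":
    purl = ort_style_go_purl("github.com/quic-go/quic-go", "v0.40.0")
    print("as sent by ORT:   ", purl)
    print("matches, raw:     ", mock_lookup(bulk_search_body([purl], decode_slashes=False)))
    print("matches, decoded: ", mock_lookup(bulk_search_body([purl])))
```

Running the block shows the raw purl producing no match and the decoded one producing a match, which is the behaviour the report describes. Decoding only up to the first "@", "?" or "#" is deliberate: a blanket `replace("%2F", "/")` over the whole string would also rewrite an encoded slash inside a qualifier value, which is a different thing than the namespace/name separator the report is about.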