Advisory GHSA-hcg3-q754-cr77 has incorrect package listed

[aburmash]

Advisory GHSA-hcg3-q754-cr77 lists golang.org/x/crypto affected, while in fact affected component is https://pkg.go.dev/golang.org/x/crypto/ssh as correctly reported at https://pkg.go.dev/vuln/GO-2025-3487

So advisory should be updated to correctly report affected package

[JonathanLEvans]

Hi @aburmash

Thank you for the interest in improving the advisory database. We use the golang.org/x/crypto module name rather than the golang.org/x/crypto/ssh package name for the advisory because the dependency graph only maps Go modules, not Go packages.

[aburmash]

Thanks, i supposed that, but was worth a try. Still this is going to cause misreports for people using GHSA as a source of truth, as a lot of golang stuff uses crypto, but not crypto/ssh. But i fully understand the GHSA advisory logic now.