Vulnerable package has score 10/10 in Vulnerabilities

[jorgsowa]

Describe the bug
Package https://github.com/elijaa/phpmemcachedadmin has disclosed a vulnerability https://osv.dev/vulnerability/CVE-2023-6026

However, the OSV scanner doesn't detect it, because it scans dependencies, not the package itself (!). As a result, the scorecard gives it 10/10 points.

Reproduction steps
Steps to reproduce the behavior:

1. Run scorecard --repo=github.com/elijaa/phpmemcachedadmin
2. See 10 / 10 | Vulnerabilities | no vulnerabilities detected

Expected behavior
As the vulnerability is known, the score shouldn't be 10/10.

Additional context

[spencerschrock]

Yeah, I agree we aren't finding vulns in the current project. (See related comment google/osv-scanner#416 (comment))

I was curious if we did anything differently before the use of osv-scanner (#2509), and it seems like the answer is no

Currently the vulnerability check only checks if the HEAD commit hash has any vulnerability specified in OSV.dev

The commit hash check is still being done