And then, it also occurs to me that perhaps I can answer my own question. Taking advantage of three aspects of the ecosystem.
#1) Most open source Go libraries are on GitHub
#2) Many (most?) CVEs for open source projects will include a reference back to the project, and these references can be extracted from the
cvelist project.
#3) GitHub has an API to fetch the language of a GitHub repository.
Putting those three together, it might be possible to filter every CVE entry that has a reference to GitHub, then every GitHub project in that list that is implemented in Go, and turn that into a list of vulnerabilities for packages. Then match on those packages. That might generate a short list of projects that have had vulnerabilities. That far more reasonable list could then be augmented by a small amount of open source labor to annotate with the versions known to be vulnerable, when new items appear.
From a completely different direction, the CVE quality team is looking to add more data to CVE entries. Seems like implementation language + package management name as additional data in the CVE record itself might also help address the issue. That would be generalizable to Java, Javascript. Rust, Python, and Go, for starters.
Before I send that idea in to the quality WG, does anyone here have a better suggestion?
Eric