internal/vulncheck: explicitly exclude devel from affected ranges
For now, "(devel)" should never be matched.
Change-Id: Ia6b001caef1a1faf093b6757f3fb89d27e160bb2
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/598715
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/internal/vulncheck/vulncheck.go b/internal/vulncheck/vulncheck.go
index 5405a71..198fffe 100644
--- a/internal/vulncheck/vulncheck.go
+++ b/internal/vulncheck/vulncheck.go
@@ -150,18 +150,10 @@
if a.Module.Path != module.Path {
continue
}
+ if !affected(modVersion, a) {
+ continue
+ }
- // A module version is affected if
- // - it is included in one of the affected version ranges
- // - and module version is not ""
- if modVersion == "" {
- // Module version of "" means the module version is not available,
- // and so we don't want to spam users with potential false alarms.
- continue
- }
- if !semver.Affects(a.Ranges, modVersion) {
- continue
- }
var filteredImports []osv.Package
for _, p := range a.EcosystemSpecific.Packages {
if matchesPlatform(os, arch, p) {
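Review bot: The call site now silently drops every finding for a module whose version is "" or "(devel)", and the only explanation of that deliberate false negative lives in the helper; a one-line why-comment above the new check would keep the intent visible where the skip happens, e.g. `// Unknown module versions ("" or "(devel)") are skipped rather than reported; see affected.` Since the commit message says this is "for now", the comment is also the natural place to record that the "(devel)" exclusion is provisional. Presumably a binary built from source with a "(devel)" main module would then never be flagged for a vulnerability in that module, so a debug-level log when a module is skipped for this reason may help users understand a missing report; that is inferred from the visible skip, not from anything else on the page. The enclosing loop and function start before and continue past this hunk.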
@@ -196,6 +188,21 @@
return filtered
}
+// affected checks if modVersion is affected by a:
+// - it is included in one of the affected version ranges
+// - and module version is not "" and "(devel)"
+func affected(modVersion string, a osv.Affected) bool {
+ const devel = "(devel)"
+ if modVersion == "" || modVersion == devel {
+ // Module version of "" means the module version is not available
+ // and devel means it is in development stage. Either way, we don't
+ // know the exact version so we don't want to spam users with
+ // potential false alarms.
+ return false
+ }
+ return semver.Affects(a.Ranges, modVersion)
+}
+
func matchesPlatform(os, arch string, e osv.Package) bool {
return matchesPlatformComponent(os, e.GOOS) &&
matchesPlatformComponent(arch, e.GOARCH)