internal/{osv,report}: add support for non-Go version ranges

A non-Go version range can be used to specify versions used by
module maintainers that do not conform to Go's module
version conventions (https://go.dev/doc/modules/version-numbers).
For now, these versions are not published in OSV. In the future,
they will likely be published in an ecosystem_specific field
and used for display purposes.

Change-Id: I3fcd13a832fd91bce3dfaccd56e63a06e95410b3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/568057
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/doc/format.md b/doc/format.md
index a4b797f..33267cf 100644
--- a/doc/format.md
+++ b/doc/format.md
@@ -91,6 +91,18 @@
If this field is omitted, it is assumed that every version since the
`introduced` version is vulnerable.
+### `module.non_go_versions`
+
+type `string`
+
+(Optional - used only in special cases, usually for binary reports.)
+
+The non-Go version range(s) at which the package is vulnerable.
+
+A non-Go version range can be used to specify versions used by
+module maintainers that do not conform to [Go's module
+version conventions](https://go.dev/doc/modules/version-numbers).
+
### `module.vulnerable_at`
type `string`
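Review bot: the "type `string`" line under `### module.non_go_versions` does not match the field it documents. report.go declares `NonGoVersions []VersionRange`, so the YAML value is a list of ranges rather than a single string. Suggest describing the type as a list of version ranges and naming the keys each entry takes (the context above already refers to `introduced`). The section also omits what the commit message states, that these ranges are not published in OSV for now; one sentence saying so would keep report authors from assuming that consumers of the OSV output will see or match on them.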
diff --git a/internal/report/report.go b/internal/report/report.go
index b892497..301f5ed 100644
--- a/internal/report/report.go
+++ b/internal/report/report.go
@@ -39,6 +39,9 @@
type Module struct {
Module string `yaml:",omitempty"`
Versions []VersionRange `yaml:",omitempty"`
+ // Versions that are not known to the module proxy, but
+ // that may be useful to display to humans.
+ NonGoVersions []VersionRange `yaml:"non_go_versions,omitempty"`
// Version types that exist in OSV, but we don't support.
// These may be added when automatically creating a report,
// but must be deleted in order to pass lint checks.
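Review bot: the comment on `NonGoVersions` says the versions are "not known to the module proxy" but does not say how the rest of the tooling treats them. Because the field reuses `VersionRange`, the same type as `Versions`, a reader cannot tell from this declaration whether the values are validated or compared as Go semantic versions. Suggest extending the comment to state that the values are maintainer-defined and may not parse as Go module versions, that they are left out of the generated OSV (per the commit message), and whether lint checks apply to them.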