Description
👋 Hello!
We have observed a recurring false positive issue when go.mod files utilize pseudo-versions.
Additional Context
This looks like it was brought up previously in #491 and #910 but was seemingly left unresolved. Additionally, it seems that Dependabot doesn't really support this either: dependabot/dependabot-core#2028 🤷
Problem
Go pseudo-versions introduce challenges in vulnerability management workflows. These versions can create confusion for engineers when triaging results, leading to inefficiencies stemming from false positives and to potential misinterpretations of vulnerability data.
Example
GHSA-5jp2-vwrj-99rf is reported in github.com/concourse/concourse@v1.6.1-0.20230608160752-b14acb611a79:
╭─────────────────────────────────────┬──────┬───────────┬────────────────────────────────┬─────────────────────────────────────┬────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼────────────────────────────────┼─────────────────────────────────────┼────────┤
│ https://osv.dev/GHSA-5jp2-vwrj-99rf │ 5.4 │ Go │ github.com/concourse/concourse │ 1.6.1-0.20230608160752-b14acb611a79 │ go.mod │
╰─────────────────────────────────────┴──────┴───────────┴────────────────────────────────┴─────────────────────────────────────┴────────╯
However, the pseudo-version is technically higher than the one in the patched versions:
Important
The pseudo version (v1.6.1-0.20230608160752-b14acb611a79) does not correspond to a tag in the same semantic version range, which makes things extra confusing.
https://github.com/concourse/concourse/releases/tag/v1.6.1 👈 This 404s; v1.6.1 is not a thing, since v2.0.0 was published after v1.6.0.
It's this commit (used by the go toolchain):
concourse/concourse@b14acb611a79
Which maps to this released version:
https://github.com/concourse/concourse/releases/tag/v7.10.0
And can be verified with git using:
$ git clone https://github.com/concourse/concourse.git
$ cd concourse
$ git describe --contains b14acb611a79
v7.10.0~11
Note
We can identify pseudo-versions using golang.org/x/mod/module.IsPseudoVersion to avoid sending these to the OSV API altogether as an intermediate fix. But, it might be required to use go-git (or equivalent) to inspect the repository's commit history to identify a released tag (if there is even one at all). It's possible that pseudo-versions don't map back to a released version at all (especially prevalent for v0.0.0-* variants).
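The intermediate fix described above, as an added example that is not code from this issue or from the project: requirements whose version has the form module.IsPseudoVersion accepts are kept out of the OSV version query and reduced to the commit hash that git describe --contains can map to a tag. The regexp is re-implemented with the standard library (assumed to mirror x/mod), and the example.com module paths and sample go.mod are constructed.

```go
package main

import (
	"regexp"
	"strings"
)

// Hand-written copy (assumption) of the form golang.org/x/mod/module.IsPseudoVersion
// accepts (standard library only); group 3 = yyyymmddhhmmss snapshot, group 4 = commit.
var pseudoRe = regexp.MustCompile(`^v[0-9]+\.(0\.0-|\d+\.\d+-([^+]*\.)?0\.)(\d{14})-([A-Za-z0-9]+)(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$`)

// PseudoInfo is what a scanner keeps for a requirement it must not query OSV by
// version: only the commit can be mapped back to a released tag with git.
type PseudoInfo struct{ Path, Version, Timestamp, Rev string }

// IsPseudoVersion also demands two dashes, like x/mod, so v2.0.0-beta.1 is not one.
func IsPseudoVersion(v string) bool {
	return strings.Count(v, "-") >= 2 && pseudoRe.MatchString(v)
}

// Triage splits go.mod require entries (minimal parser for well-formed files) into
// "path@version" strings that are safe to send to OSV and pseudo-versions that
// instead need commit-based resolution, e.g. git describe --contains <Rev>.
func Triage(gomod string) (osvQuery []string, pseudo []PseudoInfo) {
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == "require" { // single-line require
			f = f[1:]
		}
		if len(f) != 2 || !strings.Contains(f[0], "/") || f[1][0] != 'v' {
			continue // not "path version": module, go, require (, ), replace, ...
		}
		if m := pseudoRe.FindStringSubmatch(f[1]); m != nil && IsPseudoVersion(f[1]) {
			pseudo = append(pseudo, PseudoInfo{f[0], f[1], m[3], m[4]})
			continue
		}
		osvQuery = append(osvQuery, f[0]+"@"+f[1])
	}
	return osvQuery, pseudo
}

// Constructed go.mod: the issue's concourse pseudo-version plus made-up modules.
const sampleGoMod = `require (
	github.com/concourse/concourse v1.6.1-0.20230608160752-b14acb611a79
	example.com/tagged v1.2.3 // indirect
	example.com/unreleased v0.0.0-20240102150405-0123456789ab
)
require example.com/prerelease v2.0.0-beta.1`
```

For the v0.0.0-* entry the commit may not be contained in any tag at all, which is exactly the case where a git lookup has to report "no released version" rather than a false match.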

