This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

Incorrect golang version handling #129

Closed
patryk4815 opened this issue Dec 2, 2020 · 5 comments
Closed

Labels
bug Something isn't working

Comments

@patryk4815

patryk4815 commented Dec 2, 2020

Vulnerability URL
Provide the URL to the OSS Index vulnerability, e.g.:

https://ossindex.sonatype.org/component/pkg:golang/github.com/rs/[email protected]
https://ossindex.sonatype.org/component/pkg:golang/github.com/rs/[email protected]
https://ossindex.sonatype.org/vuln/f298776e-a8b6-4b91-8e51-f34b11f4c7bd

https://ossindex.sonatype.org/component/pkg:golang/github.com/hashicorp/consul

Description
What is the difference between v1.5.0 and 1.5.0 in golang repos?

@patryk4815 patryk4815 added the bug Something isn't working label Dec 2, 2020
@ndonewar
Contributor

ndonewar commented Dec 3, 2020

Edit: removed incorrect information to prevent any future confusion

@patryk4815
Author

@ndonewar Thanks for the answer!
I'm using dependabot-core and it looks like they are removing the v prefix from the version:
https://github.com/dependabot/dependabot-core/blob/main/go_modules/lib/dependabot/go_modules/file_parser.rb#L51

BTW, this package should not be vulnerable, it has been fixed in 1.5.0:

https://ossindex.sonatype.org/component/pkg:golang/github.com/rs/[email protected]
https://ossindex.sonatype.org/vuln/f298776e-a8b6-4b91-8e51-f34b11f4c7bd

@ndonewar
Contributor

ndonewar commented Dec 8, 2020

@patryk4815 My apologies, I started digging into this one more and realized I gave you incorrect information (removed above to prevent future confusion). Here's the correct info:

Go components in OSS Index should be referenced without the v in front of the version number. Links with a v are triggering a bug with no-lower-bounds ranges (e.g., less than 1.5.0), which is why your example above (with a v) is showing that it has a vulnerability. Additionally, some (but not all) component pages are incorrectly listing versions with v. Both issues have been filed internally.

As you noted, 1.5.0 should not have the vulnerability, and that is what is shown:
https://ossindex.sonatype.org/component/pkg:golang/github.com/rs/[email protected]

And lower versions (e.g., 1.4.0) should have the vulnerability, and they do:
https://ossindex.sonatype.org/component/pkg:golang/github.com/rs/[email protected]

Sorry for any inconvenience this caused!

@ndonewar
Contributor

ndonewar commented Dec 9, 2020

The issue where some Go component pages were incorrectly listing versions with v has now been resolved.

For example, versions here no longer show a v:
https://ossindex.sonatype.org/component/pkg:golang/github.com/rs/cors

@patryk4815
Author

If it is fixed, we can close the ticket :)
