multiple GHSA go packages with invalid semver events #5173
Open
Labels: data quality (Issues with data quality)
Description
Describe the bug
There are multiple GHSAs with invalid semver events.
To Reproduce

```sh
{
for v in GHSA-8r25-68wm-jw35 GHSA-9hxg-w7qf-hh93 GHSA-g8xm-p2h4-v6jp GHSA-h374-mm57-879c GHSA-pxmr-q2x3-9x9m; do
curl -sSfL "https://api.osv.dev/v1/vulns/$v"
done
} | jq -r '
.id as $id |
.affected[] |
.package.purl as $purl |
.ranges[] |
select(.type=="SEMVER") |
.events[] |
to_entries[] |
select(
.value|
test("^0$|^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$")|
not//empty
) |
[$id, $purl, .key, .value] |
@csv'
```

Output

```
"GHSA-8r25-68wm-jw35","pkg:golang/github.com/0xJacky/Nginx-UI","fixed","2.0.0.beta.9"
"GHSA-9hxg-w7qf-hh93","pkg:golang/gogs.io/gogs","fixed","0.11.82.1218"
"GHSA-g8xm-p2h4-v6jp","pkg:golang/github.com/openshift/assisted-installer","fixed","1.0.25.1"
"GHSA-h374-mm57-879c","pkg:golang/github.com/0xJacky/Nginx-UI","fixed","2.0.0.beta.9"
"GHSA-pxmr-q2x3-9x9m","pkg:golang/github.com/0xJacky/Nginx-UI","fixed","2.0.0.beta.9"
```
The flagged events are not valid semver strings (they all have trailing dotted portions).
Expected behaviour
SEMVER-type events should have valid semver strings, excepting the special values.
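The same check as an offline Python function, added here as an example and not code from this issue or from OSV/GHSA themselves; it runs over an OSV-format record you already have on disk or mirrored, uses the semver 2.0.0 regex from the jq command above, and whitelists `"0"` as the one special value (an assumption; the issue does not list them). The sample record below is constructed: its id, purl and bad `fixed` value come from the output above, everything else is made up.

```python
import re

# SemVer 2.0.0 regex, the same pattern the jq command in this issue uses.
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)

# Assumption: "0" (introduced at the start of history) is the only special
# value exempted from semver validation here.
SPECIAL_VALUES = {"0"}


def invalid_semver_events(vuln: dict) -> list:
    """Return (id, purl, event_key, value) for each event in a SEMVER-type
    range whose value is neither a special value nor valid semver.
    Ranges of other types (e.g. ECOSYSTEM) are skipped, as in the jq filter."""
    bad = []
    vid = vuln.get("id", "")
    for affected in vuln.get("affected", []):
        purl = affected.get("package", {}).get("purl", "")
        for rng in affected.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue
            for event in rng.get("events", []):
                for key, value in event.items():
                    if value in SPECIAL_VALUES or SEMVER_RE.match(value):
                        continue
                    bad.append((vid, purl, key, value))
    return bad


# Constructed sample record in OSV shape (not the real GHSA-8r25-68wm-jw35 JSON):
# one SEMVER range with the malformed "fixed" value reported in this issue,
# one SEMVER range with a well-formed pre-release, and one non-SEMVER range.
SAMPLE_VULN = {
    "id": "GHSA-8r25-68wm-jw35",
    "affected": [{
        "package": {"purl": "pkg:golang/github.com/0xJacky/Nginx-UI"},
        "ranges": [
            {"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "2.0.0.beta.9"}]},
            {"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "2.0.0-beta.9"}]},
            {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.0.0.beta.9"}]},
        ],
    }],
}

if __name__ == "__main__":
    for row in invalid_semver_events(SAMPLE_VULN):
        print(",".join(row))
```

Only the first range is reported; the corrected `2.0.0-beta.9` passes, and the ECOSYSTEM range is ignored because the expectation applies to SEMVER-type events only.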