internal/report: fix bug with vulnerable_at in Fix

In Fix, when splitting modules by major version, don't delete the vulnerable_at version unless it is no longer valid. Change-Id: Id8192c7d34f3908e4d6ddb4fec41e9c3e2d49b6f Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607915 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
golang · Aug 22, 2024 · a282e8f · a282e8f
1 parent 29f8e5e
commit a282e8f
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/internal/report/fix.go b/internal/report/fix.go
@@ -456,7 +456,9 @@ func (m *Module) splitByMajor(pc *proxy.Client) (modules []*Module) {
 		mc.Versions = av.standard
 		mc.UnsupportedVersions = av.unsupported
 		mc.NonGoVersions = av.nonGo
-		mc.VulnerableAt = nil // needs to be re-generated
+		if !inVulnerableRange(mc.Versions, mc.VulnerableAt) {
+			mc.VulnerableAt = nil // needs to be re-generated
+		}
 		if mod == v1Mod {
 			addIncompatible(mc, pc)
 		}
@@ -467,6 +469,23 @@ func (m *Module) splitByMajor(pc *proxy.Client) (modules []*Module) {
 	return modules
 }
 
+func inVulnerableRange(vs Versions, v *Version) bool {
+	if v == nil {
+		return false
+	}
+
+	rs, err := vs.ToSemverRanges()
+	if err != nil {
+		return false
+	}
+	affected, err := osvutils.AffectsSemver(rs, v.Version)
+	if err != nil {
+		return false
+	}
+
+	return affected
+}
+
 var transforms = map[string]string{
 	"github.com/mattermost/mattermost/server":    "github.com/mattermost/mattermost-server",
 	"github.com/mattermost/mattermost/server/v5": "github.com/mattermost/mattermost-server/v5",