Go modules with version v0.0.0-xxx incorrectly marked by go_updater as not vulnerable in security updates #11420

Open
ByAgenT opened this issue Jan 27, 2025 · 0 comments
Labels
L: go:modules Golang modules T: bug 🐞 Something isn't working

Comments

@ByAgenT
Contributor

ByAgenT commented Jan 27, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

go_modules

Package manager version

go1.20.10

Language version

go1.11

Manifest location and content before the Dependabot update

go.mod

module issue_repro_example

require (
	golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e
)

go 1.11

dependabot.yml content

No response

Updated dependency

golang.org/x/net from v0.0.0-20190108225652-1e06a53dbb7e to v0.1.0

What you expected to see, versus what you actually saw

Expected: Dependabot should create a Pull Request that upgrades the dependency to version v0.1.0

Actual: Dependabot returns a security_update_not_needed error claiming that the dependency at version v0.0.0-20190108225652-1e06a53dbb7e is no longer vulnerable.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

module issue_repro_example

require (
	golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e
)

go 1.11

Dependabot Job yaml example for reproduction (security advisory based on GHSA-39qc-96h7-956f):

job:
    dependencies:
        - golang.org/x/net
    security-advisories:
        - dependency-name: golang.org/x/net
          affected-versions:
            - '>= 0, < 0.0.0-20190813141303-74dc4d7220e7'
    existing-pull-requests: []
    security-updates-only: true
    source:
      directory: /
      provider: github
      repo: ByAgenT/dependabot_go_modules
      branch: main
    package-manager: go_modules
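As an added example (not code from this issue or from Dependabot), a Go check that places a module version on the advisory range quoted in the job yaml. It shows the subtlety a maintainer has to handle here: under strict semver precedence v0.0.0-<timestamp>-<hash> sorts below v0.0.0, so a lower bound written as ">= 0" has to be read as unbounded or every v0.0.0 pseudo-version falls outside the range. Whether that is the cause of the reported behaviour is not established on this page; the function names and the "bare 0 means unbounded" reading are assumptions.

```go
package main

import (
	"slices"
	"strconv"
	"strings"
)

// parseVersion splits "v0.0.0-20190108225652-1e06a53dbb7e" into core [0 0 0] and
// prerelease "20190108225652-1e06a53dbb7e": a pseudo-version is a v0.0.0 prerelease.
func parseVersion(s string) (core [3]int, pre string) {
	nums, pre, _ := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	if pre == "" {
		pre = "~" // releases outrank their prereleases; '~' sorts above every identifier character
	}
	for i, n := range strings.SplitN(nums, ".", 3) {
		core[i], _ = strconv.Atoi(n) // malformed numbers read as 0
	}
	return core, pre
}

// compareVersions applies semver precedence: core numbers, then prerelease strings in
// ASCII order (exact for fixed-width pseudo-version timestamps; per-identifier numeric rule omitted).
func compareVersions(a, b string) int {
	ca, pa := parseVersion(a)
	cb, pb := parseVersion(b)
	if ca != cb {
		return slices.Compare(ca[:], cb[:])
	}
	return strings.Compare(pa, pb)
}

// affected reports whether version satisfies every clause of a range such as
// ">= 0, < 0.0.0-20190813141303-74dc4d7220e7". A bare "0" lower bound is read as unbounded
// (assumption): under strict semver a v0.0.0 pseudo-version sorts BELOW 0.0.0, so a literal
// ">= 0.0.0" would exclude it. An unknown operator matches no case and so fails closed.
func affected(version, spec string) bool {
	for _, clause := range strings.Split(spec, ",") {
		op, bound, _ := strings.Cut(strings.TrimSpace(clause), " ")
		if bound == "0" && strings.HasPrefix(op, ">") {
			continue
		}
		switch c := compareVersions(version, bound); {
		case op == "<" && c >= 0, op == "<=" && c > 0, op == "=" && c != 0,
			op == ">" && c <= 0, op == ">=" && c < 0:
			return false // this clause is not satisfied
		}
	}
	return true
}
```

With the range from the job yaml, the pre-fix pseudo-version is reported as affected while the fixed commit's pseudo-version and v0.1.0 are not; the same input checked against a literal ">= 0.0.0" lower bound comes back as not affected, which is the trap this example is meant to make visible.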
@ByAgenT ByAgenT added the T: bug 🐞 Something isn't working label Jan 27, 2025
@github-actions github-actions bot added the L: go:modules Golang modules label Jan 27, 2025