Initialize module and dependencies

vendor/golang.org/x/vuln/internal/semver/affects.go

@@ -0,0 +1,94 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package semver
+
+import (
+	"sort"
+
+	"golang.org/x/vuln/internal/osv"
+)
+
+func Affects(a []osv.Range, v string) bool {
+	if len(a) == 0 {
+		// No ranges implies all versions are affected
+		return true
+	}
+	var semverRangePresent bool
+	for _, r := range a {
+		if r.Type != osv.RangeTypeSemver {
+			continue
+		}
+		semverRangePresent = true
+		if ContainsSemver(r, v) {
+			return true
+		}
+	}
+	// If there were no semver ranges present we
+	// assume that all semvers are affected, similarly
+	// to how to we assume all semvers are affected
+	// if there are no ranges at all.
+	return !semverRangePresent
+}
+
+// ContainsSemver checks if semver version v is in the
+// range encoded by ar. If ar is not a semver range,
+// returns false. A range is interpreted as a left-closed
+// and right-open interval.
+//
+// Assumes that
+//   - exactly one of Introduced or Fixed fields is set
+//   - ranges in ar are not overlapping
+//   - beginning of time is encoded with .Introduced="0"
+//   - no-fix is not an event, as opposed to being an
+//     event where Introduced="" and Fixed=""
+func ContainsSemver(ar osv.Range, v string) bool {
+	if ar.Type != osv.RangeTypeSemver {
+		return false
+	}
+	if len(ar.Events) == 0 {
+		return true
+	}
+
+	// Strip and then add the semver prefix so we can support bare versions,
+	// versions prefixed with 'v', and versions prefixed with 'go'.
+	v = canonicalizeSemverPrefix(v)
+
+	// Sort events by semver versions. Event for beginning
+	// of time, if present, always comes first.
+	sort.SliceStable(ar.Events, func(i, j int) bool {
+		e1 := ar.Events[i]
+		v1 := e1.Introduced
+		if v1 == "0" {
+			// -inf case.
+			return true
+		}
+		if e1.Fixed != "" {
+			v1 = e1.Fixed
+		}
+
+		e2 := ar.Events[j]
+		v2 := e2.Introduced
+		if v2 == "0" {
+			// -inf case.
+			return false
+		}
+		if e2.Fixed != "" {
+			v2 = e2.Fixed
+		}
+
+		return Less(v1, v2)
+	})
+
+	var affected bool
+	for _, e := range ar.Events {
+		if !affected && e.Introduced != "" {
+			affected = e.Introduced == "0" || !Less(v, e.Introduced)
+		} else if affected && e.Fixed != "" {
+			affected = Less(v, e.Fixed)
+		}
+	}
+
+	return affected
+}

vendor/golang.org/x/vuln/internal/semver/fixed.go

@@ -0,0 +1,36 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package semver
+
+import "golang.org/x/vuln/internal/osv"
+
+// NonSupersededFix returns a fixed version from ranges
+// that is not superseded by any other fix or any other
+// introduction of a vulnerability. Returns "" in case
+// there is no such fixed version.
+func NonSupersededFix(ranges []osv.Range) string {
+	var latestFixed string
+	for _, r := range ranges {
+		if r.Type == "SEMVER" {
+			for _, e := range r.Events {
+				fixed := e.Fixed
+				if fixed != "" && Less(latestFixed, fixed) {
+					latestFixed = fixed
+				}
+			}
+
+			// If the vulnerability was re-introduced after the latest fix
+			// we found, there is no latest fix for this range.
+			for _, e := range r.Events {
+				introduced := e.Introduced
+				if introduced != "" && introduced != "0" && Less(latestFixed, introduced) {
+					latestFixed = ""
+					break
+				}
+			}
+		}
+	}
+	return latestFixed
+}

vendor/golang.org/x/vuln/internal/semver/semver.go

@@ -0,0 +1,140 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package semver provides shared utilities for manipulating
+// Go semantic versions.
+package semver
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+
+	"golang.org/x/mod/semver"
+)
+
+// addSemverPrefix adds a 'v' prefix to s if it isn't already prefixed
+// with 'v' or 'go'. This allows us to easily test go-style SEMVER
+// strings against normal SEMVER strings.
+func addSemverPrefix(s string) string {
+	if !strings.HasPrefix(s, "v") && !strings.HasPrefix(s, "go") {
+		return "v" + s
+	}
+	return s
+}
+
+// removeSemverPrefix removes the 'v' or 'go' prefixes from go-style
+// SEMVER strings, for usage in the public vulnerability format.
+func removeSemverPrefix(s string) string {
+	s = strings.TrimPrefix(s, "v")
+	s = strings.TrimPrefix(s, "go")
+	return s
+}
+
+// canonicalizeSemverPrefix turns a SEMVER string into the canonical
+// representation using the 'v' prefix, as used by the OSV format.
+// Input may be a bare SEMVER ("1.2.3"), Go prefixed SEMVER ("go1.2.3"),
+// or already canonical SEMVER ("v1.2.3").
+func canonicalizeSemverPrefix(s string) string {
+	return addSemverPrefix(removeSemverPrefix(s))
+}
+
+// Less returns whether v1 < v2, where v1 and v2 are
+// semver versions with either a "v", "go" or no prefix.
+func Less(v1, v2 string) bool {
+	return semver.Compare(canonicalizeSemverPrefix(v1), canonicalizeSemverPrefix(v2)) < 0
+}
+
+// Valid returns whether v is valid semver, allowing
+// either a "v", "go" or no prefix.
+func Valid(v string) bool {
+	return semver.IsValid(canonicalizeSemverPrefix(v))
+}
+
+var (
+	// Regexp for matching go tags. The groups are:
+	// 1  the major.minor version
+	// 2  the patch version, or empty if none
+	// 3  the entire prerelease, if present
+	// 4  the prerelease type ("beta" or "rc")
+	// 5  the prerelease number
+	tagRegexp = regexp.MustCompile(`^go(\d+\.\d+)(\.\d+|)((beta|rc|-pre)(\d+))?$`)
+)
+
+// This is a modified copy of pkgsite/internal/stdlib:VersionForTag.
+func GoTagToSemver(tag string) string {
+	if tag == "" {
+		return ""
+	}
+
+	tag = strings.Fields(tag)[0]
+	// Special cases for go1.
+	if tag == "go1" {
+		return "v1.0.0"
+	}
+	if tag == "go1.0" {
+		return ""
+	}
+	m := tagRegexp.FindStringSubmatch(tag)
+	if m == nil {
+		return ""
+	}
+	version := "v" + m[1]
+	if m[2] != "" {
+		version += m[2]
+	} else {
+		version += ".0"
+	}
+	if m[3] != "" {
+		if !strings.HasPrefix(m[4], "-") {
+			version += "-"
+		}
+		version += m[4] + "." + m[5]
+	}
+	return version
+}
+
+// This is a modified copy of pkgsite/internal/stlib:TagForVersion
+func SemverToGoTag(v string) string {
+	// Special case: v1.0.0 => go1.
+	if v == "v1.0.0" {
+		return "go1"
+	}
+
+	goVersion := semver.Canonical(v)
+	prerelease := semver.Prerelease(goVersion)
+	versionWithoutPrerelease := strings.TrimSuffix(goVersion, prerelease)
+	patch := strings.TrimPrefix(versionWithoutPrerelease, semver.MajorMinor(goVersion)+".")
+	if patch == "0" && (semver.Compare(v, "v1.21.0") < 0 || prerelease != "") {
+		// Starting with go1.21.0, the first patch version includes .0.
+		// Prereleases do not include .0 (we don't do prereleases for other patch releases).
+		versionWithoutPrerelease = strings.TrimSuffix(versionWithoutPrerelease, ".0")
+	}
+	goVersion = fmt.Sprintf("go%s", strings.TrimPrefix(versionWithoutPrerelease, "v"))
+	if prerelease != "" {
+		i := finalDigitsIndex(prerelease)
+		if i >= 1 {
+			// Remove the dot.
+			prerelease = prerelease[:i-1] + prerelease[i:]
+		}
+		goVersion += prerelease
+	}
+	return goVersion
+}
+
+// finalDigitsIndex returns the index of the first digit in the sequence of digits ending s.
+// If s doesn't end in digits, it returns -1.
+func finalDigitsIndex(s string) int {
+	// Assume ASCII (since the semver package does anyway).
+	var i int
+	for i = len(s) - 1; i >= 0; i-- {
+		if s[i] < '0' || s[i] > '9' {
+			break
+		}
+	}
+	if i == len(s)-1 {
+		return -1
+	}
+	return i + 1
+}