Describe the bug
There are multiple GHSAs with invalid semver events.
To Reproduce
{
  for v in GHSA-8r25-68wm-jw35 GHSA-9hxg-w7qf-hh93 GHSA-g8xm-p2h4-v6jp GHSA-h374-mm57-879c GHSA-pxmr-q2x3-9x9m; do
    curl -sSfL "https://api.osv.dev/v1/vulns/$v"
  done
} | jq -r '
  .id as $id
  | .affected[]
  | .package.purl as $purl
  | .ranges[]
  | select(.type=="SEMVER")
  | .events[]
  | to_entries[]
  | select(
      .value
      | test("^0$|^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$")
      | not // empty
    )
  | [$id, $purl, .key, .value]
  | @csv'
Output
"GHSA-8r25-68wm-jw35","pkg:golang/github.com/0xJacky/Nginx-UI","fixed","2.0.0.beta.9"
"GHSA-9hxg-w7qf-hh93","pkg:golang/gogs.io/gogs","fixed","0.11.82.1218"
"GHSA-g8xm-p2h4-v6jp","pkg:golang/github.com/openshift/assisted-installer","fixed","1.0.25.1"
"GHSA-h374-mm57-879c","pkg:golang/github.com/0xJacky/Nginx-UI","fixed","2.0.0.beta.9"
"GHSA-pxmr-q2x3-9x9m","pkg:golang/github.com/0xJacky/Nginx-UI","fixed","2.0.0.beta.9"
The flagged events are not valid semver strings (they all have trailing dotted portions).
Expected behaviour
SEMVER-type events should have valid semver strings, excepting the special values.
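Added example (not part of the original report, and not OSV's own code): an offline Python version of the same check that also reports what follows the MAJOR.MINOR.PATCH core of each rejected value. The record in `SAMPLE` is constructed, the names `check_event` and `invalid_semver_events` are assumptions, and only "0" is treated as a special value, as in the jq filter above.

```python
import re

# semver.org reference pattern, the same one the jq filter tests against.
CORE = r"(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
IDENT = r"(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
SEMVER = re.compile(
    CORE + r"(?:-(" + IDENT + r"(?:\." + IDENT + r")*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?"
)
CORE_RE = re.compile(CORE)

# Constructed record in OSV shape; id and purl are placeholders.
SAMPLE = {
    "id": "EXAMPLE-0000",
    "affected": [{
        "package": {"purl": "pkg:golang/example.com/mod"},
        "ranges": [
            {"type": "SEMVER",
             "events": [{"introduced": "0"}, {"fixed": "2.0.0.beta.9"}]},
            # Non-SEMVER ranges are out of scope for this check.
            {"type": "ECOSYSTEM",
             "events": [{"introduced": "0"}, {"fixed": "1.0.25.1"}]},
        ],
    }],
}

def check_event(value):
    """Return None if value is "0" or valid semver, else the text left
    after the MAJOR.MINOR.PATCH core (the whole value if there is no core)."""
    if value == "0" or SEMVER.fullmatch(value):
        return None
    core = CORE_RE.match(value)
    return value[core.end():] if core else value

def invalid_semver_events(record):
    """List (id, purl, event key, value, trailing text) for bad SEMVER events."""
    rows = []
    for affected in record.get("affected", []):
        purl = affected.get("package", {}).get("purl")
        for rng in affected.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue
            for event in rng.get("events", []):
                for key, value in event.items():
                    rest = check_event(value)
                    if rest is not None:
                        rows.append((record["id"], purl, key, value, rest))
    return rows

if __name__ == "__main__":
    for row in invalid_semver_events(SAMPLE):
        print(row)
```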