Question: Incorrect Sonatype version reference

[jmdacruz]

Question

Sonatype index is using incorrect versions for recommended fixes (e.g., v18.0.5 instead of v0.18.5): https://ossindex.sonatype.org/vulnerability/CVE-2024-32886?component-type=golang&component-name=vitess.io%2Fvitess&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.41

This means that even when updating to v0.18.5 in a project's go.mod, tools such as nancy will still report the vulnerability. I've sent an email to the sonartype OSS index, pointing to this issue/question.

[deepthi]

Thank you for raising this.
cc @systay @dbussink:
The background to this is that go module versioning doesn't play nice with the way we do our SemVer. So whenever we do a release, we tag it with two versions e.g 18.0.5 and 0.18.5. This allows people to import vitess as a dependency in go.mod using 0.18.5 as the version.

[dbussink]

Fwiw, it looks like Dependabot does handle this correctly and does the correct version inference. I've seen it open correct PRs to update a Vitess dependency to resolve this issue. So not sure really what the expectation here is and if this is more something for Sonatype to handle, or if we need to change what we publish?