internal/report: improve version handling

A number of improvements to automatic version handling, including:
    - Split version lists by major version rather than failing if they
    are inconsistent
    - Assume all previous major versions (that exist) are affected
    - Put "non-Go" and "unsupported" version lists in their corresponding
    major version (if it exists)
    - Improve the guessVulnerableAt algorithm by adding consistency checks

Change-Id: I9737dbd7d21848570b8e469804628c0e0a3b0a89
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/594899
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Author: tatianab

internal/cve5/testdata/cve/TestToReport/CVE-2023-45141.txtar

@@ -8,9 +8,11 @@ Expected output of TestToReport/CVE-2023-45141.
 id: GO-ID-PENDING
 modules:
     - module: github.com/gofiber/fiber
-      non_go_versions:
-        - fixed: 2.50.0
       vulnerable_at: 1.14.6
+    - module: github.com/gofiber/fiber/v2
+      versions:
+        - fixed: 2.50.0
+      vulnerable_at: 2.49.2
 summary: CSRF Token Validation Vulnerability in fiber in github.com/gofiber/fiber
 description: |-
     Fiber is an express inspired web framework written in Go. A Cross-Site Request

internal/cve5/testdata/cve/TestToReport/CVE-2023-45286.txtar

@@ -7,6 +7,8 @@ Expected output of TestToReport/CVE-2023-45286.
 -- CVE-2023-45286 --
 id: GO-ID-PENDING
 modules:
+    - module: github.com/go-resty/resty
+      vulnerable_at: 1.12.0
     - module: github.com/go-resty/resty/v2
       versions:
         - introduced: 2.10.0

internal/cve5/testdata/cve/TestToReport/CVE-2024-33522.txtar

@@ -24,8 +24,10 @@ modules:
         - fixed: 3.17.4+incompatible
         - introduced: 3.18.0+incompatible
         - fixed: 3.18.2+incompatible
+      non_go_versions:
         - introduced: 3.19.0-1.0
         - fixed: 3.19.0-2.0
+      vulnerable_at: 3.18.2-networking-calico+incompatible
 summary: Privilege escalation in Calico CNI install binary in github.com/projectcalico/calico
 description: |-
     In vulnerable versions of Calico (v3.27.2 and below), Calico Enterprise
@@ -51,8 +53,6 @@ references:
     - report: https://github.com/projectcalico/calico/issues/7981
 notes:
     - fix: 'module merge error: could not merge versions of module github.com/projectcalico/calico: introduced and fixed versions must alternate'
-    - fix: 'github.com/projectcalico/calico: could not add vulnerable_at: 2 versions do not exist: 3.19.0-1.0, 3.19.0-2.0'
-    - lint: 'modules[2] "github.com/projectcalico/calico": 2 versions do not exist: 3.19.0-1.0, 3.19.0-2.0'
 source:
     id: CVE-2024-33522
     created: 1999-01-01T00:00:00Z

internal/cve5/testdata/proxy/TestToReport.json

@@ -23,6 +23,10 @@
 		"body": "module github.com/consensys/gnark\n\ngo 1.19\n\nrequire (\n\tgithub.com/bits-and-blooms/bitset v1.8.0\n\tgithub.com/blang/semver/v4 v4.0.0\n\tgithub.com/consensys/bavard v0.1.13\n\tgithub.com/consensys/gnark-crypto v0.11.2\n\tgithub.com/fxamacker/cbor/v2 v2.5.0\n\tgithub.com/google/go-cmp v0.5.9\n\tgithub.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b\n\tgithub.com/leanovate/gopter v0.2.9\n\tgithub.com/rs/zerolog v1.30.0\n\tgithub.com/stretchr/testify v1.8.4\n\tgolang.org/x/crypto v0.12.0\n\tgolang.org/x/exp v0.0.0-20230817173708-d852ddb80c63\n\tgolang.org/x/sys v0.11.0\n)\n\nrequire (\n\tgithub.com/kr/text v0.2.0 // indirect\n\tgithub.com/rogpeppe/go-internal v1.11.0 // indirect\n)\n\nrequire (\n\tgithub.com/davecgh/go-spew v1.1.1 // indirect\n\tgithub.com/mattn/go-colorable v0.1.13 // indirect\n\tgithub.com/mattn/go-isatty v0.0.19 // indirect\n\tgithub.com/mmcloughlin/addchain v0.4.0 // indirect\n\tgithub.com/pmezard/go-difflib v1.0.0 // indirect\n\tgithub.com/x448/float16 v0.8.4 // indirect\n\tgopkg.in/yaml.v3 v3.0.1 // indirect\n\trsc.io/tmplfunc v0.0.3 // indirect\n)\n",
 		"status_code": 200
 	},
+	"github.com/go-resty/resty/@latest": {
+		"body": "{\"Version\":\"v1.12.0\",\"Time\":\"2019-02-28T07:26:48Z\"}",
+		"status_code": 200
+	},
 	"github.com/go-resty/resty/v2/@latest": {
 		"body": "{\"Version\":\"v2.13.1\",\"Time\":\"2024-05-11T01:40:23Z\",\"Origin\":{\"VCS\":\"git\",\"URL\":\"https://github.com/go-resty/resty\",\"Ref\":\"refs/tags/v2.13.1\",\"Hash\":\"baf7c1219b781803557018eba206ad8fa544941f\"}}",
 		"status_code": 200
@@ -43,8 +47,16 @@
 		"body": "{\"Version\":\"v1.14.6\",\"Time\":\"2020-09-11T18:56:02Z\"}",
 		"status_code": 200
 	},
-	"github.com/gofiber/fiber/@v/list": {
-		"body": "v1.9.0\nv1.0.2\nv1.14.1\nv1.7.0\nv1.13.3\nv1.2.3\nv0.9.3\nv0.7.0\nv0.8.1\nv1.9.6\nv1.13.1\nv1.8.0\nv1.6.0\nv1.4.2\nv1.12.0-alpha\nv1.0.0\nv1.14.0\nv0.8.0\nv1.8.3\nv1.12.0\nv1.4.3\nv0.6.9\nv1.3.3\nv1.14.4\nv1.14.5\nv1.8.2\nv1.12.6\nv1.12.1\nv1.3.1\nv1.5.0\nv1.14.6\nv1.3.4\nv1.7.1\nv1.4.1\nv1.8.31\nv1.14.3\nv1.9.1\nv1.12.3\nv1.10.0\nv0.9.0\nv1.11.0\nv1.4.4\nv1.12.5\nv1.10.2\nv1.9.4\nv1.3.2\nv1.9.3\nv1.4.0\nv0.9.1\nv1.2.0\nv1.13.2\nv1.12.2\nv1.6.1\nv1.12.4\nv1.10.1\nv1.8.32\nv1.8.33\nv1.8.43\nv1.10.5\nv1.0.1-beta\nv1.9.2\nv1.13.0\nv1.9.5\nv1.8.1\nv1.10.3\nv1.14.2\nv1.0.1\nv1.1.0\nv1.11.1\nv1.8.4\nv1.8.41\nv1.8.42\nv1.8.431\n",
+	"github.com/gofiber/fiber/v2/@latest": {
+		"body": "{\"Version\":\"v2.52.4\",\"Time\":\"2024-03-26T21:40:09Z\",\"Origin\":{\"VCS\":\"git\",\"URL\":\"https://github.com/gofiber/fiber\",\"Ref\":\"refs/tags/v2.52.4\",\"Hash\":\"fd811cf84af282db8ec50adedce01a5886d5fd46\"}}",
+		"status_code": 200
+	},
+	"github.com/gofiber/fiber/v2/@v/list": {
+		"body": "v2.38.1\nv2.37.0-rc.1\nv2.3.0\nv2.33.0\nv2.2.0\nv2.37.0\nv2.30.0\nv2.24.0\nv2.6.0\nv2.22.0\nv2.13.0\nv2.42.0\nv2.31.0\nv2.0.2\nv2.27.0\nv2.0.3\nv2.29.0\nv2.2.4\nv2.49.0\nv2.52.2\nv2.1.2\nv2.49.2\nv2.0.4\nv2.34.0-rc.1\nv2.38.0\nv2.52.1\nv2.25.0\nv2.14.0\nv2.2.5\nv2.35.0\nv2.40.1\nv2.20.2\nv2.28.0\nv2.36.0\nv2.19.0\nv2.0.0\nv2.0.5\nv2.51.0\nv2.34.0\nv2.2.1\nv2.1.3\nv2.4.0\nv2.18.0\nv2.52.0\nv2.12.0\nv2.2.2\nv2.7.1\nv2.8.0\nv2.3.2\nv2.46.0\nv2.34.1\nv2.40.0\nv2.4.1\nv2.39.0\nv2.43.0\nv2.23.0\nv2.48.0\nv2.7.0\nv2.15.0\nv2.26.0\nv2.47.0\nv2.41.0\nv2.1.0\nv2.3.3\nv2.0.1\nv2.50.0\nv2.1.4\nv2.10.0\nv2.3.1\nv2.52.4\nv2.11.0\nv2.9.0\nv2.20.1\nv2.32.0\nv2.49.1\nv2.17.0\nv2.1.1\nv2.2.3\nv2.16.0\nv2.52.3\nv2.21.0\nv2.0.6\nv2.5.0\nv2.44.0\nv2.37.1\nv2.20.0\nv2.45.0\n",
+		"status_code": 200
+	},
+	"github.com/gofiber/fiber/v2/@v/v2.50.0.mod": {
+		"body": "module github.com/gofiber/fiber/v2\n\ngo 1.20\n\nrequire (\n\tgithub.com/google/uuid v1.3.1\n\tgithub.com/mattn/go-colorable v0.1.13\n\tgithub.com/mattn/go-isatty v0.0.19\n\tgithub.com/mattn/go-runewidth v0.0.15\n\tgithub.com/tinylib/msgp v1.1.8\n\tgithub.com/valyala/bytebufferpool v1.0.0\n\tgithub.com/valyala/fasthttp v1.50.0\n\tgolang.org/x/sys v0.13.0\n)\n\nrequire (\n\tgithub.com/andybalholm/brotli v1.0.5 // indirect\n\tgithub.com/klauspost/compress v1.16.7 // indirect\n\tgithub.com/philhofer/fwd v1.1.2 // indirect\n\tgithub.com/rivo/uniseg v0.2.0 // indirect\n\tgithub.com/valyala/tcplisten v1.0.0 // indirect\n)\n",
 		"status_code": 200
 	},
 	"github.com/gvalkov/tailon/@latest": {
@@ -87,6 +99,9 @@
 		"body": "module github.com/projectcalico/calico\n",
 		"status_code": 200
 	},
+	"github.com/projectcalico/calico/v19/@latest": {
+		"status_code": 404
+	},
 	"github.com/projectcalico/calico/v3/@latest": {
 		"status_code": 404
 	},

internal/genericosv/testdata/proxy/TestToReport/GHSA-28r2-q6m8-9hpx.json

@@ -11,6 +11,9 @@
 		"body": "module github.com/hashicorp/go-getter\n\nrequire (\n\tcloud.google.com/go v0.45.1\n\tgithub.com/aws/aws-sdk-go v1.15.78\n\tgithub.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d\n\tgithub.com/cheggaaa/pb v1.0.27\n\tgithub.com/davecgh/go-spew v1.1.1 // indirect\n\tgithub.com/fatih/color v1.7.0 // indirect\n\tgithub.com/hashicorp/go-cleanhttp v0.5.2\n\tgithub.com/hashicorp/go-safetemp v1.0.0\n\tgithub.com/hashicorp/go-version v1.1.0\n\tgithub.com/klauspost/compress v1.11.2\n\tgithub.com/mattn/go-colorable v0.0.9 // indirect\n\tgithub.com/mattn/go-isatty v0.0.4 // indirect\n\tgithub.com/mattn/go-runewidth v0.0.4 // indirect\n\tgithub.com/mitchellh/go-homedir v1.0.0\n\tgithub.com/mitchellh/go-testing-interface v1.0.0\n\tgithub.com/pmezard/go-difflib v1.0.0 // indirect\n\tgithub.com/stretchr/testify v1.2.2 // indirect\n\tgithub.com/ulikunitz/xz v0.5.8\n\tgolang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45\n\tgolang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect\n\tgoogle.golang.org/api v0.9.0\n\tgopkg.in/cheggaaa/pb.v1 v1.0.27 // indirect\n)\n\ngo 1.13\n",
 		"status_code": 200
 	},
+	"github.com/hashicorp/go-getter/gcs/@latest": {
+		"status_code": 404
+	},
 	"github.com/hashicorp/go-getter/gcs/v2/@latest": {
 		"body": "{\"Version\":\"v2.2.2\",\"Time\":\"2024-05-20T18:03:48Z\",\"Origin\":{\"VCS\":\"git\",\"URL\":\"https://github.com/hashicorp/go-getter\",\"Subdir\":\"gcs\",\"Ref\":\"refs/tags/gcs/v2.2.2\",\"Hash\":\"e51bb2079321f75aa76476b0ef7074db4f949396\"}}",
 		"status_code": 200
@@ -23,6 +26,9 @@
 		"body": "module github.com/hashicorp/go-getter/gcs/v2\n\ngo 1.14\n\nreplace github.com/hashicorp/go-getter/v2 =\u003e ../\n\nrequire (\n\tcloud.google.com/go/storage v1.6.0\n\tgithub.com/hashicorp/go-getter/v2 v2.1.0\n\tgoogle.golang.org/api v0.21.0\n)\n",
 		"status_code": 200
 	},
+	"github.com/hashicorp/go-getter/s3/@latest": {
+		"status_code": 404
+	},
 	"github.com/hashicorp/go-getter/s3/v2/@latest": {
 		"body": "{\"Version\":\"v2.2.2\",\"Time\":\"2024-05-20T18:03:48Z\",\"Origin\":{\"VCS\":\"git\",\"URL\":\"https://github.com/hashicorp/go-getter\",\"Subdir\":\"s3\",\"Ref\":\"refs/tags/s3/v2.2.2\",\"Hash\":\"e51bb2079321f75aa76476b0ef7074db4f949396\"}}",
 		"status_code": 200