x/pkgsite: vuln does not report fix versions correctly

[rittneje]

https://pkg.go.dev/vuln/GO-2022-0537

This page currently reads as follows:

Package	Affected Versions
math/big	go1.17.13 and earlier, go1.18.0 - go1.18.5

However, the actual CVE says that it was fixed in 1.17.13 and 1.18.5, so those should not be listed as affected versions.

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

This is just one example. All the pages under https://pkg.go.dev/vuln that I checked have this mistake.

[jamalc]

I believe this is working as intended in CL 411077 but is nonetheless confusing. CC'ing @julieqiu @jba from the Security team. I can understand go1.18.0 - go1.18.5 not being inclusive of go1.18.5 but go1.17.13 and earlier seems incorrect. Should we rework this description or revert to the table configuration?

[rittneje]

@jamalc It would be far less ambiguous to use standard notation. For example:

< go1.17.13
[go1.18.0, go1.18.5)

or

(-∞, go1.17.13)
[go1.18.0, go1.18.5)

[gopherbot]

Change https://go.dev/cl/427934 mentions this issue: internal/vulns: correctly interpret ranges

[jamalc]

Fixed.