x/pkgsite: reports vulnerabilities incorrectly for default branch

[codyoss]

What is the URL of the page with the issue?

https://pkg.go.dev/net/http@master

Screenshot

What did you do?

Go to the link above

What did you expect to see?

Not so many vulnerabilities reported. I believe that most(all?) of these are actually fixed on HEAD. Maybe vulns should only be reported on released versions?

What did you see instead?

A lot of vulnerabilities listed.

[codyoss]

Some of these are maybe valid and just have not had a release yet, I am not sure. But there are for sure some really old ones listed too, example: https://pkg.go.dev/vuln/GO-2022-0761

[findleyr]

CC @julieqiu @jamalc

[jamalc]

I think the solution here is to not show vuln information on stdlib pages at master. These vulns show up because the tag master translates to a psuedoversion (e.g., v0.0.0-20230104211531-bae7d772e800) which is within the vulnerable range according to golang.org/x/vuln/osv.Affects.AffectsSemver.

cc @golang/security

[gopherbot]

Change https://go.dev/cl/460817 mentions this issue: internal/vulns: disable display of vulns for stdlib pages at master