Some GHSAs for Go modules seem to record a "version" that is not a valid version for go modules: - [GHSA-8r25-68wm-jw35](https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-8r25-68wm-jw35/GHSA-8r25-68wm-jw35.json) - [GHSA-9hxg-w7qf-hh93](https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hxg-w7qf-hh93/GHSA-9hxg-w7qf-hh93.json) - [GHSA-g8xm-p2h4-v6jp](https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-g8xm-p2h4-v6jp/GHSA-g8xm-p2h4-v6jp.json) - [GHSA-h374-mm57-879c](https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-h374-mm57-879c/GHSA-h374-mm57-879c.json) - [GHSA-pxmr-q2x3-9x9m](https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-pxmr-q2x3-9x9m/GHSA-pxmr-q2x3-9x9m.json) Given that Go versions are documented to be SemVer versions, the versions should be validated as SemVer versions. See also: google/osv.dev#5173
Some GHSAs for Go modules seem to record a "version" that is not a valid version for go modules:
Given that Go versions are documented to be SemVer versions, the versions should be validated as SemVer versions.
See also: google/osv.dev#5173