internal/report,data/osv: add explanation of non-Go versions

For unreviewed reports with "non_go_versions", add an explanation
that the versions list may not match external advisories to the
"details" section of the OSV.

In the future, this should probably be part of the pkgsite UI, or embedded
in structured OSV field, instead of placed in the OSV details, but it is
causing enough confusion that it seems worth it to clarify this sooner rather
than later.

Change-Id: Id1409182f7fdef37c0a781d6e2ba06b1fc57c080
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/596182
Reviewed-by: Roland Shoemaker <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: tatianab

data/osv/GO-2024-2428.json

@@ -8,7 +8,7 @@
     "GHSA-fp9f-44c2-cw27"
   ],
   "summary": "Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation in k8s.io/ingress-nginx",
-  "details": "Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation in k8s.io/ingress-nginx",
+  "details": "Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation in k8s.io/ingress-nginx.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: k8s.io/ingress-nginx before v1.9.0.",
   "affected": [
     {
       "package": {

data/osv/GO-2024-2430.json

@@ -8,7 +8,7 @@
     "GHSA-qc6v-g3xw-grmx"
   ],
   "summary": "Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs",
-  "details": "Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs",
+  "details": "Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.",
   "affected": [
     {
       "package": {

data/osv/GO-2024-2431.json

@@ -8,7 +8,7 @@
     "GHSA-4248-p65p-hcrm"
   ],
   "summary": "Insecure random string generator used for sensitive data in github.com/cubefs/cubefs",
-  "details": "Insecure random string generator used for sensitive data in github.com/cubefs/cubefs",
+  "details": "Insecure random string generator used for sensitive data in github.com/cubefs/cubefs.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.",
   "affected": [
     {
       "package": {

data/osv/GO-2024-2432.json

@@ -8,7 +8,7 @@
     "GHSA-8579-7p32-f398"
   ],
   "summary": "CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs",
-  "details": "CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs",
+  "details": "CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.",
   "affected": [
     {
       "package": {

data/osv/GO-2024-2433.json

@@ -8,7 +8,7 @@
     "GHSA-8h2x-gr2c-c275"
   ],
   "summary": "CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs",
-  "details": "CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs",
+  "details": "CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.",
   "affected": [
     {
       "package": {

data/osv/GO-2024-2434.json

@@ -8,7 +8,7 @@
     "GHSA-vwch-g97w-hfg2"
   ],
   "summary": "CubeFS leaks users key in logs in github.com/cubefs/cubefs",
-  "details": "CubeFS leaks users key in logs in github.com/cubefs/cubefs",
+  "details": "CubeFS leaks users key in logs in github.com/cubefs/cubefs.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.",
   "affected": [
     {
       "package": {

data/osv/GO-2024-2442.json

@@ -7,7 +7,7 @@
     "GHSA-76cc-p55w-63g3"
   ],
   "summary": "Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport",
-  "details": "Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport",
+  "details": "Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/gravitational/teleport from v13.0.0 before v13.4.13, from v14.0.0 before v14.2.4.",
   "affected": [
     {
       "package": {

data/osv/GO-2024-2444.json

@@ -8,7 +8,7 @@
     "GHSA-9w97-9rqx-8v4j"
   ],
   "summary": "Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server",
-  "details": "Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server",
+  "details": "Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.",
   "affected": [
     {
       "package": {

data/osv/GO-2024-2445.json

@@ -7,7 +7,7 @@
     "GHSA-c9v7-wmwj-vf6x"
   ],
   "summary": "SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport",
-  "details": "SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport",
+  "details": "SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/gravitational/teleport before v12.4.31, from v13.0.0 before v13.4.13, from v14.0.0 before v14.2.4.",
   "affected": [
     {
       "package": {

data/osv/GO-2024-2446.json

@@ -8,7 +8,7 @@
     "GHSA-h3gq-j7p9-x3p4"
   ],
   "summary": "Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server",
-  "details": "Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server",
+  "details": "Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.",
   "affected": [
     {
       "package": {