Description
Hello GitHub Advisory Database team,
I'm Eva Sarafianou, leading Product Security for Mattermost.
I'm opening this issue because GitHub Advisories for Mattermost currently include affected versions using Go pseudo-versions for github.com/mattermost/mattermost/server/v8. Unfortunately, this is causing false positives in vulnerability scanners like Trivy and confusion among our customers.
Examples:
Why pseudo-versions don't reflect shipped artifacts
Mattermost uses Go module workspaces (go.work) to build our server releases. Our open-source server module (defined here) is compiled together with our Enterprise layer (in a private repository) within a workspace.
In a workspace build, go.mod references to github.com/mattermost/mattermost/server/v8 are overridden by local filesystem sources at build time; the pseudo-versioned module is never actually fetched or used. As a result, the shipped binary corresponds to a specific Mattermost Server release (e.g., 10.11.x, 10.12.x, 11.0.x), not a server/v8@<pseudo-version>.
This means listing server/v8@<pseudo-version> as an affected version doesn't accurately represent what customers receive.
Our request
Going forward, we'd appreciate it if Mattermost advisories could reference Mattermost Server release versions (e.g., 10.11.x, 10.12.x, 11.0.x) rather than server/v8 pseudo-version ranges, since release versions are what customers actually consume and what our own advisories use.
If it's feasible to update the existing advisories linked above as well, that would certainly help reduce ongoing customer confusion, but our primary goal is to align on the right approach for future entries.
Happy to provide more details, as needed.
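To make the build-time override described in the issue concrete, here is an added Go example (not part of the issue and not Mattermost code). It mimics two views of the same dependency: a scanner that reads only `go.mod` sees a pseudo-version requirement for `github.com/mattermost/mattermost/server/v8` and reports on it, while a workspace-aware resolver notices that a `go.work` `use` directory declares that module path, so the local source is what gets built and the pseudo-versioned module is never fetched. It also splits a pseudo-version into its base tag, timestamp and commit prefix, which is why such a string identifies a commit rather than a shipped release. The `go.mod` and `go.work` contents, the pseudo-version `v8.0.0-20240101120000-abcdef123456` and the module `example.com/mattermost-build` are constructed for the example; only the `server/v8` module path comes from the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// PseudoVersion is a Go pseudo-version split into its parts. A pseudo-version
// names a commit, not a release: the base is the nearest tag (or vX.0.0 when
// there is none), followed by a UTC timestamp and a 12-character commit prefix.
type PseudoVersion struct {
	Base      string // e.g. "v8.0.0" or "v8.1.0-pre"
	Timestamp string // yyyymmddhhmmss, UTC
	Commit    string // 12 hex characters of the commit hash
}

// The three shapes documented in the Go modules reference:
//   vX.0.0-yyyymmddhhmmss-abcdefabcdef         no tagged base
//   vX.Y.(Z+1)-0.yyyymmddhhmmss-abcdefabcdef   base is release tag vX.Y.Z
//   vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef   base is pre-release tag vX.Y.Z-pre
var pseudoRe = regexp.MustCompile(
	`^(v\d+\.\d+\.\d+)(?:-|-0\.|(-[0-9A-Za-z.-]+?)\.0\.)(\d{14})-([0-9a-f]{12})$`)

// ParsePseudoVersion reports whether v is a pseudo-version and, if so, its parts.
func ParsePseudoVersion(v string) (PseudoVersion, bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return PseudoVersion{}, false
	}
	return PseudoVersion{Base: m[1] + m[2], Timestamp: m[3], Commit: m[4]}, true
}

// directives returns the arguments of every single-line or block-form
// directive called name ("use", "require", "module") in a go.mod/go.work file.
func directives(src, name string) [][]string {
	var out [][]string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 { // drop comments such as "// indirect"
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock:
			out = append(out, f)
		case f[0] == name && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == name:
			out = append(out, f[1:])
		}
	}
	return out
}

// Resolution records where a build actually takes a module from.
type Resolution struct {
	Module     string
	Version    string // version required by go.mod; empty when workspace-overridden
	Source     string // workspace directory, or "module cache"
	Overridden bool   // true when a go.work "use" directory provides the module
}

// ResolveModule mimics a workspace build: if a directory listed in go.work
// declares the target module path, the local source wins and the version in
// go.mod is never fetched. An empty goWork is what a go.mod-only scanner sees.
func ResolveModule(goWork string, workspaceGoMods map[string]string, appGoMod, target string) Resolution {
	res := Resolution{Module: target, Source: "module cache"}
	for _, req := range directives(appGoMod, "require") {
		if len(req) >= 2 && req[0] == target {
			res.Version = req[1]
		}
	}
	for _, use := range directives(goWork, "use") {
		if len(use) == 0 {
			continue
		}
		for _, mod := range directives(workspaceGoMods[use[0]], "module") {
			if len(mod) == 1 && mod[0] == target {
				return Resolution{Module: target, Source: use[0], Overridden: true}
			}
		}
	}
	return res
}

// Constructed sample inputs for this example; not taken from any real repository.
var (
	Target = "github.com/mattermost/mattermost/server/v8"

	SampleAppGoMod = `module example.com/mattermost-build // hypothetical build module

go 1.22

require (
	github.com/mattermost/mattermost/server/v8 v8.0.0-20240101120000-abcdef123456 // constructed pseudo-version
	github.com/example/other v1.2.3 // constructed
)
`
	SampleGoWork = "go 1.22\n\nuse (\n\t.\n\t./server\n)\n"

	SampleWorkspaceGoMods = map[string]string{
		".":        SampleAppGoMod,
		"./server": "module github.com/mattermost/mattermost/server/v8\n\ngo 1.22\n",
	}
)

func main() {
	naive := ResolveModule("", nil, SampleAppGoMod, Target)
	fmt.Printf("go.mod only:  version=%q source=%s\n", naive.Version, naive.Source)
	if pv, ok := ParsePseudoVersion(naive.Version); ok {
		fmt.Printf("  that pseudo-version names commit %s (base %s, %s UTC), not a release\n",
			pv.Commit, pv.Base, pv.Timestamp)
	}
	ws := ResolveModule(SampleGoWork, SampleWorkspaceGoMods, SampleAppGoMod, Target)
	fmt.Printf("with go.work: overridden=%v source=%s version=%q\n", ws.Overridden, ws.Source, ws.Version)
}
```

Running it prints the go.mod-only view first (the pseudo-version a scanner matches against an advisory range) and then the workspace view, where the module resolves to `./server` with no version at all. A scanner that wants to avoid this class of false positive has to consult the artefact that was actually shipped (the release version of the binary) rather than the `go.mod` of one module inside the workspace.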