data/reports: unexclude GO-2024-2539.yaml

This is a previously-excluded binary report used
to demonstrate the usage of the new "non_go_versions" field.

Aliases: CVE-2024-23319, GHSA-4fp6-574p-fc35

For #2539

Change-Id: I06fa51de3e32d78bdc53bf8262e84d92e5af2d95
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/568058
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

Author: tatianab

data/excluded/GO-2024-2539.yaml

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2539",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-23319",
+    "GHSA-4fp6-574p-fc35"
+  ],
+  "summary": "Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira",
+  "details": "Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-plugin-jira",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.1.2-0.20230830170046-f4cf4c6de017"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/mattermost/mattermost-plugin-jira/server",
+            "symbols": [
+              "Plugin.httpOAuth1aDisconnect",
+              "Plugin.initializeRouter"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23319"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/mattermost/mattermost-plugin-jira/commit/f4cf4c6de017ef6aa4428d393b78f418dd84cd8e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2539"
+  }
+}

data/osv/GO-2024-2539.json

@@ -0,0 +1,24 @@
+id: GO-2024-2539
+modules:
+    - module: github.com/mattermost/mattermost-plugin-jira
+      versions:
+        - fixed: 1.1.2-0.20230830170046-f4cf4c6de017
+      non_go_versions:
+        - fixed: 4.0.0-rc2
+      vulnerable_at: 1.1.2-0.20230829214939-57856e474934
+      packages:
+        - package: github.com/mattermost/mattermost-plugin-jira/server
+          symbols:
+            - Plugin.httpOAuth1aDisconnect
+            - Plugin.initializeRouter
+summary: |-
+    Cross-site request forgery via logout button in
+    github.com/mattermost/mattermost-plugin-jira
+cves:
+    - CVE-2024-23319
+ghsas:
+    - GHSA-4fp6-574p-fc35
+references:
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-23319
+    - fix: https://github.com/mattermost/mattermost-plugin-jira/commit/f4cf4c6de017ef6aa4428d393b78f418dd84cd8e
+    - web: https://mattermost.com/security-updates

data/reports/GO-2024-2539.yaml

@@ -103,6 +103,22 @@ A non-Go version range can be used to specify versions used by
 module maintainers that do not conform to [Go's module
 version conventions](https://go.dev/doc/modules/version-numbers).
 
+An example is data/reports/GO-2024-2539.yaml, whose vulnerable versions
+are listed as:
+
+```yaml
+versions:
+  - fixed: 1.1.2-0.20230830170046-f4cf4c6de017
+non_go_versions:
+  - fixed: 4.0.0-rc2
+vulnerable_at: 1.1.2-0.20230829214939-57856e474934
+```
+
+The [GHSA](https://github.com/advisories/GHSA-4fp6-574p-fc35) for this report
+lists a fixed version, `4.0.0-rc2`, which is not known to the module proxy.
+To encode this, we list that version as a "non-Go" version, and put the
+pseudo-version corresponding to the fix commit in the regular `versions` section.
+
 ### `module.vulnerable_at`
 
 type `string`