internal/{osv,report}: add support for non-Go version ranges

A non-Go version range can be used to specify versions used by
module maintainers that do not conform to Go's module
version conventions (https://go.dev/doc/modules/version-numbers).

For now, these versions are not published in OSV. In the future,
they will likely be published in an ecosystem_specific field
and used for display purposes.

Change-Id: I3fcd13a832fd91bce3dfaccd56e63a06e95410b3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/568057
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

Author: tatianab

doc/format.md

@@ -91,6 +91,18 @@ The version at which the vulnerability was fixed.
 If this field is omitted, it is assumed that every version since the
 `introduced` version is vulnerable.
 
+### `module.non_go_versions`
+
+type `string`
+
+(Optional - used only in special cases, usually for binary reports.)
+
+The non-Go version range(s) at which the package is vulnerable.
+
+A non-Go version range can be used to specify versions used by
+module maintainers that do not conform to [Go's module
+version conventions](https://go.dev/doc/modules/version-numbers).
+
 ### `module.vulnerable_at`
 
 type `string`

internal/report/report.go

@@ -39,6 +39,9 @@ type UnsupportedVersion struct {
 type Module struct {
 	Module   string         `yaml:",omitempty"`
 	Versions []VersionRange `yaml:",omitempty"`
+	// Versions that are not known to the module proxy, but
+	// that may be useful to display to humans.
+	NonGoVersions []VersionRange `yaml:"non_go_versions,omitempty"`
 	// Version types that exist in OSV, but we don't support.
 	// These may be added when automatically creating a report,
 	// but must be deleted in order to pass lint checks.