From 0235df961d09c8ee7daff63bfd34a49f7a82e8b1 Mon Sep 17 00:00:00 2001
From: Kawsar Ahmed Bhuiyan
Date: Thu, 27 Nov 2025 23:44:31 -0500
Subject: [PATCH] Fix false positive for mutable action version tags

Add non_vulnerable_exact_versions field to exclude mutable tags like 'v4' from vulnerability checks.

- Added non_vulnerable_exact_versions to advisory structure
- Updated matching logic to check exclusions before semver matching
- Added 'v4' to GHSA-cxww-7g56-2vh6 exclusion list

Fixes #245
---
 opa/rego/external/osv.rego | 1 +
 opa/rego/rules/known_vulnerability_in_build_component.rego | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/opa/rego/external/osv.rego b/opa/rego/external/osv.rego
index 375ac0f6..5321f8da 100644
--- a/opa/rego/external/osv.rego
+++ b/opa/rego/external/osv.rego
@@ -273,6 +273,7 @@ advisories = {
         "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
     }],
     "cwe_ids": [],
+    "non_vulnerable_exact_versions": ["v4"],
     "vulnerable_versions": [],
     "vulnerable_version_ranges": [">=4,<4.1.7"],
     "vulnerable_commit_shas": [],
diff --git a/opa/rego/rules/known_vulnerability_in_build_component.rego b/opa/rego/rules/known_vulnerability_in_build_component.rego
index 42202c02..1773262d 100644
--- a/opa/rego/rules/known_vulnerability_in_build_component.rego
+++ b/opa/rego/rules/known_vulnerability_in_build_component.rego
@@ -18,10 +18,13 @@ rule := poutine.rule(rego.metadata.chain())
 step_advisory(step) = advisory if {
 	parts = split(step.uses, "@")
 	action := parts[0]
-	version := trim_left(parts[1], "v")
+	raw_version := parts[1]
+	version := trim_left(raw_version, "v")
 	advisory := advisories[osv_id]
 	advisory.package_name == action
+	not raw_version in advisory.non_vulnerable_exact_versions
+	regex.match("^[0-9]+(\\.[0-9]+)*?$", version)
 	semver.constraint_check(advisory.vulnerable_version_ranges[_], version)
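Review bot: The `"v4"` entry encodes a point-in-time fact about a mutable tag — presumably that the tag currently resolves to a release outside `>=4,<4.1.7` — but nothing on the line records that assumption, so a later reader cannot tell whether the exclusion is still valid or how it was established. A short comment next to the new line, e.g. `# mutable major tag; assumed to track a release >= 4.1.7 — re-verify whenever this advisory is refreshed`, would make the suppression reviewable, and if this advisories table is regenerated from OSV the exclusion also needs a way to survive regeneration. Since the rule matches the list literally against the `@` suffix, only the exact string `v4` is skipped while other tag shapes (`4`, `v4.1`) still fall through to the range check; the tag forms this list is meant to cover are worth stating in the same comment.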