POST /v1/query - returns wrong results for probably malformed purl (helmv3)

[idangur-cglx]

Describe the bug
When using the API I am getting all of the vulnerabilities that ever existed for helmv3 for the following purl:
pkg:golang/helm.sh/helm/v3@v0.0.0-20251112130104-8766e718a011 (v3.19.2 / latest)
that purl was fetched from an SBOM generated by Syft and there is no alias with the proper version, when using the purl:
pkg:golang/helm.sh/helm/v3@v3.19.2
it returns no vulnerabilities as expected

To Reproduce
Steps to reproduce the behavior:

1. POST /v1/query - data: {"package": {"purl": "pkg:golang/helm.sh/helm/v3@v0.0.0-20251112130104-8766e718a011"}}
2. See results returned
3. POST /v1/query - data: {"package": {"purl": "pkg:golang/helm.sh/helm/v3@v3.19.2"}}
4. No vulnerabilities

Expected behavior
To receive no vulnerabilities when querying this or a malformed version instead of all of them

[michaelkedar]

Hi,
That is an invalid go version for that package (it's curious that Syft produces it):

$ go get helm.sh/helm/v3@v0.0.0-20251112130104-8766e718a011
go: helm.sh/helm/v3@v0.0.0-20251112130104-8766e718a011: invalid version: module path includes a major version suffix, so major version must match

but the issue would still exist if using helm.sh/helm/v3@v3.0.0-20251112130104-8766e718a011, which go does install (even though that commit maps exactly to 3.19.2).

The problem is all the records list introduced: 0, indicating that every version before the fixed version should be considered affected, and per the semver comparison rules, 3.0.0-xyz < 3.0.0.

I don't think it's feasible for OSV to make the determination of whether versions are generally valid, nor feasible for us to attempt to evaluate psuedoversions to determine their true ordering (and changes the interpretation of SEMVER ranges)

[idangur-cglx]

Hey and thanks for the answer,
So what would be the best course of action here? to open an issue to syft about creating a malformed go version?

Is it not optional to return no vulns for an invalid go version?