internal/vulncheck: explicitly exclude devel from affected ranges

For now, "(devel)" should never be matched.

Change-Id: Ia6b001caef1a1faf093b6757f3fb89d27e160bb2
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/598715
Reviewed-by: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

internal/vulncheck/vulncheck.go

@@ -150,18 +150,10 @@ func affectingVulnerabilities(vulns []*ModVulns, os, arch string) affectingVulns
 				if a.Module.Path != module.Path {
 					continue
 				}
-
-				// A module version is affected if
-				//  - it is included in one of the affected version ranges
-				//  - and module version is not ""
-				if modVersion == "" {
-					// Module version of "" means the module version is not available,
-					// and so we don't want to spam users with potential false alarms.
-					continue
-				}
-				if !semver.Affects(a.Ranges, modVersion) {
+				if !affected(modVersion, a) {
 					continue
 				}
+
 				var filteredImports []osv.Package
 				for _, p := range a.EcosystemSpecific.Packages {
 					if matchesPlatform(os, arch, p) {
@@ -196,6 +188,21 @@ func affectingVulnerabilities(vulns []*ModVulns, os, arch string) affectingVulns
 	return filtered
 }
 
+// affected checks if modVersion is affected by a:
+//   - it is included in one of the affected version ranges
+//   - and module version is not "" and "(devel)"
+func affected(modVersion string, a osv.Affected) bool {
+	const devel = "(devel)"
+	if modVersion == "" || modVersion == devel {
+		// Module version of "" means the module version is not available
+		// and devel means it is in development stage. Either way, we don't
+		// know the exact version so we don't want to spam users with
+		// potential false alarms.
+		return false
+	}
+	return semver.Affects(a.Ranges, modVersion)
+}
+
 func matchesPlatform(os, arch string, e osv.Package) bool {
 	return matchesPlatformComponent(os, e.GOOS) &&
 		matchesPlatformComponent(arch, e.GOARCH)