vulnfeeds: repo mapping not getting the right commits

[oliverchang]

Looking at

osv.dev/vulnfeeds/git/repository_test.go

Line 78 in bf67aaf

{Tag: "aide.0.10.release", Commit: "02961dda0a1f114802e107bad93108c9b9d092ed"},

:

and e.g.

				// https://github.com/aide/aide
				{Tag: "v0.17.4", Commit: "49e8faad5e2ed9ab2de54f6858ee223f918abac4"},
				{Tag: "v0.18", Commit: "8ed48ad5ba180cd3ce30a3c41d42bad3779d9f26"},
				{Tag: "v0.18.1", Commit: "5ee3529c3014b4238231885b1403faa3e1affb5c"},

It looks like we're not actually resolving the right commits

for e.g. "v0.18.1", the commit is not "5ee3529c3014b4238231885b1403faa3e1affb5c".

"5ee3529c3014b4238231885b1403faa3e1affb5c" is instead the SHA1 id of the tag itself. We need instead the dereferenced commit SHA from this.

e.g. if I do

$ git show 5ee3529c3014b4238231885b1403faa3e1affb5c

That will give:

commit de5bb24b9b24df7598161a1ce19dc2ce15afa9c6 (tag: v0.18.1)

We can also get this commit SHA from git ls-remote https://github.com/aide/aide:

5ee3529c3014b4238231885b1403faa3e1affb5c        refs/tags/v0.18.1
de5bb24b9b24df7598161a1ce19dc2ce15afa9c6        refs/tags/v0.18.1^{}
d5499cbd3bf4ce6183f5ae3ce18e6e153e48ac9b        refs/tags/v0.18.2
3d5b18b9e5e1c51533ac01d8acd3499b2f9fcc2e        refs/tags/v0.18.2^{}

By picking the hash with the "^{}" after the "refs/tags/*".

[andrewpollock]

Ah, I think this is the good old lightweight versus annotated tag problem. I'll look into it further.

[andrewpollock]

I spent a bit of time digging around in the entrails of the go-git code, and it doesn't look like remote reference listing code currently supports peeled tags, based on my understanding of things (go-git/go-git#749). I'll wait a few days to see if I get a response, and then I might need to do something icky like shelling out to git ls-remote instead :-(