False positive about a vulnerable action version number #245

Open
johnbillion opened this issue Dec 10, 2024 · 1 comment

Comments

@johnbillion

Describe the bug

I'm getting the following error for a workflow that uses actions/download-artifact@v4:

The workflow or action depends on a GitHub Action with known vulnerabilities.

Reading GHSA-cxww-7g56-2vh6 for actions/download-artifact, the description says:

Alternatively use 'v4' tag which points to the latest and secure version.

To Reproduce

  1. Create a workflow file that uses actions/download-artifact@v4
  2. Run Poutine on the file
  3. Observe the above error message

Expected behavior

Using @v4 should be considered "safe" as far as this rule is concerned. Whether or not it should use a pinned SHA hash is a separate concern.

Screenshots

@fproulx-boostsecurity
Contributor

@johnbillion thanks for the report. Looks like in order to fix this we will need to make improvements to the matching logic, as when we see “v4” we currently expand it to “v4.0.0”, which matches in the vulnerable range. I think we will have to have an exclusion mechanism to allow those exact matches on mutable tags.

The structure will support something like “non_vulnerable_exact_versions” https://github.com/boostsecurityio/poutine/blob/main/opa/rego/external/osv.rego#L17

We don’t have so much bandwidth to fix this in the next 2 weeks. If you’d like to contribute a PR we’ll be happy to review it. Otherwise hopefully we can get to that before Christmas.

Cheers
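The expansion and the proposed exclusion from the comment above, as an added Go example that is not poutine's own code (poutine's matching lives in Rego); the `Advisory` type, its field names and any range values used with it are assumptions for illustration, not the project's schema or the real advisory data.

```go
package main
import (
	"strconv"
	"strings"
)

// Advisory is a constructed stand-in for one OSV range (>= Introduced, < Fixed).
type Advisory struct {
	Introduced, Fixed          string
	NonVulnerableExactVersions []string // mutable tags trusted as-is, e.g. "v4"
}

// versionKey maps "v4", "4.1" or "v4.1.2" to one comparable integer. Missing parts
// become 0 (the "v4" -> "v4.0.0" expansion); non-semver refs such as SHAs return false.
func versionKey(ref string) (int, bool) {
	parts := strings.Split(strings.TrimPrefix(ref, "v"), ".")
	if len(parts) > 3 {
		return 0, false
	}
	for len(parts) < 3 {
		parts = append(parts, "0")
	}
	key := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, true
}

// InRange is the current behaviour: expand the ref, then compare it against the range.
func InRange(adv Advisory, ref string) bool {
	v, ok := versionKey(ref)
	lo, _ := versionKey(adv.Introduced)
	hi, _ := versionKey(adv.Fixed)
	return ok && v >= lo && v < hi
}

// IsVulnerable adds the proposed exclusion: a listed mutable tag is cleared before expansion.
func IsVulnerable(adv Advisory, ref string) bool {
	for _, ex := range adv.NonVulnerableExactVersions {
		if ref == ex {
			return false
		}
	}
	return InRange(adv, ref)
}
```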
