hamba · nrwiersma · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/govulncheck/parse.go b/govulncheck/parse.go
@@ -7,7 +7,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"strings"
 
 	"golang.org/x/mod/semver"
 )
@@ -47,8 +46,7 @@ type Fix struct {
 // Parse reads govulncheck -json output from r and returns a map of module path
 // to Fix. Only finding messages are considered; modules whose vulnerable
 // symbols are never called are not included. The Fix.Version field uses the
-// module's native version prefix: "v1.2.3" for regular modules, "go1.x.y"
-// for stdlib and toolchain.
+// module's native version prefix: "v1.2.3".
 func Parse(r io.Reader) (map[string]Fix, error) {
 	dec := json.NewDecoder(r)
 
@@ -76,7 +74,7 @@ func Parse(r io.Reader) (map[string]Fix, error) {
 		ver := msg.Finding.FixedVersion
 
 		f := fixes[mod]
-		if f.Version == "" || semver.Compare("v"+normalizeVersion(ver), "v"+normalizeVersion(f.Version)) > 0 {
+		if f.Version == "" || semver.Compare(ver, f.Version) > 0 {
 			f.Version = ver
 		}
 
@@ -108,12 +106,6 @@ func hasOSV(osvs []OSV, id string) bool {
 	return false
 }
 
-func normalizeVersion(v string) string {
-	v = strings.TrimPrefix(v, "v")
-	v = strings.TrimPrefix(v, "go")
-	return v
-}
-
 // These types mirror the internal message protocol of golang.org/x/vuln,
 // which is not importable externally.
 

diff --git a/govulncheck/parse_test.go b/govulncheck/parse_test.go
@@ -26,13 +26,13 @@ func TestParse_ParsesFixes(t *testing.T) {
 			name:    "stdlib vulnerability",
 			file:    "testdata/stdlib.json",
 			wantMod: "stdlib",
-			wantVer: "go1.22.3",
+			wantVer: "v1.22.3",
 		},
 		{
 			name:    "toolchain vulnerability",
 			file:    "testdata/toolchain.json",
 			wantMod: "toolchain",
-			wantVer: "go1.23.0",
+			wantVer: "v1.23.0",
 		},
 		{
 			name:    "multiple vulnerabilities picks highest fixed version per module",

diff --git a/govulncheck/testdata/stdlib.json b/govulncheck/testdata/stdlib.json
@@ -1,4 +1,4 @@
 {"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","scanner_version":"v1.3.0","db":"https://vuln.go.dev","scan_level":"symbol","scan_mode":"source"}}
 {"osv":{"id":"GO-2024-0002","aliases":["CVE-2024-99999"],"summary":"HTTP/2 server memory exhaustion in stdlib","references":[{"type":"ADVISORY","url":"https://pkg.go.dev/vuln/GO-2024-0002"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2024-99999"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.22.3"}]}]}]}}
-{"finding":{"osv":"GO-2024-0002","fixed_version":"go1.22.3","trace":[{"module":"stdlib","version":"go1.21.0"}]}}
+{"finding":{"osv":"GO-2024-0002","fixed_version":"v1.22.3","trace":[{"module":"stdlib","version":"v1.21.0"}]}}
 
diff --git a/govulncheck/testdata/toolchain.json b/govulncheck/testdata/toolchain.json
@@ -1,4 +1,4 @@
 {"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","scanner_version":"v1.3.0","db":"https://vuln.go.dev","scan_level":"symbol","scan_mode":"source"}}
 {"osv":{"id":"GO-2024-0003","aliases":["CVE-2024-88888"],"summary":"Toolchain build cache poisoning","references":[{"type":"ADVISORY","url":"https://pkg.go.dev/vuln/GO-2024-0003"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.23.0"}]}]}]}}
-{"finding":{"osv":"GO-2024-0003","fixed_version":"go1.23.0","trace":[{"module":"toolchain","version":"go1.22.0"}]}}
+{"finding":{"osv":"GO-2024-0003","fixed_version":"v1.23.0","trace":[{"module":"toolchain","version":"go1.22.0"}]}}
 
diff --git a/modfix/apply.go b/modfix/apply.go
@@ -8,6 +8,8 @@ import (
 	"os"
 	"os/exec"
 	"strings"
+
+	"github.com/hamba/vulnfix/govulncheck"
 )
 
 // Apply upgrades the modules in fixes to their fixed versions in dir.
@@ -28,12 +30,12 @@ func Apply(ctx context.Context, dir string, fixes map[string]string) error {
 
 func moduleArg(mod, ver string) string {
 	switch mod {
-	case "stdlib":
+	case govulncheck.GoStdModulePath:
 		// ver is "go1.22.3"; "go get go@1.22.3" updates the go directive in go.mod.
-		return "go@" + strings.TrimPrefix(ver, "go")
-	case "toolchain":
+		return "go@" + strings.TrimPrefix(ver, "v")
+	case govulncheck.GoToolchainPath:
 		// ver is "go1.23.0"; "go get toolchain@go1.23.0" updates the toolchain directive.
-		return "toolchain@" + ver
+		return "toolchain@go" + strings.TrimPrefix(ver, "v")
 	default:
 		return mod + "@" + ver
 	}

diff --git a/modfix/apply_test.go b/modfix/apply_test.go
@@ -21,8 +21,8 @@ func TestApply(t *testing.T) {
 	copyDir(t, "testdata/apply", tmpDir)
 
 	fixes := map[string]string{
-		"stdlib":           "go1.22.3",
-		"toolchain":        "go1.23.0",
+		"stdlib":           "v1.22.3",
+		"toolchain":        "v1.23.0",
 		"golang.org/x/mod": "v0.8.0",
 	}