internal/genericosv: update tests to avoid racing

Recently, sorting of modules was introduced in ToReport() to produce
deterministic results. It made a practical assumption that if module
affected entries have the same name, their ranges will be different and
start different. But some test files have exactly the same version. It
seems they have different packages, so we extend the sorting based on
package names.

Change-Id: I8972d4fe8c2cc64ab37489bbf4d2a469adb77004
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/530375
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

internal/genericosv/report.go

@@ -290,7 +290,19 @@ func sortModules(ms []*report.Module) {
 			} else if len(vr2) == 0 {
 				return false
 			}
-			return version.Before(first(vr1), first(vr2))
+
+			v1, v2 := first(vr1), first(vr2)
+			if v1 == v2 {
+				pkgs1, pkgs2 := m1.Packages, m2.Packages
+				if len(pkgs1) == 0 {
+					return true
+				} else if len(pkgs2) == 0 {
+					return false
+				}
+				return pkgs1[0].Package < pkgs2[0].Package
+			}
+
+			return version.Before(v1, v2)
 		}
 		return m1.Module < m2.Module
 	})

internal/genericosv/testdata/yaml/GHSA-w4xh-w33p-4v29.yaml

@@ -3,11 +3,11 @@ modules:
     - module: github.com/git-lfs/git-lfs
       versions:
         - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6
-      packages:
-        - package: github.com/git-lfs/git-lfs/lfsapi
     - module: github.com/git-lfs/git-lfs
       versions:
         - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6
+      packages:
+        - package: github.com/git-lfs/git-lfs/lfsapi
 summary: GitHub Git LFS Improper Input Validation vulnerability
 description: |-
     GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary