From 316c0e9a1105cf2b5ae912d6cc0e29018511a579 Mon Sep 17 00:00:00 2001
From: Dan Luhring
Date: Thu, 30 May 2024 13:59:00 -0400
Subject: [PATCH] fix: main mod pseudo version default off (#1894)

Signed-off-by: Dan Luhring
---
 README.md                      | 3 ++-
 cmd/grype/cli/options/match.go | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 8d39ec6b9ff..bb69b6aba18 100644
--- a/README.md
+++ b/README.md
@@ -855,7 +855,8 @@ match:
       using-cpes: false
     # even if CPE matching is disabled, make an exception when scanning for "stdlib".
     always-use-cpe-for-stdlib: true
-    allow-main-module-pseudo-version-comparison: true
+    # allow main module pseudo versions, which may have only been "guessed at" by Syft, to be used in vulnerability matching
+    allow-main-module-pseudo-version-comparison: false
   stock:
     using-cpes: true
 ```

diff --git a/cmd/grype/cli/options/match.go b/cmd/grype/cli/options/match.go
index fe71e6f4a04..f789a5b4689 100644
--- a/cmd/grype/cli/options/match.go
+++ b/cmd/grype/cli/options/match.go
@@ -34,7 +34,7 @@ func defaultGolangConfig() golangConfig {
 			UseCPEs: false,
 		},
 		AlwaysUseCPEForStdlib:                  true,
-		AllowMainModulePseudoVersionComparison: true,
+		AllowMainModulePseudoVersionComparison: false,
 	}
 }
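Review bot: The flipped default `AllowMainModulePseudoVersionComparison: false` in defaultGolangConfig carries no comment in the Go source, while the README hunk in the same commit explains the reasoning; a reader of match.go alone cannot tell why the default changed or what is traded away. Suggest a comment above the field: `// Off by default: a main module's pseudo version may have been guessed by Syft, so comparing it against vulnerability ranges can report matches that do not reflect the real build.` Since this default silently changes which Go main-module findings are reported (fewer false positives, but a real vulnerability in a pseudo-versioned main module will no longer be surfaced unless the user opts in), it is worth pinning with a unit test such as `if defaultGolangConfig().AllowMainModulePseudoVersionComparison { t.Fatal("pseudo version comparison should default to off") }` so a later edit cannot regress it unnoticed. If the field has a flag description or help text elsewhere in this file that still states the old default, it would presumably need the same update. The signature of defaultGolangConfig is in the hunk header, outside the hunk.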