nancy: Nancy does not work with full semver

  • What are you trying to do?

I am trying to resolve a CVE in my go mod:

$ go list -m all | nancy -quiet
------------------------------------------------------------
[15/26] pkg:golang/github.com/opencontainers/runc@1.0.0-rc9  [Vulnerable]    1 known vulnerabilities affecting installed version

[CVE-2019-5736]  Containment Errors (Container Errors)
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

ID:d089f726-f419-4e72-ab60-05be37d02b68
Details:https://ossindex.sonatype.org/vuln/d089f726-f419-4e72-ab60-05be37d02b68
Audited dependencies: 26, Vulnerable: 1

However, go.mod and go.sum list 1.0.0-rc9, which is not listed as vulnerable in the index:

module github.com/ory/dockertest/v3

go 1.13

require (
	// ...
	github.com/opencontainers/runc v1.0.0-rc9
	// ...
)

github.com/opencontainers/runc v1.0.0-rc9 h1:/k06BMULKF5hidyoZymkoDCzdJzltZpz/UU4LguQVtc=
github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
  • How could we solve this issue? (Not knowing is okay!)

Nancy should be able to differentiate between pre-releases such as alpha, alpha1, alpha.1, rc, …

  • Anything else?

cc @bhamail / @DarthHater
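For readers of this issue, here is an added, self-contained example (not Nancy's code, not from the reporter) of the semver 2.0.0 pre-release ordering that a scanner needs in order to tell rc9 from rc6. The `Version`, `Parse`, `Compare` and `AffectedThrough` names are this example's own; the one liberty it takes is treating a two-component core such as the CVE text's "1.0-rc6" as "1.0.0-rc6", which is an assumption made here so the advisory string can be parsed at all.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed semver 2.0.0 version: MAJOR.MINOR.PATCH plus optional
// dot-separated pre-release identifiers. Build metadata (after "+") is
// dropped, since the spec gives it no ordering weight.
type Version struct {
	Nums [3]int
	Pre  []string
}

// Parse accepts "v1.2.3-rc.1" or "1.2.3-rc.1". A missing PATCH (as in the
// advisory's "1.0-rc6") is treated as 0; that normalization is an assumption
// of this example, not something the semver grammar permits.
func Parse(s string) (Version, error) {
	var v Version
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	core := s
	if i := strings.IndexByte(s, '-'); i >= 0 {
		core, v.Pre = s[:i], strings.Split(s[i+1:], ".")
	}
	parts := strings.Split(core, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("bad version core %q", core)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad component %q in %q", p, s)
		}
		v.Nums[i] = n
	}
	return v, nil
}

func isNumeric(s string) bool {
	if s == "" {
		return false
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

func cmpInt(x, y int) int {
	switch {
	case x < y:
		return -1
	case x > y:
		return 1
	}
	return 0
}

// compareIdent applies spec rule 11 to one identifier: digit-only
// identifiers compare numerically, anything with letters compares lexically
// in ASCII order, and a numeric identifier sorts below an alphanumeric one.
// Consequence worth knowing: "rc10" < "rc9" because '1' < '9' in ASCII.
func compareIdent(a, b string) int {
	an, bn := isNumeric(a), isNumeric(b)
	switch {
	case an && bn:
		x, _ := strconv.Atoi(a)
		y, _ := strconv.Atoi(b)
		return cmpInt(x, y)
	case an:
		return -1
	case bn:
		return 1
	}
	return strings.Compare(a, b)
}

// Compare returns -1, 0 or 1. A pre-release sorts before the release it
// precedes; two pre-release lists compare identifier by identifier, and if
// all shared identifiers are equal the shorter list is the lower version.
func Compare(a, b Version) int {
	for i := 0; i < 3; i++ {
		if c := cmpInt(a.Nums[i], b.Nums[i]); c != 0 {
			return c
		}
	}
	switch {
	case len(a.Pre) == 0 && len(b.Pre) == 0:
		return 0
	case len(a.Pre) == 0:
		return 1
	case len(b.Pre) == 0:
		return -1
	}
	for i := 0; i < len(a.Pre) && i < len(b.Pre); i++ {
		if c := compareIdent(a.Pre[i], b.Pre[i]); c != 0 {
			return c
		}
	}
	return cmpInt(len(a.Pre), len(b.Pre))
}

// AffectedThrough reports whether installed is at or below the last version
// an advisory names as affected ("runc through 1.0-rc6").
func AffectedThrough(installed, through string) (bool, error) {
	iv, err := Parse(installed)
	if err != nil {
		return false, err
	}
	tv, err := Parse(through)
	if err != nil {
		return false, err
	}
	return Compare(iv, tv) <= 0, nil
}

func main() {
	// Constructed cases: the report's runc version against the advisory
	// range, the boundary version, and the alpha.1 vs alpha1 distinction.
	for _, c := range [][2]string{
		{"v1.0.0-rc9", "1.0-rc6"},
		{"v1.0.0-rc6", "1.0-rc6"},
		{"v1.0.0-alpha.1", "1.0.0-alpha1"},
	} {
		hit, err := AffectedThrough(c[0], c[1])
		fmt.Printf("%-16s affected through %-14s -> %v %v\n", c[0], c[1], hit, err)
	}
}
```

With this ordering, 1.0.0-rc9 is above 1.0-rc6 and is not flagged, while 1.0.0-rc6 and anything below it is. The lexical rule for alphanumeric identifiers is the one caveat to keep in mind when matching advisory ranges against tags such as runc's: per the spec, "rc10" sorts before "rc9", so an advisory range or a tag naming scheme that relies on "rc10" being newer than "rc9" will be mis-ordered by any spec-conforming comparator, including golang.org/x/mod/semver.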

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 22 (14 by maintainers)

Most upvoted comments

I was thinking like a ~/.nancy that either contained ignored entries or a pointer to that file.

No need to update repos if they have some magical global state to pull from (magical global state is the best way to do things, right?).