containers.cna.source.defect has multiple data types

[jayjacobs]

The data in the field "containers.cna.source.defect" is stored in multiple different data types.

I will include a list of data types (with CVE counts): and a few samples here:

• list of str (2606): CVE-2019-0040, CVE-2020-1666, CVE-2021-31998, CVE-2022-42786, CVE-2023-24502
• list of list (2179): CVE-2021-1300, CVE-2020-3362, CVE-2018-0453, CVE-2019-12624, CVE-2020-3236
• list of length 0 (2): CVE-2021-32692, CVE-2022-3569
• str (17): CVE-2023-41705, CVE-2023-41703, CVE-2024-23187, CVE-2024-23191, CVE-2023-29052

I would suggest that we fix the data as it is stored and see if we can't add something in the schema to more strictly validate this field.

[sei-vsarvepalli]

Related to https://github.com/CVEProject/cve-schema/issues/339

The "source" section has no schema definitions at all. It is open-ended object perhaps? I am not sure if JSON schema actually is valid with an object that has no "properties" at all defined.