google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

Failed to hydrate an OSV response due to an unexpected severity type format #2335

Closed LeSuisse closed 3 months ago

LeSuisse commented 3 months ago

Full error: API query failed: failed to hydrate OSV response: json: cannot unmarshal number into Go struct field Severity.severity.type of type models.SeverityType

One of the dependencies in the project I was scanning was vulnerable to GHSA-25hc-qcg6-38wj.

The API response exposes the severity in the CVSS 4 format:

$ curl https://api.osv.dev/v1/vulns/GHSA-25hc-qcg6-38wj | jq .severity
[
  {
    "type": "CVSS_V3",
    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
  },
  {
    "type": 3,
    "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
  }
]

The code seems to expect the string CVSS_V4 instead of the number 3 in this situation.
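As an added example (not code from osv.dev or from the reporter), the following Go decoder for the `severity.type` field accepts both the schema's string form and the bare enum number seen in the response above, and rejects anything else; it assumes the numbering 1=CVSS_V2, 2=CVSS_V3, 3=CVSS_V4, of which only 3 is confirmed by this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SeverityType is the string enum the OSV schema uses for severity.type.
type SeverityType string
// Assumed enum numbering: only 3 -> CVSS_V4 is confirmed by the issue; 1 and 2 are assumptions.
var severityTypeByNumber = map[int64]SeverityType{1: "CVSS_V2", 2: "CVSS_V3", 3: "CVSS_V4"}

// UnmarshalJSON accepts the canonical string form and, as a fallback, the bare
// enum number the API emitted in this issue; any other value is rejected.
func (s *SeverityType) UnmarshalJSON(b []byte) error {
	var str string
	if err := json.Unmarshal(b, &str); err == nil {
		for _, known := range severityTypeByNumber {
			if known == SeverityType(str) {
				*s = known
				return nil
			}
		}
		return fmt.Errorf("unknown severity type %q", str)
	}
	var n int64
	if err := json.Unmarshal(b, &n); err != nil {
		return fmt.Errorf("severity type must be a string or enum number, got %s", b)
	}
	t, ok := severityTypeByNumber[n]
	if !ok {
		return fmt.Errorf("unknown severity type enum value %d", n)
	}
	*s = t
	return nil
}
// Severity mirrors one entry of the OSV "severity" array.
type Severity struct {
	Type  SeverityType `json:"type"`
	Score string       `json:"score"`
}

// ParseSeverities decodes the "severity" array of an OSV record.
func ParseSeverities(raw []byte) ([]Severity, error) {
	var sevs []Severity
	err := json.Unmarshal(raw, &sevs)
	return sevs, err
}
// sampleResponse is the severity array copied from the curl output in the issue.
const sampleResponse = `[{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, {"type": 3, "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}]`
```

With the plain `string`-backed type the second entry fails exactly as in the reported error; with the custom unmarshaller it hydrates to CVSS_V4 while a value such as `9` or `true` still returns an error instead of a silently empty severity.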

another-rex commented 3 months ago

This seems to be an issue with our API endpoint, I'll transfer the issue to our osv.dev repo.

hogo6002 commented 3 months ago

same as https://github.com/google/osv.dev/issues/2331

michaelkedar commented 3 months ago

The API should now be fixed to return "type": "CVSS_V4"