google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

OSV API Response is Inconsistent with Schema #2337

Closed abhisek closed 5 days ago

abhisek commented 1 week ago

Describe the bug

The severity[].type field for a vulnerability in OSV schema is defined as string https://github.com/ossf/osv-schema/blob/main/validation/schema.json#L320

However an integer is returned in the OSV API response breaking schema validation in consumer tools.

To Reproduce

curl -s -d \
  '{"package": {"name": "js2py", "ecosystem": "PyPI"}, "version": "0.74"}' \
  "https://api.osv.dev/v1/query" | jq '.vulns[0].severity'
{
  "type": 3,
  "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}

Expected behaviour

As per the schema, type should be a string enum:

CVSS_V2
CVSS_V3
CVSS_V4

Screenshots

[Screenshot attached: 2024-06-24 at 2:49:22 PM]

Additional context

N/A
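A consumer-side check for exactly this kind of schema drift, added here as an example and not part of the issue or of the osv.dev code base. It validates the severity[].type of each entry in a /v1/query response against the enum quoted above and, for CVSS_V3 and CVSS_V4, confirms that the score vector carries the matching "CVSS:x.y/" prefix; the sample response and the EXAMPLE-* ids are constructed.

```python
import json

# Allowed values for severity[].type per the OSV schema (quoted in the issue).
SEVERITY_TYPES = {"CVSS_V2", "CVSS_V3", "CVSS_V4"}

# Vector prefix each type is expected to carry. CVSS v2 vectors carry no
# "CVSS:x.y/" prefix, so only v3 and v4 are cross-checked against the score.
SCORE_PREFIXES = {"CVSS_V3": "CVSS:3.", "CVSS_V4": "CVSS:4.0/"}


def check_severity(vuln):
    """Return a list of human-readable schema problems for one vulnerability entry."""
    problems = []
    for i, sev in enumerate(vuln.get("severity", [])):
        t = sev.get("type")
        # The bug in this issue: an integer (3) arrives where a string enum is required.
        if not isinstance(t, str):
            problems.append(
                f"severity[{i}].type is {type(t).__name__} {t!r}, expected string enum")
            continue
        if t not in SEVERITY_TYPES:
            problems.append(f"severity[{i}].type {t!r} not in {sorted(SEVERITY_TYPES)}")
            continue
        prefix = SCORE_PREFIXES.get(t)
        score = sev.get("score", "")
        if prefix and not score.startswith(prefix):
            problems.append(f"severity[{i}].score {score!r} does not match type {t}")
    return problems


def check_response(body):
    """Validate every vulns[] entry of a /v1/query response body given as JSON text."""
    data = json.loads(body)
    return {v.get("id", f"vulns[{n}]"): check_severity(v)
            for n, v in enumerate(data.get("vulns", []))}


# Constructed sample modelled on the response quoted in the issue; not a real API reply.
SAMPLE = json.dumps({"vulns": [
    {"id": "EXAMPLE-1", "severity": [
        {"type": 3,
         "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]},
    {"id": "EXAMPLE-2", "severity": [
        {"type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H"}]},
]})

if __name__ == "__main__":
    for vid, probs in check_response(SAMPLE).items():
        print(vid, "OK" if not probs else "; ".join(probs))
```

In a consumer pipeline, run check_response on the raw body before handing it to a strict schema validator so that the failing entry is reported by id rather than as an opaque validation error.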

abhisek commented 1 week ago

This issue seems to be a data quality issue and related to https://github.com/google/osv.dev/issues/2331

michaelkedar commented 5 days ago

The API should now be correctly returning "type": "CVSS_V4" in these cases.

Thanks for reporting this! Let us know if you're still encountering this issue.