haskell / security-advisories

https://haskell.github.io/security-advisories/

osv: CVSS v2 vector string should not include version prefix #217

Closed frasertweedale closed 4 months ago

frasertweedale commented 4 months ago

Originally posted by @andrewpollock in https://github.com/ossf/osv-schema/issues/251#issuecomment-2224366177

Since #168 is what begat #178 a ~year ago, I figured I'd run this PR over all of the Haskell security advisories, and HSEC-2023-0003 doesn't (to me, legitimately) validate:

instance /usr/local/google/home/apollock/gosst/osv/security-advisories/2023/HSEC-2023-0003.json: failed
jsonschema validation failed with 'file:///usr/local/google/home/apollock/gosst/osv/osv-schema/validation/schema.json#'
- at '/affected/0/severity/0': allOf failed
  - at '/affected/0/severity/0/score': 'CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P' does not match pattern '^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H'

This is indeed a bug: the vector string should not include the prefix CVSS:2.0/. (Later versions of CVSS do include the prefix, but CVSS v2 does not).
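As an added illustration (not code from the security-advisories project or from this issue), the check below scans the `severity` entries of an OSV document for a CVSS v2 vector that carries the `CVSS:2.0/` prefix and strips it, while requiring the prefix for `CVSS_V3` entries. The v2 metric regex is a simplified stand-in assumed from the CVSS v2 base metrics, not the OSV schema's own pattern, and the sample document is constructed.

```python
import re

# CVSS v2 base metrics (assumption: temporal/environmental metrics are omitted).
CVSS_V2_METRIC = re.compile(r"^(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC])$")
CVSS_V2_PREFIX = "CVSS:2.0/"
# CVSS v3.x vectors, by contrast, must start with their version prefix.
CVSS_V3_PREFIX = re.compile(r"^CVSS:3\.[01]/")

def check_severity(entry):
    """Return the problems found in one OSV `severity` entry ([] if well-formed)."""
    problems = []
    stype, score = entry.get("type"), entry.get("score", "")
    if stype == "CVSS_V2":
        if score.startswith(CVSS_V2_PREFIX):
            problems.append("CVSS v2 vector must not carry the 'CVSS:2.0/' prefix")
            score = score[len(CVSS_V2_PREFIX):]
        bad = [m for m in score.split("/") if not CVSS_V2_METRIC.match(m)]
        if bad:
            problems.append("unknown CVSS v2 metric(s): " + ", ".join(bad))
    elif stype == "CVSS_V3":
        if not CVSS_V3_PREFIX.match(score):
            problems.append("CVSS v3 vector must start with 'CVSS:3.0/' or 'CVSS:3.1/'")
    else:
        problems.append("unsupported severity type: %r" % (stype,))
    return problems

def fix_severity(entry):
    """Return a copy of the entry with a stray 'CVSS:2.0/' prefix removed."""
    fixed = dict(entry)
    if fixed.get("type") == "CVSS_V2" and fixed.get("score", "").startswith(CVSS_V2_PREFIX):
        fixed["score"] = fixed["score"][len(CVSS_V2_PREFIX):]
    return fixed

def check_advisory(doc):
    """Report problems in an OSV document as (affected index, severity index, message)."""
    return [(i, j, msg)
            for i, aff in enumerate(doc.get("affected", []))
            for j, sev in enumerate(aff.get("severity", []))
            for msg in check_severity(sev)]

def fix_advisory(doc):
    """Return a copy of the OSV document with every severity entry normalised."""
    affected = [dict(aff, severity=[fix_severity(s) for s in aff.get("severity", [])])
                for aff in doc.get("affected", [])]
    return dict(doc, affected=affected)

# Constructed sample with the same shape as the failing HSEC-2023-0003 entry.
SAMPLE = {"affected": [{"severity": [{"type": "CVSS_V2",
                                      "score": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"}]}]}
```

Running `check_advisory` over each exported advisory before schema validation catches this class of error locally, and `fix_advisory` yields the corrected document.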