Describe the bug
The `severity[].type` field for a vulnerability in the OSV schema is defined as `string`:
https://github.com/ossf/osv-schema/blob/main/validation/schema.json#L320
However, an integer is returned in the OSV API response, breaking schema validation in consumer tools.
To Reproduce
- Request for vulnerabilities affecting js2py==0.74

```sh
curl -s -d \
  '{"package": {"name": "js2py", "ecosystem": "PyPI"}, "version": "0.74"}' \
  "https://api.osv.dev/v1/query" | jq '.vulns[0].severity'
```

- Observe numeric type in response

```json
{
  "type": 3,
  "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
```
Expected behaviour
As per the schema, `type` should be a string enum.
Screenshots
Additional context
N/A
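An added example, not part of the original report or the OSV project's code: a consumer-side guard that flags a non-string `severity[].type` before schema validation and, as an assumption, recovers the string type from the CVSS vector prefix in `score` rather than guessing what the integer means. The function names, the allowed-type set and the sample record are constructed for illustration.

```python
import re

# Assumed enum values for severity[].type; confirm against the schema.json
# version you validate with.
ALLOWED_TYPES = {"CVSS_V2", "CVSS_V3", "CVSS_V4"}

# CVSS v3.x and v4.0 vectors carry a "CVSS:<major>.<minor>/" prefix.
_PREFIX = re.compile(r"^CVSS:(\d)\.\d/")


def infer_type_from_score(score):
    """Best-effort guess of the severity type from the vector string."""
    if not isinstance(score, str):
        return None
    m = _PREFIX.match(score)
    if m:
        return {"3": "CVSS_V3", "4": "CVSS_V4"}.get(m.group(1))
    # CVSS v2 vectors have no prefix and use the Au (Authentication) metric.
    if score.startswith("AV:") and "/Au:" in score:
        return "CVSS_V2"
    return None


def check_severity(vuln):
    """Return (findings, repaired severity list) for one OSV record."""
    findings, repaired = [], []
    for i, entry in enumerate(vuln.get("severity") or []):
        fixed = dict(entry)
        t = entry.get("type")
        if not isinstance(t, str):
            findings.append(
                f"severity[{i}].type is {type(t).__name__} {t!r}, expected string")
            guess = infer_type_from_score(entry.get("score"))
            if guess:
                fixed["type"] = guess  # repaired from the score, not from the integer
        elif t not in ALLOWED_TYPES:
            findings.append(f"severity[{i}].type {t!r} is not a known enum value")
        repaired.append(fixed)
    return findings, repaired


# Constructed sample mirroring the response shown in the report above.
SAMPLE = {"id": "EXAMPLE-0000", "severity": [{
    "type": 3,
    "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}

if __name__ == "__main__":
    issues, fixed = check_severity(SAMPLE)
    print(issues, fixed[0]["type"])
```

Logging the findings alongside the repaired record keeps the upstream mismatch visible instead of silently masking it.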