As in the old issue #196, I validated all current CVEs against the (bundled) schema.
I found the 'repo' property (line 337) is validated against the uri format (following the json-schema definition, this should be verified against RFC3986).
In my understanding, git repo URIs don't strictly validate against RFC3986, as seen in the code comment here 'a slightly looser check'. The examples I have tried indeed fail on tools like here.
This means validation fails for (currently) 346 CVEs. Examples are:
As a work-around I relaxed the validation specifically for the 'repo' field, and as a result, every CVE was valid.
I have not been able to find a good 'git url' definition btw. This is already pretty far down the rabbit hole for me.
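An added example, not code from this issue or from the schema project: a triage script that lists every 'repo' value in a set of records that fails a strict URI check, so the affected records can be counted before deciding how far to relax the schema. It assumes the field is found by key name anywhere in the record, uses a simplified RFC 3986 check (valid scheme plus permitted characters, no authority parsing), and runs on constructed sample records with placeholder ids and hosts.

```python
import re

# Simplified RFC 3986 "URI" check: a valid scheme, a colon, then only
# characters the RFC permits (unreserved, reserved, or %XX escapes).
# It does not parse the authority, so it is looser than a full validator.
_URI = re.compile(
    r"^[A-Za-z][A-Za-z0-9+.\-]*:"
    r"(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$"
)

def is_strict_uri(value):
    return isinstance(value, str) and bool(_URI.match(value))

def repo_values(node, path="$"):
    """Yield (json_path, value) for every key named 'repo' in a record."""
    if isinstance(node, dict):
        for key, child in node.items():
            here = f"{path}.{key}"
            if key == "repo":
                yield here, child
            else:
                yield from repo_values(child, here)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from repo_values(child, f"{path}[{i}]")

def failing_repos(records):
    """Map record id -> list of (path, value) that fail the strict check."""
    report = {}
    for rec_id, record in records.items():
        bad = [(p, v) for p, v in repo_values(record) if not is_strict_uri(v)]
        if bad:
            report[rec_id] = bad
    return report

# Constructed sample records (placeholder ids and hosts, not real CVE data).
SAMPLE = {
    "CVE-0000-0001": {"containers": {"cna": {"affected": [
        {"repo": "https://git.example.com/org/project.git"}]}}},
    "CVE-0000-0002": {"containers": {"cna": {"affected": [
        {"repo": "git@git.example.com:org/project.git"}]}}},   # scp-style
    "CVE-0000-0003": {"containers": {"cna": {"affected": [
        {"repo": "git.example.com/org/project"}]}}},           # no scheme
}

if __name__ == "__main__":
    for rec_id, bad in failing_repos(SAMPLE).items():
        for path, value in bad:
            print(f"{rec_id}\t{path}\t{value!r}")
```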