@@ -374,19 +374,23 @@ def test_nvd_format_data_malformed_cvss_vector():
374374 [
375375 "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" ,
376376 "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" ,
377- ], # Wrong version prefix
377+ ], # Valid v3.0 vector
378378 [
379- "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:HSC :H/SI:H/SA:H" ,
380- "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:HSC :H/SI:H/SA:H" ,
381- ], # No delimiter between VA and SC
379+ "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC :H/SI:H/SA:H" ,
380+ "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC :H/SI:H/SA:H" ,
381+ ], # Valid v4.0 vector
382382 [
383383 "CVSS:40/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" ,
384384 "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" ,
385385 ], # Missing decimal in version
386386 [
387- "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/<script>alert(1)</script>" ,
388- "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/alert(1)" ,
389- ], # Injection attempt - updated expected result
387+ "<script>CVSS:4.0/AV:N/AC:L/AT:N</script>" ,
388+ "CVSS:4.0/AV:N/AC:L/AT:N" ,
389+ ],
390+ [
391+ "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H#$%^&" ,
392+ "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" ,
393+ ],
390394 ["" , "" ], # Empty string
391395 ]
392396
@@ -413,12 +417,14 @@ def test_nvd_format_data_malformed_cvss_vector():
413417
414418 severity_data , _ = nvd .format_data ([cve_item ])
415419
416- assert len (severity_data ) == 1
420+ # Skip empty cases
421+ if not vector :
422+ assert severity_data [0 ]["CVSS_vector" ] == expected
423+ continue
424+
417425 # Check that the vector was cleaned as expected
418426 assert severity_data [0 ]["CVSS_vector" ] == expected
419- assert (
420- severity_data [0 ]["CVSS_version" ] == 4
421- ) # Should still use the specified version
427+ assert severity_data [0 ]["CVSS_version" ] == 4
422428
423429
424430def test_nvd_format_data_mixed_cvss_metrics ():
0 commit comments