Open
As in the old issue #196, I validated all current CVEs against the (bundled) schema.
I found that the 'repo' property (line 337) is validated against the uri format (following the json-schema definition, this should be verified against RFC 3986).
In my understanding, git repo URIs don't strictly validate against RFC 3986, as seen in the code comment here ('a slightly looser check'). The examples I have tried indeed fail on tools like here.
This means validation fails for (currently) 346 CVEs. Examples are:
- CVE-2025-6454 with "repo": "git://[email protected]:gitlab-org/gitlab.git". See the GitLab 'clone with SSH' option for the matching URI.
- CVE-2025-9341 with "repo": "ssh://[email protected]:bc-fips-2.1.X-java.git"
- ...
- CVE-2022-4343, again GitLab.
As a workaround, I relaxed the validation specifically for the 'repo' field, and as a result, every CVE was valid.
I have not been able to find a good 'git URL' definition, by the way. This is already pretty far down the rabbit hole for me.
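To make the distinction in this report concrete, here is an added example (not code from the issue author, the CVE project, or its bundled schema) that checks a 'repo' value two ways: strictly, as an RFC 3986 absolute URI, which is what a JSON Schema `"format": "uri"` demands, and loosely, against the transport syntaxes git itself accepts (`scheme://[user@]host[:port]/path`, the `scheme://[user@]host:path` hybrid seen in the examples above, and scp-like `[user@]host:path`). The looser rule is my own reading of git's documented syntaxes, not the project's definition. The sample records are constructed with placeholder CVE ids and `example.com` hosts; they only mirror the shape of the values quoted in the issue.

```python
"""Strict RFC 3986 URI check versus a looser git-repository URL check.

Added illustration: the patterns are hand-written from the grammar in
RFC 3986 Appendix A and from the transport syntaxes listed in git-clone(1).
They are not the CVE project's code or its schema.
"""
import re

# --- Strict RFC 3986 absolute URI (what a JSON Schema "uri" format requires) ---
SCHEME = r"[A-Za-z][A-Za-z0-9+.\-]*"
UNRESERVED = r"A-Za-z0-9\-._~"
SUB_DELIMS = r"!$&'()*+,;="
PCT_ENCODED = r"%[0-9A-Fa-f]{2}"
USERINFO = rf"(?:[{UNRESERVED}{SUB_DELIMS}:]|{PCT_ENCODED})*"
REG_NAME = rf"(?:[{UNRESERVED}{SUB_DELIMS}]|{PCT_ENCODED})*"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"  # IPv6 literal, simplified
HOST = rf"(?:{IP_LITERAL}|{IPV4}|{REG_NAME})"
# The port is *DIGIT only: this is the rule that "host:org/repo.git" breaks.
AUTHORITY = rf"(?:{USERINFO}@)?{HOST}(?::\d*)?"
PCHAR = rf"(?:[{UNRESERVED}{SUB_DELIMS}:@]|{PCT_ENCODED})"
PATH_ABEMPTY = rf"(?:/{PCHAR}*)*"
PATH_ABSOLUTE = rf"/(?:{PCHAR}+(?:/{PCHAR}*)*)?"
PATH_ROOTLESS = rf"{PCHAR}+(?:/{PCHAR}*)*"
HIER_PART = rf"(?://{AUTHORITY}{PATH_ABEMPTY}|{PATH_ABSOLUTE}|{PATH_ROOTLESS}|)"
QUERY_OR_FRAGMENT = rf"(?:{PCHAR}|[/?])*"
URI_RE = re.compile(
    rf"^{SCHEME}:{HIER_PART}(?:\?{QUERY_OR_FRAGMENT})?(?:#{QUERY_OR_FRAGMENT})?$"
)


def is_rfc3986_uri(value: str) -> bool:
    """True if value is a syntactically valid absolute URI per RFC 3986."""
    return URI_RE.fullmatch(value) is not None


# --- Looser check modelled on git's transport syntaxes (my assumption, not
#     the project's rule) ---
GIT_SCHEMES = {"git", "ssh", "http", "https", "ftp", "ftps", "git+ssh", "ssh+git"}
HOSTISH = r"[A-Za-z0-9.\-]+"
# scheme://[user@]host[:port]/path, or the hybrid scheme://[user@]host:path
SCHEME_FORM = re.compile(
    rf"^(?P<scheme>{SCHEME})://(?:[^@/\s]+@)?{HOSTISH}(?::\d+)?(?:[/:][^\s]*)?$"
)
# scp-like [user@]host:path (no scheme); git treats this as ssh
SCP_FORM = re.compile(rf"^(?:[^@/\s]+@)?{HOSTISH}:(?!//)[^\s]*$")


def is_git_repo_url(value: str) -> bool:
    """True if value has one of the shapes git clone accepts for a remote."""
    m = SCHEME_FORM.match(value)
    if m:
        return m.group("scheme").lower() in GIT_SCHEMES
    return SCP_FORM.match(value) is not None


# Constructed sample records: placeholder ids, example.com hosts, but the same
# shapes as the repo values quoted in the issue.
SAMPLE_RECORDS = [
    ("CVE-EXAMPLE-0001", "git://git@example.com:org/repo.git"),  # hybrid form
    ("CVE-EXAMPLE-0002", "ssh://git@example.com:repo.git"),  # hybrid form
    ("CVE-EXAMPLE-0003", "git@example.com:org/repo.git"),  # scp-like
    ("CVE-EXAMPLE-0004", "https://example.com/org/repo.git"),  # plain URI
    ("CVE-EXAMPLE-0005", "ssh://git@example.com:22/org/repo.git"),  # URI, numeric port
    ("CVE-EXAMPLE-0006", "not a url at all"),  # should fail both checks
]


def validate_repo_fields(records, relaxed: bool = False) -> list[str]:
    """Return the ids whose 'repo' value fails the chosen check."""
    check = is_git_repo_url if relaxed else is_rfc3986_uri
    return [cve_id for cve_id, repo in records if not check(repo)]


if __name__ == "__main__":
    print("strict (RFC 3986) failures :", validate_repo_fields(SAMPLE_RECORDS))
    print("relaxed (git URL) failures :", validate_repo_fields(SAMPLE_RECORDS, relaxed=True))
```

Under the strict check the hybrid and scp-like records fail because everything after the host colon must be a numeric port, while the relaxed check rejects only the record that is not a repository reference at all; that matches the report above, where relaxing validation of the 'repo' field alone made every CVE valid. A schema that keeps `"format": "uri"` for 'repo' will therefore keep rejecting values that git itself accepts, so the relaxed rule (or a pattern like the one here) is the thing to put in the schema if those values are considered legitimate.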