refactor: move CVSSv4 test from ghsa to osv package

CVSS_V4 is a standard OSV severity type, not unique to GHSA.
Move the test and test data to the osv package where the parsing
logic lives.

Author: knqyf263

pkg/vulnsrc/ghsa/ghsa_test.go

@@ -443,62 +443,6 @@ func TestVulnSrc_Update(t *testing.T) {
 					},
 					Value: map[string]any{},
 				},
-				// CVSSv4: Werkzeug advisory with both V3 and V4
-				{
-					Key: []string{
-						"data-source",
-						"pip::GitHub Security Advisory pip",
-					},
-					Value: types.DataSource{
-						ID:   vulnerability.GHSA,
-						Name: "GitHub Security Advisory pip",
-						URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip",
-					},
-				},
-				{
-					Key: []string{
-						"advisory-detail",
-						"CVE-2026-21860",
-						"pip::GitHub Security Advisory pip",
-						"werkzeug",
-					},
-					Value: types.Advisory{
-						VendorIDs: []string{
-							"GHSA-87hc-h4r5-73f7",
-						},
-						PatchedVersions:    []string{"3.1.5"},
-						VulnerableVersions: []string{"<3.1.5"},
-					},
-				},
-				{
-					Key: []string{
-						"vulnerability-detail",
-						"CVE-2026-21860",
-						"ghsa",
-					},
-					Value: types.VulnerabilityDetail{
-						Title:       "Werkzeug safe_join() allows Windows special device names with compound extensions",
-						Description: "Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces.",
-						References: []string{
-							"https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7",
-							"https://nvd.nist.gov/vuln/detail/CVE-2026-21860",
-						},
-						Severity:         types.SeverityMedium,
-						CvssVectorV3:     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-						CvssScoreV3:      5.3,
-						CvssVectorV40:    "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
-						CvssScoreV40:     6.3,
-						LastModifiedDate: utils.MustTimeParse("2026-02-02T19:57:31Z"),
-						PublishedDate:    utils.MustTimeParse("2026-01-08T19:51:21Z"),
-					},
-				},
-				{
-					Key: []string{
-						"vulnerability-id",
-						"CVE-2026-21860",
-					},
-					Value: map[string]any{},
-				},
 				// NuGet: store original and lowercased package names
 				{
 					Key: []string{

pkg/vulnsrc/osv/osv_test.go

@@ -101,6 +101,50 @@ func TestVulnSrc_Update(t *testing.T) {
 						},
 					},
 				},
+				// CVSSv4: advisory with both V3 and V4
+				{
+					Key: []string{
+						"advisory-detail",
+						"CVE-2026-21860",
+						"pip::Python Packaging Advisory Database",
+						"werkzeug",
+					},
+					Value: types.Advisory{
+						VendorIDs: []string{
+							"PYSEC-2026-1",
+						},
+						PatchedVersions:    []string{"3.1.5"},
+						VulnerableVersions: []string{"<3.1.5"},
+					},
+				},
+				{
+					Key: []string{
+						"vulnerability-detail",
+						"CVE-2026-21860",
+						string(vulnerability.OSV),
+					},
+					Value: types.VulnerabilityDetail{
+						Title:        "Werkzeug safe_join() allows Windows special device names with compound extensions",
+						Description:  "Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces.",
+						CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+						CvssScoreV3:  5.3,
+						CvssVectorV40: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
+						CvssScoreV40: 6.3,
+						References: []string{
+							"https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7",
+							"https://nvd.nist.gov/vuln/detail/CVE-2026-21860",
+						},
+						LastModifiedDate: utils.MustTimeParse("2026-02-02T19:57:31Z"),
+						PublishedDate:    utils.MustTimeParse("2026-01-08T19:51:21Z"),
+					},
+				},
+				{
+					Key: []string{
+						"vulnerability-id",
+						"CVE-2026-21860",
+					},
+					Value: map[string]any{},
+				},
 			},
 			noBuckets: [][]string{
 				// skip withdrawn

…-87hc-h4r5-73f7/GHSA-87hc-h4r5-73f7.json …y/vuln-list/osv/python/PYSEC-2026-1.jsonpkg/vulnsrc/ghsa/testdata/happy/ghsa/advisories/github-reviewed/2026/01/GHSA-87hc-h4r5-73f7/GHSA-87hc-h4r5-73f7.json renamed to pkg/vulnsrc/osv/testdata/happy/vuln-list/osv/python/PYSEC-2026-1.json pkg/vulnsrc/ghsa/testdata/happy/ghsa/advisories/github-reviewed/2026/01/GHSA-87hc-h4r5-73f7/GHSA-87hc-h4r5-73f7.json renamed to pkg/vulnsrc/osv/testdata/happy/vuln-list/osv/python/PYSEC-2026-1.json

@@ -1,6 +1,5 @@
 {
-  "schema_version": "1.4.0",
-  "id": "GHSA-87hc-h4r5-73f7",
+  "id": "PYSEC-2026-1",
   "modified": "2026-02-02T19:57:31Z",
   "published": "2026-01-08T19:51:21Z",
   "aliases": [
@@ -48,14 +47,5 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21860"
     }
-  ],
-  "database_specific": {
-    "cwe_ids": [
-      "CWE-67"
-    ],
-    "severity": "MODERATE",
-    "github_reviewed": true,
-    "github_reviewed_at": "2026-01-08T19:51:21Z",
-    "nvd_published_at": "2026-01-08T19:15:59Z"
-  }
+  ]
 }