Failed to hydrate an OSV response due to an unexpected severity type format

[LeSuisse]

Full error: API query failed: failed to hydrate OSV response: json: cannot unmarshal number into Go struct field Severity.severity.type of type models.SeverityType

One of the dependency in the project I was scanning was vulnerable to GHSA-25hc-qcg6-38wj.

The API response exposes the severity in the CVSS 4 format:

$ curl https://api.osv.dev/v1/vulns/GHSA-25hc-qcg6-38wj | jq .severity
[
  {
    "type": "CVSS_V3",
    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
  },
  {
    "type": 3,
    "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
  }
]

The code seems to expects the string CVSS_V4 instead of the number 3 in this situation.

[another-rex]

This seems to be an issue with our API endpoint, I'll transfer the issue to our osv.dev repo.

[hogo6002]

same as #2331

[michaelkedar]

The API should now be fixed to return "type": "CVSS_V4"