GHSA-jf66-3q76-h5p5: Malformed alias with trailing comma

[simon-reisinger-dynatrace]

Describe the bug
The advisory GHSA-jf66-3q76-h5p5 contains a malformed entry in its aliases array. The value GHSA-jf66-3q76-h5p5, includes a trailing comma, making it an invalid GHSA identifier.

To Reproduce

• Query the OSV API: GET https://api.osv.dev/v1/vulns/GHSA-jf66-3q76-h5p5
• Inspect the aliases field in the response
• Observe the second entry is GHSA-jf66-3q76-h5p5, (with a trailing comma)

Expected behaviour

The aliases array should not contain malformed identifiers. The entry should either be corrected to "GHSA-jf66-3q76-h5p5" or removed entirely, since referencing the advisory's own ID in its aliases is redundant.

Screenshots

"aliases": [
  "CVE-2022-1053",
  "GHSA-jf66-3q76-h5p5,",   <-- trailing comma in value
  "PYSEC-2022-184"
]

[jess-lowe]

Hey @simon-reisinger-dynatrace, thanks for finding this! This seems to be an issue with the upstream PYSEC record, so I have made a PR to fix it on the record directly.
I would suggest we add some form of linting for these but unfortunately it's not actually against the schema to have a ',' in an id. I might try bring it up in the next OSV-Schema working group that ',' should be an invalid character of an id.

[simon-reisinger-dynatrace]

Thanks a lot, @jess-lowe! Next time, I'll submit the fix directly upstream.

On the linting idea. Would it make sense to bring a more formal approach to the OSV Schema working group? Rather than just flagging invalid characters, we could define strict patterns for well-known ID types like CVE, GHSA, PYSEC, GO, etc., while still allowing a freeform fallback for lesser-known or future prefixes. Something along these lines:

"allOf":[
   {
      "title":"CVE — if prefix matches, full format is enforced",
      "if":{
         "pattern":"^CVE-"
      },
      "then":{
         "pattern":"^CVE-[0-9]{4}-[0-9]{4,}$",
         "description":"CVE identifier. Format: CVE-YYYY-NNNNN",
         "examples":[
            "CVE-2022-1053",
            "CVE-2021-44228"
         ]
      }
   },
   {
      "title":"GHSA — if prefix matches, full format is enforced",
      "if":{
         "pattern":"^GHSA-"
      },
      "then":{
         "pattern":"^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$",
         "description":"GitHub Security Advisory identifier. Format: GHSA-XXXX-XXXX-XXXX",
         "examples":[
            "GHSA-jf66-3q76-h5p5",
            "GHSA-m6fh-9qb5-6q7r"
         ]
      }
   },
   ..., // other ID patterns
   {
      "title":"Global safety rule",
      "description":"Regardless of prefix, all alias identifiers must only contain alphanumeric characters, hyphens, underscores, or dots.",
      "pattern":"^[A-Za-z0-9_\\-\\.]+$"
   }
]