CVSS v4 parsing issues with OSV

[ctron]

Taking a look at the DS4 dump generator logs, I see a lot of lines like this:

2026-02-17T13:26:33.205309Z WARN run_sync:walk:ingest:load:load: Failed to parse CVSSv4 vector 'CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X': InvalidMetricValue { metric: "CR", value: "X" } base="/mnt/data/builder/work/wd/osv/https%3A%2F%2Fgithub.com%2Fgithub%2Fadvisory-database/advisories" labels=Labels({"importer": "run", "file": "unreviewed/2024/11/GHSA-4fhq-hj5g-3c47/GHSA-4fhq-hj5g-3c47.json", "source": "https://github.com/github/advisory-database"}) digests=Digests { sha512: SHA512:e3403fe8cdab47c1389d74ca3075c24277c3bd59503393c0fe5818c8c854269a31d04477f8ca964f5924abe768ad8302ec3a752f280ab3870f11491cbda5dad4, sha384: SHA384:430462f8b12d27abc92d785f1d594089aac123017095a6d00f9cd75c65b13ab691ad9d1515f6d42daa822933c590ca8b, sha256: SHA256:744fc2fae30d6ea2c7248e...

Not sure this is a data issue, or an issue with our cvss handling.

[helio-frota]

I saw this with osv importer other day:

1. AUTH_DISABLED=true cargo run --bin trustd
2. AUTH_DISABLED=true cargo run --bin trustd importer --db-port $(ss -ltnp | sed '/^$/d' | awk '/postgres/ {print $4}' | cut -d: -f2 | sed '/^$/d')
3. Enable

4. Result:

[himasree424]

I've traced this issue - it's a bug in the cvss-rs crate that Trustify uses for parsing CVSS vectors. The parser incorrectly rejects "X" (Not Defined) values for CVSS v4 supplemental metrics like CR, IR, AR, etc., even though "X" is a valid value according to the CVSS v4.0 specification.

I've submitted PR in the cvss-rs repository. Once that's merged and released, we can update Trustify's dependency and the warnings will go away.