fix: validate severity/cvss mutual exclusivity for security advisories

advancedresearcharray · advancedresearcharray · commit a2f8099f8440 · 2026-06-08T03:43:55.000Z
GitHub's create advisory API requires exactly one of severity or
cvss_vector_string. Reject invalid combinations at the MCP layer with
clear errors, and add regression tests.
diff --git a/README.md b/README.md
@@ -1362,12 +1362,12 @@ The following sets of tools are available:
   - **Accepted OAuth Scopes**: `repo`, `security_events`
   - `credits`: Users credited for the advisory. (object[], optional)
   - `cveId`: The CVE ID to assign to the advisory. (string, optional)
-  - `cvssVectorString`: The CVSS vector string for the advisory. (string, optional)
+  - `cvssVectorString`: The CVSS vector string for the advisory. Exactly one of severity or cvssVectorString is required. (string, optional)
   - `cweIds`: Common Weakness Enumeration IDs (for example, ["CWE-79"]). (string[], optional)
   - `description`: A detailed description of the security advisory. (string, required)
   - `owner`: The owner of the repository. (string, required)
   - `repo`: The name of the repository. (string, required)
-  - `severity`: The severity of the advisory. (string, optional)
+  - `severity`: The severity of the advisory. Exactly one of severity or cvssVectorString is required. (string, optional)
   - `startPrivateFork`: Whether to create a temporary private fork for collaborating on a fix. (boolean, optional)
   - `summary`: A short summary of the security advisory. (string, required)
   - `vulnerabilities`: Affected products and version ranges. (object[], required)
@@ -1421,13 +1421,13 @@ The following sets of tools are available:
   - **Accepted OAuth Scopes**: `repo`, `security_events`
   - `credits`: Users credited for the advisory. (object[], optional)
   - `cveId`: The CVE ID to assign to the advisory. (string, optional)
-  - `cvssVectorString`: The CVSS vector string for the advisory. (string, optional)
+  - `cvssVectorString`: The CVSS vector string for the advisory. Cannot be set together with severity. (string, optional)
   - `cweIds`: Common Weakness Enumeration IDs (for example, ["CWE-79"]). (string[], optional)
   - `description`: A detailed description of the security advisory. (string, optional)
   - `ghsaId`: GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx). (string, required)
   - `owner`: The owner of the repository. (string, required)
   - `repo`: The name of the repository. (string, required)
-  - `severity`: The severity of the advisory. (string, optional)
+  - `severity`: The severity of the advisory. Cannot be set together with cvssVectorString. (string, optional)
   - `state`: The advisory state. Set to "published" to publish the advisory. (string, optional)
   - `summary`: A short summary of the security advisory. (string, optional)
   - `vulnerabilities`: Affected products and version ranges. (object[], optional)
diff --git a/pkg/github/security_advisories_write_test.go b/pkg/github/security_advisories_write_test.go
@@ -93,6 +93,36 @@ func Test_CreateRepositorySecurityAdvisory(t *testing.T) {
 			expectError:      false,
 			expectedAdvisory: mockAdvisory,
 		},
+		{
+			name: "successful advisory creation with cvss only",
+			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+				PostReposSecurityAdvisoriesByOwnerByRepo: expectRequestBody(t, map[string]any{
+					"summary":            "Stored XSS in Core",
+					"description":        "A stored XSS vulnerability in Core.",
+					"cvss_vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+					"vulnerabilities": []any{
+						map[string]any{
+							"package": map[string]any{
+								"ecosystem": "npm",
+								"name":      "example-package",
+							},
+							"vulnerable_version_range": "< 2.0.0",
+							"patched_versions":         "2.0.0",
+						},
+					},
+				}).andThen(mockResponse(t, http.StatusCreated, mockAdvisory)),
+			}),
+			requestArgs: map[string]any{
+				"owner":            "octo",
+				"repo":             "hello-world",
+				"summary":          "Stored XSS in Core",
+				"description":      "A stored XSS vulnerability in Core.",
+				"cvssVectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+				"vulnerabilities":  sampleAdvisoryVulnerabilities(),
+			},
+			expectError:      false,
+			expectedAdvisory: mockAdvisory,
+		},
 		{
 			name: "missing required summary",
 			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
