fix: enforce severity/cvss validation for security advisory writes

Implement validateSeverityOrCVSS that was documented but missing from
the prior commit. Create requires exactly one of severity or
cvssVectorString; update rejects both together. Also require package
name in vulnerability schema per GitHub API.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: advancedresearcharray

README.md

@@ -1362,12 +1362,12 @@ The following sets of tools are available:
   - **Accepted OAuth Scopes**: `repo`, `security_events`
   - `credits`: Users credited for the advisory. (object[], optional)
   - `cveId`: The CVE ID to assign to the advisory. (string, optional)
-  - `cvssVectorString`: The CVSS vector string for the advisory. Exactly one of severity or cvssVectorString is required. (string, optional)
+  - `cvssVectorString`: The CVSS vector string for the advisory. (string, optional)
   - `cweIds`: Common Weakness Enumeration IDs (for example, ["CWE-79"]). (string[], optional)
   - `description`: A detailed description of the security advisory. (string, required)
   - `owner`: The owner of the repository. (string, required)
   - `repo`: The name of the repository. (string, required)
-  - `severity`: The severity of the advisory. Exactly one of severity or cvssVectorString is required. (string, optional)
+  - `severity`: The severity of the advisory. (string, optional)
   - `startPrivateFork`: Whether to create a temporary private fork for collaborating on a fix. (boolean, optional)
   - `summary`: A short summary of the security advisory. (string, required)
   - `vulnerabilities`: Affected products and version ranges. (object[], required)
@@ -1421,13 +1421,13 @@ The following sets of tools are available:
   - **Accepted OAuth Scopes**: `repo`, `security_events`
   - `credits`: Users credited for the advisory. (object[], optional)
   - `cveId`: The CVE ID to assign to the advisory. (string, optional)
-  - `cvssVectorString`: The CVSS vector string for the advisory. Cannot be set together with severity. (string, optional)
+  - `cvssVectorString`: The CVSS vector string for the advisory. (string, optional)
   - `cweIds`: Common Weakness Enumeration IDs (for example, ["CWE-79"]). (string[], optional)
   - `description`: A detailed description of the security advisory. (string, optional)
   - `ghsaId`: GitHub Security Advisory ID (format: GHSA-xxxx-xxxx-xxxx). (string, required)
   - `owner`: The owner of the repository. (string, required)
   - `repo`: The name of the repository. (string, required)
-  - `severity`: The severity of the advisory. Cannot be set together with cvssVectorString. (string, optional)
+  - `severity`: The severity of the advisory. (string, optional)
   - `state`: The advisory state. Set to "published" to publish the advisory. (string, optional)
   - `summary`: A short summary of the security advisory. (string, optional)
   - `vulnerabilities`: Affected products and version ranges. (object[], optional)

pkg/github/__toolsnaps__/create_repository_security_advisory.snap

@@ -114,7 +114,8 @@
                 }
               },
               "required": [
-                "ecosystem"
+                "ecosystem",
+                "name"
               ],
               "type": "object"
             },

pkg/github/__toolsnaps__/update_repository_security_advisory.snap

@@ -124,7 +124,8 @@
                 }
               },
               "required": [
-                "ecosystem"
+                "ecosystem",
+                "name"
               ],
               "type": "object"
             },

pkg/github/security_advisories_write.go

@@ -30,7 +30,7 @@ var securityAdvisoryPackageSchema = &jsonschema.Schema{
 			Description: "The package name.",
 		},
 	},
-	Required: []string{"ecosystem"},
+	Required: []string{"ecosystem", "name"},
 }
 
 var securityAdvisoryVulnerabilitySchema = &jsonschema.Schema{
@@ -162,6 +162,18 @@ func optionalStringPtr(value string) *string {
 	return &value
 }
 
+func validateSeverityOrCVSS(severity, cvssVectorString string, requireOne bool) error {
+	hasSeverity := severity != ""
+	hasCVSS := cvssVectorString != ""
+	if hasSeverity && hasCVSS {
+		return fmt.Errorf("severity and cvssVectorString cannot both be set")
+	}
+	if requireOne && !hasSeverity && !hasCVSS {
+		return fmt.Errorf("exactly one of severity or cvssVectorString must be provided")
+	}
+	return nil
+}
+
 func marshalRepositorySecurityAdvisoryResponse(advisory *github.SecurityAdvisory) (*mcp.CallToolResult, error) {
 	r, err := json.Marshal(advisory)
 	if err != nil {
@@ -301,6 +313,9 @@ func CreateRepositorySecurityAdvisory(t translations.TranslationHelperFunc) inve
 			if err != nil {
 				return utils.NewToolResultError(err.Error()), nil, nil
 			}
+			if err := validateSeverityOrCVSS(severity, cvssVectorString, true); err != nil {
+				return utils.NewToolResultError(err.Error()), nil, nil
+			}
 
 			requestBody := createRepositorySecurityAdvisoryRequest{
 				Summary:          summary,
@@ -464,6 +479,9 @@ func UpdateRepositorySecurityAdvisory(t translations.TranslationHelperFunc) inve
 			if err != nil {
 				return utils.NewToolResultError(err.Error()), nil, nil
 			}
+			if err := validateSeverityOrCVSS(severity, cvssVectorString, false); err != nil {
+				return utils.NewToolResultError(err.Error()), nil, nil
+			}
 
 			requestBody := updateRepositorySecurityAdvisoryRequest{}
 			if summary != "" {

pkg/github/security_advisories_write_test.go

@@ -137,6 +137,38 @@ func Test_CreateRepositorySecurityAdvisory(t *testing.T) {
 			expectError:    true,
 			expectedErrMsg: "missing required parameter: summary",
 		},
+		{
+			name: "missing severity and cvss",
+			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+				PostReposSecurityAdvisoriesByOwnerByRepo: mockResponse(t, http.StatusCreated, mockAdvisory),
+			}),
+			requestArgs: map[string]any{
+				"owner":           "octo",
+				"repo":            "hello-world",
+				"summary":         "Stored XSS in Core",
+				"description":     "A stored XSS vulnerability in Core.",
+				"vulnerabilities": sampleAdvisoryVulnerabilities(),
+			},
+			expectError:    true,
+			expectedErrMsg: "exactly one of severity or cvssVectorString must be provided",
+		},
+		{
+			name: "both severity and cvss set",
+			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+				PostReposSecurityAdvisoriesByOwnerByRepo: mockResponse(t, http.StatusCreated, mockAdvisory),
+			}),
+			requestArgs: map[string]any{
+				"owner":            "octo",
+				"repo":             "hello-world",
+				"summary":          "Stored XSS in Core",
+				"description":      "A stored XSS vulnerability in Core.",
+				"severity":         "high",
+				"cvssVectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+				"vulnerabilities":  sampleAdvisoryVulnerabilities(),
+			},
+			expectError:    true,
+			expectedErrMsg: "severity and cvssVectorString cannot both be set",
+		},
 		{
 			name: "API error handling",
 			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
@@ -150,6 +182,7 @@ func Test_CreateRepositorySecurityAdvisory(t *testing.T) {
 				"repo":            "hello-world",
 				"summary":         "Stored XSS in Core",
 				"description":     "A stored XSS vulnerability in Core.",
+				"severity":        "high",
 				"vulnerabilities": sampleAdvisoryVulnerabilities(),
 			},
 			expectError:    true,
@@ -261,6 +294,21 @@ func Test_UpdateRepositorySecurityAdvisory(t *testing.T) {
 			expectError:    true,
 			expectedErrMsg: "at least one of summary, description, vulnerabilities, cveId, cweIds, severity, cvssVectorString, credits, or state must be provided for update",
 		},
+		{
+			name: "both severity and cvss set on update",
+			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+				PatchReposSecurityAdvisoriesByOwnerByRepoByGhsaID: mockResponse(t, http.StatusOK, mockAdvisory),
+			}),
+			requestArgs: map[string]any{
+				"owner":            "octo",
+				"repo":             "hello-world",
+				"ghsaId":           "GHSA-xxxx-xxxx-xxxx",
+				"severity":         "high",
+				"cvssVectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+			},
+			expectError:    true,
+			expectedErrMsg: "severity and cvssVectorString cannot both be set",
+		},
 		{
 			name: "API error handling",
 			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
@@ -448,3 +496,19 @@ func Test_ParseAdvisoryVulnerabilities(t *testing.T) {
 		assert.Equal(t, "example-package", *vulns[0].Package.Name)
 	})
 }
+
+func Test_validateSeverityOrCVSS(t *testing.T) {
+	t.Run("create requires exactly one", func(t *testing.T) {
+		assert.NoError(t, validateSeverityOrCVSS("high", "", true))
+		assert.NoError(t, validateSeverityOrCVSS("", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", true))
+		assert.Error(t, validateSeverityOrCVSS("", "", true))
+		assert.Error(t, validateSeverityOrCVSS("high", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", true))
+	})
+
+	t.Run("update rejects both but allows neither", func(t *testing.T) {
+		assert.NoError(t, validateSeverityOrCVSS("", "", false))
+		assert.NoError(t, validateSeverityOrCVSS("high", "", false))
+		assert.NoError(t, validateSeverityOrCVSS("", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", false))
+		assert.Error(t, validateSeverityOrCVSS("high", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", false))
+	})
+}