Add a 'test_ref' attribute to the 'cve' elements in the advisory, pointing to the test in which that particular CVE is tested, for the package OVAL format.
Also, rename the severity to priority and add cvss_score:
<advisory>
<rights>Copyright (C) 2023 Canonical Ltd.</rights>
<component>universe</component>
<current_version>1:10.0.0+r36-9</current_version>
<cve href="https://ubuntu.com/security/CVE-2016-3861" priority="medium" public="20160911" cvss_score="7.8" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700000">CVE-2016-3861</cve>
<cve href="https://ubuntu.com/security/CVE-2016-6762" priority="medium" public="20170112" cvss_score="7.8" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700010">CVE-2016-6762</cve>
<cve href="https://ubuntu.com/security/CVE-2017-0647" priority="low" public="20170614" cvss_score="5.5" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" cvss_severity="medium" test_ref="oval:com.ubuntu.jammy:tst:22040002700020">CVE-2017-0647</cve>
<cve href="https://ubuntu.com/security/CVE-2017-0841" priority="medium" public="20171116" cvss_score="7.8" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700010">CVE-2017-0841</cve>
</advisory>
...
<criteria operator="OR">
<criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700000" comment="(CVE-2016-3861) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:7.0.0+r1-4')."/>
<criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700010" comment="(CVE-2016-6762) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:8.1.0+r3-5')."/>
<criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700020" comment="(CVE-2017-0647) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:7.0.0+r33-2')."/>
<criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700010" comment="(CVE-2017-0841) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:8.1.0+r3-5')."/>
</criteria>
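Added example, not part of the merge request or the project's own code: a consumer-side check that follows each `cve` element's `test_ref` to its `criterion` and reports any reference that resolves to nothing. It assumes un-namespaced elements as in the fragment above; the `<definition>` wrapper, the `resolve_cves` name and the `CVE-0000-0000` entry are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the fragment above, wrapped in a hypothetical
# <definition> root so it parses as one document. CVE-0000-0000 is a made-up
# entry whose test_ref has no matching criterion.
SAMPLE = """<definition>
<advisory>
<cve href="https://ubuntu.com/security/CVE-2016-3861" priority="medium" cvss_score="7.8" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700000">CVE-2016-3861</cve>
<cve href="https://ubuntu.com/security/CVE-2016-6762" priority="medium" cvss_score="7.8" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700010">CVE-2016-6762</cve>
<cve href="https://ubuntu.com/security/CVE-2017-0841" priority="medium" cvss_score="7.8" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700010">CVE-2017-0841</cve>
<cve href="https://ubuntu.com/security/CVE-0000-0000" priority="low" cvss_score="5.5" cvss_severity="medium" test_ref="oval:com.ubuntu.jammy:tst:99999999999999">CVE-0000-0000</cve>
</advisory>
<criteria operator="OR">
<criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700000" comment="(CVE-2016-3861) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:7.0.0+r1-4')."/>
<criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700010" comment="(CVE-2016-6762) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:8.1.0+r3-5')."/>
<criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700010" comment="(CVE-2017-0841) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:8.1.0+r3-5')."/>
</criteria>
</definition>"""

NOTE_RE = re.compile(r"\(note: '([^']+)'\)")  # fixed version inside the criterion comment

def resolve_cves(xml_text):
    """Return (resolved, dangling): per-CVE details, and CVEs whose test_ref matches no criterion."""
    root = ET.fromstring(xml_text)
    fixed_by_test = {}
    for crit in root.iter("criterion"):
        m = NOTE_RE.search(crit.get("comment", ""))
        fixed_by_test[crit.get("test_ref")] = m.group(1) if m else None
    resolved, dangling = {}, []
    for cve in root.iter("cve"):
        ref = cve.get("test_ref")
        if ref not in fixed_by_test:
            dangling.append(cve.text)  # reference points at no test in this definition
            continue
        resolved[cve.text] = {
            "test_ref": ref,
            "fixed_version": fixed_by_test[ref],
            "priority": cve.get("priority"),
            "cvss_score": cve.get("cvss_score"),
            "cvss_severity": cve.get("cvss_severity"),
        }
    return resolved, dangling

if __name__ == "__main__":
    resolved, dangling = resolve_cves(SAMPLE)
    print(resolved)
    print("dangling test_ref:", dangling)
```

Two CVEs can share one `test_ref` when they were fixed in the same package version, and `priority` and `cvss_severity` are independent fields, so a consumer should not treat either as unique or interchangeable.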
Thanks, David!
As shown in the CI results, there are some tests that will need fixing before we merge this. Could you please include that?