cybersecurity · intermediate · ~15 min · safe pentest lab

Count HIGH-severity entries in a mock CVE JSON feed

Pinned-substring matching with adjacency checks.

Challenge

Your job

Implement:

int count_high_severity(const char *json);

Walk the input one \n-delimited record at a time. For each record that contains the exact substring "severity":"HIGH", increment a counter. Return the total, or 0 for NULL.

Examples

'{"severity":"HIGH"}\n{"severity":"LOW"}\n' → 1
'{"severity":"HIGHEST"}\n' → 0 (must end in ", not EST)
'{"name":"HIGH"}\n' → 0 (key is name, not severity)

Hints

(concept) strstr(line, "\"severity\":\"HIGH\"") does most of the work. Check the byte right after the match is " (or end of line) — otherwise HIGHEST will match.
(common bug) Trusting strstr(line, "HIGH") alone. That gets fooled by HIGHER, HIGHEST, HIGHWAY, etc.

Why this matters

Triaging a CVE feed line-by-line with a pinned substring sweep is the fastest path from feed → alert. The lesson is in being precise about what you match.

Input format

A NUL-terminated string of \n-separated mock JSON records.

Output format

Count (>= 0). 0 on NULL.

Constraints

The full needle is "severity":"HIGH" followed by ". Match the closing quote.

Starter code

int count_high_severity(const char *json) {
    /* TODO */
    (void)json;
    return 0;
}

Common mistakes

Trusting strstr("HIGH") alone. Forgetting to advance past the match — infinite loop. Counting "name":"HIGH" because the key wasn't pinned.

Edge cases to handle

Trailing record without newline. Mixed-case (we only accept all-caps HIGH).

Complexity

O(n) where n is the input length.

Background lessons

Count HIGH-severity entries in a mock CVE feed

Up next

Score a URL for phishing structural smells

Solve this exercise in the browser editor — compile and run against the test harness, no setup required.