Safe Penetration Testing Labs · intermediate · ~15 min

Count HIGH-severity entries in a mock CVE feed

Walk a simplified JSON-ish feed and count entries with severity HIGH.

Overview

For each newline-delimited record, look for the literal "severity":"HIGH" substring and tally the lines that contain it.

Why it matters

Sometimes you don't need a JSON parser. A pinned substring sweep is enough to triage a thousand-entry feed.

Lesson

Why this matters

Vulnerability feeds (NVD, GHSA, vendor PSIRTs) are JSON. Reading them properly needs a JSON parser; for a quick read in a triage pipeline, you can get away with a substring sweep.

We won't ship a JSON parser here. We'll write the substring-sweep version so the auditor can spot HIGH-severity entries in a fixture file without pulling in a library.

What the file looks like

{"id":"CVE-2024-0001","severity":"LOW"}
{"id":"CVE-2024-0002","severity":"HIGH"}
{"id":"CVE-2024-0003","severity":"CRITICAL"}
{"id":"CVE-2024-0004","severity":"HIGH"}

Your job

Implement int count_high_severity(const char *json). Walk the input line by line; on each line that contains "severity":"HIGH" exactly, increment the counter. Return the count, or 0 for NULL.

Common mistakes

  • Matching HIGH against a line that contains "HIGHER". Pin the match: "severity":"HIGH" — start AND end of the value.
  • Treating "HIGH" in any field's value as a hit. Only the severity key counts.

What this is NOT

  • A JSON parser. Comments, escapes, whitespace variation — all ignored.
  • A CVSS scorer.

Summary

Line walker + one strstr per line. Pin both start and end of the value.
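
One way to write the line walker described above, as an added example rather than the lab's reference solution. SAMPLE_FEED and the MOCK-A / MOCK-B decoy records are constructed here to exercise the two common mistakes.

```c
#include <stdio.h>
#include <string.h>

/* Pinned needle: key, colon, and both quotes around the value. */
static const char NEEDLE[] = "\"severity\":\"HIGH\"";

int count_high_severity(const char *json)
{
    if (json == NULL)
        return 0;

    const size_t nlen = sizeof(NEEDLE) - 1;
    int count = 0;

    for (const char *line = json; *line != '\0'; ) {
        /* End of this record: the next newline, or the end of the buffer. */
        const char *eol = strchr(line, '\n');
        if (eol == NULL)
            eol = line + strlen(line);

        /* One strstr per line. It scans to the end of the buffer, so a hit
         * only counts when it ends at or before this line's end. */
        const char *hit = strstr(line, NEEDLE);
        if (hit == NULL)
            break;                      /* no match in any remaining line */
        if (hit + nlen <= eol)
            count++;                    /* at most one tally per line */

        line = (*eol == '\n') ? eol + 1 : eol;
    }
    return count;
}

/* Constructed fixture: the four records shown above plus two decoys.
 * The last record has no trailing newline. */
static const char SAMPLE_FEED[] =
    "{\"id\":\"CVE-2024-0001\",\"severity\":\"LOW\"}\n"
    "{\"id\":\"CVE-2024-0002\",\"severity\":\"HIGH\"}\n"
    "{\"id\":\"MOCK-A\",\"severity\":\"HIGHER\"}\n"
    "{\"id\":\"CVE-2024-0003\",\"severity\":\"CRITICAL\"}\n"
    "{\"id\":\"MOCK-B\",\"note\":\"HIGH\",\"severity\":\"LOW\"}\n"
    "{\"id\":\"CVE-2024-0004\",\"severity\":\"HIGH\"}";

int main(void)
{
    printf("HIGH entries: %d\n", count_high_severity(SAMPLE_FEED));
    return 0;
}
```

A record written as "severity": "HIGH" (with a space after the colon) is not counted, which is the whitespace limitation listed under "What this is NOT".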
