An invalid uri, that contains characters out of US-ASCII should fail the schema test (with format validation enabled).

We have noticed that an invalid uri https://security.business.xerox.com/wp-content/uploads/2022/11/Xerox-Security-Bulletin-XRX22-026-FreeFlow®-Print-Server-v7.pdf did validate and have been tracking the problem down in gocsaf/csaf#474 .

Here is our extension to your test set:
gocsaf/csaf#474 (comment)

It probably is an upstream defect as you are using url.Parse .

Our fix (until you fix it here) is:
https://github.com/gocsaf/csaf/pull/517/files

Thanks for maintaining a nice schema library as Free Software! :)