Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent descriptions from containing only whitespace #232

Open
slubar opened this issue Apr 25, 2023 · 9 comments · May be fixed by #238
Open

Prevent descriptions from containing only whitespace #232

slubar opened this issue Apr 25, 2023 · 9 comments · May be fixed by #238
Assignees
Labels
Needs Discussion Discuss in a future QWG meeting or on mailing list

Comments

@slubar
Copy link
Contributor

slubar commented Apr 25, 2023

The description field is a required field currently defined with minLength=1, with no pattern constraint. This allows for valid descriptions comprised only of whitespace, as well as descriptions containing just a single character. Whitespace-only descriptions should be made invalid. A larger minimum character length might also be considered.

@ElectricNroff
Copy link

The discussion at the QWG meeting today suggested adding a pattern field here to specify at least one non-whitespace character:

"description": {
"type": "object",
"description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
"properties": {
"lang": {"$ref": "#/definitions/language"},
"value": {
"type": "string",
"description": "Plain text description.",
"minLength": 1,
"maxLength": 4096

This was thought to be better than changing:

"descriptions": {
"type": "array",
"description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/description"

with something like:

"#/definitions/descriptionWithNonWhitespace"

so that the change would affect only the descriptions part of a CNA or ADP container. In other words, it would be best to change the meaning of #/definitions/description and thereby force a non-whitespace character in all contexts where #/definitions/description is used (e.g., impacts and rejectedReasons).

Among the few people who attended, there was no support for a more general change to the minimum character length. Prohibiting an all-whitespace value helps with these objectives:

  • not accepting a submission when the provider simply forgot to fill out the field
  • avoiding some types of anomalous data processing, e.g., a plausible JSON-aware application has an initial processing stage that removes leading and trailing whitespace from strings, and a second processing stage that expects that all fields are True in a boolean context. Because an empty string is considered false in some languages (e.g., Python), the application could have unexpected behavior.

Increasing the minimum character length might block some descriptions that have low utility, but providers could simply compose an equally useless description that has more characters.

@chandanbn chandanbn added this to the CVE Record JSON Format 5.0.1 milestone May 11, 2023
@david-waltermire david-waltermire self-assigned this Jun 8, 2023
david-waltermire added a commit to david-waltermire/cve-schema that referenced this issue Jun 22, 2023
david-waltermire added a commit to david-waltermire/cve-schema that referenced this issue Jun 22, 2023
@ElectricNroff
Copy link

Trailing (or possibly leading) whitespace is common here:

"description": {
"type": "object",
"description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
"properties": {
"lang": {"$ref": "#/definitions/language"},
"value": {
"type": "string",
"description": "Plain text description.",
"minLength": 1,
"maxLength": 4096
},

with more than 4000 CVE Records affected. The common cases are one trailing space, two trailing spaces, one trailing \n character, or two trailing \n characters.

Also,

"^(?:\\S|\\S.*\\S)$"

was potentially unintended. It prevents newline characters in the middle of a string (affecting approximately a thousand CVE Records). This can be fixed by:

"^(?:\\S|\\S[\\s\\S]*\\S)$"

Leading/trailing whitespace is also seen in version fields, with more than 400 CVE Records affected. The common cases are one trailing space or one leading space.

@ElectricNroff
Copy link

Leading/trailing whitespace is also seen in names of vendors and names of products, with more than 2500 CVE Records affected. The common cases are one trailing space or one leading space.

One CVE Record was found with trailing versionType whitespace:

CVE-2023-1900

"versionType":"1.0.2303.633 "

@david-waltermire
Copy link
Collaborator

david-waltermire commented Jul 6, 2023

@ElectricNroff Would you run similar queries against records produced in the last year? This will give us a better sense of what the current record production behavior is. We want a general sense of the magnitude of occurrence.

@ElectricNroff
Copy link

For records published in 2023:

fields that use the "description" definition - 2049
version fields - 166
vendor and product fields - 279

The large difference for vendor and product fields is mostly explained by one large vendor no longer including a space at the end of the product name.

@david-waltermire david-waltermire modified the milestones: CVE Record JSON Format 5.0.1, CVE Record JSON Format v5.1, CVE Record JSON Format v5.2.0 Sep 28, 2023
@ccoffin ccoffin added the Needs Discussion Discuss in a future QWG meeting or on mailing list label Nov 13, 2024
@ccoffin
Copy link
Collaborator

ccoffin commented Nov 13, 2024

Has there been a problem with CNAs providing descriptions with a single character or whitespace in the past? Is this a problem we really need to address? Is this something CVE Services could more easily handle?

@ElectricNroff
Copy link

For the past few months, the CVE Services server has done schema validation after stripping leading and trailing whitespace. If the description has only whitespace, container submission fails with

{"error":"INVALID_JSON_SCHEMA","message":"CVE cnaContainer JSON schema validation FAILED.",
"details":{"errors [{"instancePath":"/cnaContainer/descriptions/0/value",
"schemaPath":"#/properties/value/minLength","keyword":"minLength","params":{"limit":1},
"message":"must NOT have fewer than 1 characters"}]}}

@darakian
Copy link

If the description has only whitespace, container submission fails with

That seems like desirable behavior no? Do we want records to be published with blank descriptions?

@MrMegaZone
Copy link
Collaborator

Having CVE services strip leading/trailing whitespace before validation is desirable, but when this was discussed many months ago that was just part of the solution. We did intend for the schema to also enforce this as CNA may be using the schema locally to validate before submitting to services - and if we can get things fixed upstream it is better than getting all the way to submission only to have it rejected at that last step.

I feel we should ensure that required fields contain some minimal amount of information. They should not contain only whitespace - and it may be desirable to have some minimum number of non-whitespace characters.

I'm not too worried about malicious action - deliberately submitting bogus info, but mistakes happen and helping catch them is a good thing, IMHO. Belt-and-suspenders, don't rely only on CVE Services. Who knows what the future may bring and what may change there, let alone other tooling that uses the schema.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Needs Discussion Discuss in a future QWG meeting or on mailing list
Projects
None yet
7 participants