Prevent descriptions from containing only whitespace #232
The discussion at the QWG meeting today suggested adding a pattern field here to specify at least one non-whitespace character: cve-schema/schema/v5.0/CVE_JSON_5.0_schema.json Lines 669 to 678 in 20a9e97
This was thought to be better than changing: cve-schema/schema/v5.0/CVE_JSON_5.0_schema.json Lines 735 to 741 in 20a9e97
with something like:
so that the change would affect only the descriptions part of a CNA or ADP container. In other words, it would be best to change the meaning of #/definitions/description and thereby force a non-whitespace character in all contexts where #/definitions/description is used (e.g., impacts and rejectedReasons). Among the few people who attended, there was no support for a more general change to the minimum character length. Prohibiting an all-whitespace value helps with these objectives:
Increasing the minimum character length might block some descriptions that have low utility, but providers could simply compose an equally useless description that has more characters.
Trailing (or possibly leading) whitespace is common here: cve-schema/schema/v5.0/CVE_JSON_5.0_schema.json Lines 669 to 679 in 20a9e97
with more than 4000 CVE Records affected. The common cases are one trailing space, two trailing spaces, one trailing \n character, or two trailing \n characters. Also,
was potentially unintended. It prevents newline characters in the middle of a string (affecting approximately a thousand CVE Records). This can be fixed by:
Leading/trailing whitespace is also seen in version fields, with more than 400 CVE Records affected. The common cases are one trailing space or one leading space.
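As an added example (not code from cve-schema or from anyone in this thread), the following Python applies the string keywords a JSON Schema validator applies (type, minLength, pattern) to three constructed schema fragments: the current minLength-only definition, the proposed unanchored `\S` pattern from the first comment, and a hypothetical dot-anchored pattern that also rejects a newline in the middle of the text, the side effect described in the follow-up comment. The fragment names, the `^.*\S.*$` pattern and the sample strings are all assumptions.

```python
import re

# Constructed schema fragments for illustration; not the text of the cve-schema
# "description" definition, only the keywords the thread discusses.
CURRENT_DESCRIPTION = {"type": "string", "minLength": 1}
# JSON Schema "pattern" is an unanchored ECMA-262 regex, so a bare \S is satisfied
# by any string holding at least one non-whitespace character, newlines included.
PROPOSED_DESCRIPTION = {"type": "string", "minLength": 1, "pattern": r"\S"}
# Anchoring with "." is the trap: "." never matches "\n", so a hypothetical
# ^.*\S.*$ also rejects descriptions that have a newline in the middle.
DOT_ANCHORED_DESCRIPTION = {"type": "string", "minLength": 1, "pattern": r"^.*\S.*$"}

def validate_string(value, schema):
    """Apply the string keywords a JSON Schema validator applies: type, minLength, pattern."""
    if not isinstance(value, str):
        return False
    if len(value) < schema.get("minLength", 0):
        return False
    pattern = schema.get("pattern")
    # The spec requires an unanchored search, not a full match.
    if pattern is not None and re.search(pattern, value) is None:
        return False
    return True

# Constructed sample values for the cases the thread reports. A single trailing
# "\n" is left out on purpose: Python's "$" and ECMA-262's "$" disagree there.
SAMPLES = {
    "normal": "Buffer overflow in the parser allows remote code execution.",
    "trailing_spaces": "Buffer overflow in the parser.  ",
    "trailing_newlines": "Buffer overflow in the parser.\n\n",
    "multiline": "Buffer overflow in the parser.\nFixed in version 2.0.",
    "only_spaces": "   ",
    "only_newline": "\n",
    "empty": "",
}

def check_all(schema):
    """Map each sample name to whether it validates under the given schema fragment."""
    return {name: validate_string(value, schema) for name, value in SAMPLES.items()}

def rejected_by(schema):
    """Names of the samples the schema fragment rejects, in SAMPLES order."""
    return [name for name, ok in check_all(schema).items() if not ok]

if __name__ == "__main__":
    for label, schema in [("current", CURRENT_DESCRIPTION),
                          ("proposed", PROPOSED_DESCRIPTION),
                          ("dot-anchored", DOT_ANCHORED_DESCRIPTION)]:
        print(f"{label:12s} rejects: {rejected_by(schema)}")
```

The current fragment rejects only the empty string; the `\S` pattern additionally rejects the whitespace-only values while still accepting trailing whitespace and inner newlines, and the dot-anchored pattern rejects the multi-line samples too.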
Leading/trailing whitespace is also seen in names of vendors and names of products, with more than 2500 CVE Records affected. The common cases are one trailing space or one leading space. One CVE Record was found with trailing versionType whitespace:
@ElectricNroff Would you run similar queries against records produced in the last year? This will give us a better sense of what the current record production behavior is. We want a general sense of the magnitude of occurrence.
For records published in 2023: fields that use the "description" definition - 2049. The large difference for vendor and product fields is mostly explained by one large vendor no longer including a space at the end of the product name.
Has there been a problem with CNAs providing descriptions with a single character or whitespace in the past? Is this a problem we really need to address? Is this something CVE Services could more easily handle?
For the past few months, the CVE Services server has done schema validation after stripping leading and trailing whitespace. If the description has only whitespace, container submission fails with
That seems like desirable behavior, no? Do we want records to be published with blank descriptions?
Having CVE services strip leading/trailing whitespace before validation is desirable, but when this was discussed many months ago that was just part of the solution. We did intend for the schema to also enforce this, as a CNA may be using the schema locally to validate before submitting to services, and if we can get things fixed upstream it is better than getting all the way to submission only to have it rejected at that last step. I feel we should ensure that required fields contain some minimal amount of information. They should not contain only whitespace, and it may be desirable to have some minimum number of non-whitespace characters. I'm not too worried about malicious action (deliberately submitting bogus info), but mistakes happen and helping catch them is a good thing, IMHO. Belt-and-suspenders: don't rely only on CVE Services. Who knows what the future may bring and what may change there, let alone other tooling that uses the schema.
The description field is a required field currently defined with minLength=1, with no pattern constraint. This allows for valid descriptions composed only of whitespace, as well as descriptions containing just a single character. Whitespace-only descriptions should be made invalid. A larger minimum character length might also be considered.