CVEProject / cve-schema

This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.
Creative Commons Zero v1.0 Universal
257 stars 141 forks source link

Specifiy CVE Description Format #341

Open jgamblin opened 1 month ago

jgamblin commented 1 month ago

More and More CVES are starting to contain hidden formatting characters and extra spaces that should likely be supported on CVE.org, or the schema should specify that the description is a unicode string.

I will use CVE-2024-44995 as an example of this issue:

As submitted in the JSON File:

In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix a deadlock problem when config TC during resetting\n\nWhen config TC during the reset process, may cause a deadlock, the flow is\nas below:\n                             pf reset start\n                                 │\n                                 ▼\n                              ......\nsetup tc                         │\n    │                            ▼\n    ▼                      DOWN: napi_disable()\nnapi_disable()(skip)             │\n    │                            │\n    ▼                            ▼\n  ......                      ......\n    │                            │\n    ▼                            │\nnapi_enable()                    │\n                                 ▼\n                           UINIT: netif_napi_del()\n                                 │\n                                 ▼\n                              ......\n                                 │\n                                 ▼\n                           INIT: netif_napi_add()\n                                 │\n                                 ▼\n                              ......                 global reset start\n                                 │                      │\n                                 ▼                      ▼\n                           UP: napi_enable()(skip)    ......\n                                 │                      │\n                                 ▼                      ▼\n                              ......                 napi_disable()\n\nIn reset process, the driver will DOWN the port and then UINIT, in this\ncase, the setup tc process will UP the port before UINIT, so cause the\nproblem. Adds a DOWN process in UINIT to fix it."

As Rendered in Text:

Screenshot 2024-09-19 at 2 03 18 PM

As Rendered on CVE.org:

Screenshot 2024-09-19 at 2 03 29 PM

Here is a CSV with CVEs that are causing the most issues matching against a string: SpecialDescription.csv

ccoffin commented 1 month ago

I think this probably needs to be submitted here: https://github.com/CVEProject/cve-website/issues.

jgamblin commented 1 month ago

@ccoffin, should the schema not specify the description's length or type as a plain text string, or should \n, \t, and extra white spaces and emojis be allowed in descriptions?

I am unsure if these 50+ CVEs are skirting an unenforced requirement or if no one is displaying them correctly.