I think there are realistic cases of multiple English descriptions that won't have everyone's expected behavior within CVE Services. This is not about corner cases such as en-GB-oed (supposed to be allowed but isn't); it's about usage patterns that will probably come up for some CNAs.
For CVE Services testing, is it important that both of these also fail?
{
"lang": "en-US",
"value": "This is my first English description."
},
{
"lang": "en-US",
"value": "This is my second English description."
}
{
"lang": "EN",
"value": "This is my first English description."
},
{
"lang": "EN",
"value": "This is my second English description."
}
Is it OK for a CNA to customize descriptions to reflect differences in product behavior across different English language editions, e.g.,
{
"lang": "en-US",
"value": "ABC 1.2 has incorrect permissions for the administrative directory (C:\AdminCenter by default)."
},
{
"lang": "en-GB",
"value": "ABC 1.2 has incorrect permissions for the administrative directory (C:\AdminCentre by default)."
}
I think there are realistic cases of multiple English descriptions that won't have everyone's expected behavior within CVE Services. This is not about corner cases such as en-GB-oed (supposed to be allowed but isn't); it's about usage patterns that will probably come up for some CNAs.
https://github.com/CVEProject/cve-services/blob/7397f13b420293754f992132dbd9495117556579/src/controller/cve.controller/cve.middleware.js#L55-L61 checks for en as the value of lang.
If more than one is found, an API request will fail in certain cases, e.g., https://github.com/CVEProject/cve-services/blob/7397f13b420293754f992132dbd9495117556579/src/controller/cve.controller/index.js#L55-L62
For CVE Services testing, is it important that both of these also fail?
Is it OK for a CNA to customize descriptions to reflect differences in product behavior across different English language editions, e.g.,
?