Encourage longer descriptions #439
Conversation
Call me crazy, but I think a single character for a description isn't particularly useful. Let's say 5 characters. CWE-1 is five characters.
| @@ -823,7 +823,7 @@ | |||
| "value": { | |||
| "type": "string", | |||
| "description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.", | |||
| "minLength": 1, | |||
| "minLength": 5, | |||
There was a problem hiding this comment.
Technically, the minimum a base64 string can be is 4 characters. A five character ASCII string becomes a 9 character base64 string. If you want to be consistent with the other proposed minimum.
|
I think it should be at least 4 so Mitre can't publish CVEs with Now, one could argue that since MITRE uses "n/a" for many of these fields (such as this one), which of course has a length of 3, the shortest description should be "n/a n/a Vulnerability" which is 21, so we would need to make accommodation for ultra short descriptions of length 21. So given how many CVEs that MITRE has published with "n/a" everywhere, my recommendation would be 21. Unless of course, we're also going to allow "na" or "NA", in which case it would have to be 19. However, the schema also allows these fields to be of length 1, so |
|
Coincidentally, the description for the vuln associated with the vuln w/the shortest title [above] has a length of 579. I have removed the " Was ZDI-CAN-12345." from that length since that's specific to our style. We also have I believe 4 newlines in there as well, so let's call it 575. Clearly however, that's not going to work for descriptions published by MITRE, or most CNAs honestly, but hey at least they use CVSS 3.1. Well, ya know, when they actually include CVSS at all, which they don't do. See this aforementioned CVE. Maybe the folks from VulnCheck could weight in any other lengths we could increase? |
|
Appreciate the sentiment, as CVEs without any effective description are super fun and useful 😅 That said, would rather this is approached with a tangible solution in mind. Character limits are arbitrary and useless – though I understand the minimum of 1 just to psychologically encourage good behavior. If all we require is “at least one character,” we’re effectively saying “just put something,” not “put something meaningful.” Probably worth revisiting the actual rules and start to move us towards a something that both produces value + is enforceable. Rather than wrestling over arbitrary character counts, let’s lean on CNAs to actually write descriptions that convey who, what, and how. It’s CNA behavior—not JSON-schema tweaks—that will move the needle. It's also something that could probably be instrumented at the tooling level, for those using Vulnogram / if the CVE project spun up it's own frontend. An upfront simple check + "hey, your description looks lame. Want AI to take a stab at it for you or can you do it on your own like a big kid?" + a public shame campaign (ie informal/playful leaderboard of offenders) for those who don't do the minimum is far less arbitrary & far more effective IME. |
|
As complex as JSON Schema can be (I consider it to be its own DSL), it can't do anything beyond RegEx in this situation. It's about structure, not quality. For once, I vote for AI here LOL |
|
All I'm saying is that you could enforce just a little more rigor in basic JSON. For example, you could have a regex match of But it's an easy schema change to at least set an absolute floor of verbosity in text descriptions. If you wanted to automate for quality, you at least need something like this, but should prefer something more than this. |
|
I'll link in this oldie to merge the contexts. It's trivially easy to work/troll around a character limit, so lets dig into the actual concern here. Is it just mitre publishing |
I don't know if they're the only ones, but they have a metric butt-ton of them https://github.com/raw/jgamblin/cvelint-action/refs/heads/main/CNAReports/mitre.csv Edit: this report doesn't look at title or description, but the string "n/a" shows up 327,511 times just as a rough order of magnitude and all of those are for the "affected" product/version |
|
There's a lot going on in that csv and I see
In a purely technical sense the version string Also, perhaps my grep is failing me, but I don't actually see anything about Edit: Aaaaaaand I commented at the same time as your edit. |
Call me crazy, but I think a single character for a description isn't particularly useful. Let's say 5 characters. CWE-1 is five characters.
This PR is a little bit of a troll, but if we're going to be serious about encouraging quality records, a minimum standard for descriptions is just as good a place as any to start.