Specifiy CVE Description Format

[jgamblin]

More and More CVES are starting to contain hidden formatting characters and extra spaces that should likely be supported on CVE.org, or the schema should specify that the description is a unicode string.

I will use CVE-2024-44995 as an example of this issue:

As submitted in the JSON File:

In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix a deadlock problem when config TC during resetting\n\nWhen config TC during the reset process, may cause a deadlock, the flow is\nas below:\n                             pf reset start\n                                 │\n                                 ▼\n                              ......\nsetup tc                         │\n    │                            ▼\n    ▼                      DOWN: napi_disable()\nnapi_disable()(skip)             │\n    │                            │\n    ▼                            ▼\n  ......                      ......\n    │                            │\n    ▼                            │\nnapi_enable()                    │\n                                 ▼\n                           UINIT: netif_napi_del()\n                                 │\n                                 ▼\n                              ......\n                                 │\n                                 ▼\n                           INIT: netif_napi_add()\n                                 │\n                                 ▼\n                              ......                 global reset start\n                                 │                      │\n                                 ▼                      ▼\n                           UP: napi_enable()(skip)    ......\n                                 │                      │\n                                 ▼                      ▼\n                              ......                 napi_disable()\n\nIn reset process, the driver will DOWN the port and then UINIT, in this\ncase, the setup tc process will UP the port before UINIT, so cause the\nproblem. Adds a DOWN process in UINIT to fix it."

As Rendered in Text:

As Rendered on CVE.org:

Here is a CSV with CVEs that are causing the most issues matching against a string:
SpecialDescription.csv

[ccoffin]

I think this probably needs to be submitted here: https://github.com/CVEProject/cve-website/issues.

[jgamblin]

@ccoffin, should the schema not specify the description's length or type as a plain text string, or should \n, \t, and extra white spaces and emojis be allowed in descriptions?

I am unsure if these 50+ CVEs are skirting an unenforced requirement or if no one is displaying them correctly.

[alilleybrinker]

One way of viewing this issue would be that some CNAs are submitting strings with an expectation that they're rendered (in web parlance) as "preformatted" blocks, but https://cve.org renders them as regular paragraph tags.

In that case, two more options come to mind:

• Add a field for CNAs to indicate that the description is preformatted, so https://cve.org can know to render it as preformatted.
• Have https://cve.org infer whether to render as preformatted based on the presence of whitespace characters like \n and \t.