minor loss of backward compatibility for arrays in 2.3.3 #1266

Open
ElectricNroff opened this issue Aug 8, 2024 · 0 comments
Comments

@ElectricNroff (Contributor)
The intention of #1125 in https://github.com/CVEProject/cve-services/releases/tag/v2.3.3 was to adjust whitespace in a way that is compatible with normal CNA activity. However, there is a potential complication that, if CVE Services already stored a 5.1-compliant document, and the CNA is trying to update it to another 5.1-compliant document (with a change in a location that's unrelated to any whitespace), then an API call may fail. This is not documented, and could be potentially disruptive to a CNA that needs to make a critical update quickly.

For example:

```json
{"cnaContainer":{"affected": [{"vendor": "v","product": "p",
"platforms":["HAL 9000", "HAL 9000 "],
"defaultStatus": "affected"}],
"descriptions": [{"lang": "en","value": "abc def ghi"}],
"references": [{"url": "https://example.com/r"}]}}
```

fails with:

```json
{"error":"INVALID_JSON_SCHEMA","message":"CVE cnaContainer JSON schema validation FAILED.",
"details":{"errors":[{"instancePath":"/cnaContainer/affected/0/platforms","schemaPath":
"#/properties/platforms/uniqueItems","keyword":"uniqueItems","params":{"i":0,"j":1},"message":
"must NOT have duplicate items (items ## 1 and 0 are identical)"}]}}
```

because the trailing whitespace in the second instance of HAL 9000 is removed by the server before schema validation.

(This would also fail in a POST request for a new CVE Record, but it's perhaps more surprising that it fails during a PUT request to make an unrelated update.)

Workarounds could include:

  • the Secretariat could proactively scan the entire CVE List to identify (or possibly "repair") CNA containers that have array elements differing only in whitespace - this is not hypothetical: it needed to be done once today; see the top of CVEProject/cvelistV5@d42805d
  • the CVE Services server could automatically remove these types of duplicate array elements in any container when the container is submitted, e.g., automatically change it to "platforms":["HAL 9000"] in the example above
  • the 2.3.3 release notes could be updated to inform readers of the behavior mentioned in this issue
  • other documentation could be updated to inform CNAs that, even if a container complies with the 5.1 schema, a POST or PUT request may fail because the CVE Record is modified by the server before schema validation occurs
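A client-side pre-check for the failure mode described in this issue, as an added example (not cve-services code): it models the server's whitespace adjustment as a recursive `strip()` of every string value (an assumption; the issue only shows trailing whitespace being removed), flags array items that become duplicates after that rewrite, and applies the second workaround above (drop the collapsed duplicates) before submission. The container is the one quoted in the issue.

```python
import json
# Constructed from the cnaContainer quoted in the issue (items differ only in whitespace).
EXAMPLE_CONTAINER = {"cnaContainer": {
    "affected": [{"vendor": "v", "product": "p", "defaultStatus": "affected",
                  "platforms": ["HAL 9000", "HAL 9000 "]}],
    "descriptions": [{"lang": "en", "value": "abc def ghi"}],
    "references": [{"url": "https://example.com/r"}]}}

def normalize_whitespace(obj):
    # Model of the server-side rewrite (assumption: leading and trailing whitespace
    # is stripped from every string; the issue only demonstrates trailing whitespace).
    if isinstance(obj, str):
        return obj.strip()
    if isinstance(obj, list):
        return [normalize_whitespace(x) for x in obj]
    if isinstance(obj, dict):
        return {k: normalize_whitespace(v) for k, v in obj.items()}
    return obj

def whitespace_only_duplicates(obj, path=""):
    # Pre-submission check: (json_pointer, i, j) for array items that are distinct as
    # written but identical after normalization, i.e. the pairs uniqueItems will reject.
    hits = []
    if isinstance(obj, list):
        canon = [json.dumps(normalize_whitespace(x), sort_keys=True) for x in obj]
        for j in range(len(obj)):
            for i in range(j):
                if canon[i] == canon[j] and obj[i] != obj[j]:
                    hits.append((path, i, j))
        for idx, item in enumerate(obj):
            hits += whitespace_only_duplicates(item, f"{path}/{idx}")
    elif isinstance(obj, dict):
        for key, value in obj.items():
            hits += whitespace_only_duplicates(value, f"{path}/{key}")
    return hits

def dedupe_after_normalizing(obj):
    # The issue's second workaround, done client-side: normalize first, then keep only
    # the first occurrence of each array item so uniqueItems holds after the rewrite.
    obj = normalize_whitespace(obj)
    if isinstance(obj, list):
        out = []
        for item in map(dedupe_after_normalizing, obj):
            if item not in out:
                out.append(item)
        return out
    if isinstance(obj, dict):
        return {k: dedupe_after_normalizing(v) for k, v in obj.items()}
    return obj
```

Running `whitespace_only_duplicates(EXAMPLE_CONTAINER)` reports the `/cnaContainer/affected/0/platforms` pair from the error above, and the deduplicated container passes the same check with no hits.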