
Re: CVE ID Syntax Vote - results and next steps



On 2013-04-25 04:17, Booth, Harold wrote:

>   * Do you desire a static length of the CVE Ids?
>
> Yes, a specified maximum length is much easier to write parsing and
> validation logic for and at the end of the day everyone will have to
> decide on some sort of cut-off.

I'm not expressing a preference, but is a null-terminated string any 
harder to parse?  'CVE-' or 'CVE-YYYY-' or 'CVE' is the start of the 
string, read until the end, you now have your ID.

> - Any comment on Adam’s suggestion of trailing zeros?
>
> It is ambiguous for numbers divisible by ten, for example imagine if CVE
> today had trailing instead of leading zeros and we had the following number:
>
> 1000
>
> Is this a 1 with three trailing zeros? A 10 with two trailing zeros? A
> 100 with one trailing zero? or 1000 with no trailing zeros?

Seems pretty clear it's 1000 (one thousand) with no trailing zeros, 
positional notation and all. If the ID is a number, leading zeros are 
decoration only; trailing zeros matter.

And, treat the ID as a string!  Even a string that you can safely expect 
to be digits, like this regex I looked up on Stack Overflow: ^[0-9]{1,6}$

If IDs are variable length strings and there are no special formatting 
rules, then CVE-1999-00100 and CVE-1999-0100 are different...

I guess there's a desire to keep the ID an integer, issued more or less 
sequentially?  This isn't really related to the syntax change, unless 
treating the ID as a string affects the leading/trailing zeros.


  - Art
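
An added example, not part of the original message: a validator that contrasts string identity with integer identity for CVE IDs, and enumerates the readings of a trailing-zero-padded field such as the quoted 1000. It assumes the `CVE-YYYY-digits` shape and reuses the 1-to-6-digit limit from the regex above; the function names are hypothetical.

```python
import re

# Assumed syntax for illustration: 'CVE-', a 4-digit year, '-', then a
# digits-only sequence of 1 to 6 characters (the message's ^[0-9]{1,6}$).
CVE_RE = re.compile(r"CVE-([0-9]{4})-([0-9]{1,6})")


def parse(cve_id):
    """Return (year, sequence) as strings, or None if the ID is malformed."""
    # fullmatch() rather than match() with '$': in Python, '$' also matches
    # just before a trailing newline, so "CVE-1999-0100\n" would be accepted.
    m = CVE_RE.fullmatch(cve_id)
    return (m.group(1), m.group(2)) if m else None


def same_as_string(a, b):
    """Identity when the sequence is an opaque string: exact match only."""
    pa, pb = parse(a), parse(b)
    return pa is not None and pa == pb


def same_as_integer(a, b):
    """Identity when the sequence is a number: leading zeros are decoration."""
    pa, pb = parse(a), parse(b)
    if pa is None or pb is None:
        return False
    return pa[0] == pb[0] and int(pa[1]) == int(pb[1])


def trailing_zero_readings(seq):
    """List each (value, zeros_of_padding) a trailing-zero-padded field allows."""
    readings = [(seq, 0)]
    stripped = seq
    while stripped.endswith("0") and len(stripped) > 1:
        stripped = stripped[:-1]
        readings.append((stripped, len(seq) - len(stripped)))
    return readings


if __name__ == "__main__":
    a, b = "CVE-1999-00100", "CVE-1999-0100"  # the two IDs from the message
    print("string identity: ", same_as_string(a, b))
    print("integer identity:", same_as_integer(a, b))
    print("readings of 1000:", trailing_zero_readings("1000"))
```

A tool that stores or joins on CVE IDs has to pick one of the two identity functions and apply it everywhere; mixing them lets the same record appear as two.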



Page Last Updated or Reviewed: October 03, 2014