Consistent field for summary of CVE #2009

Open
IgorTodorovskiIBM opened this issue Feb 24, 2024 · 1 comment

Comments

@IgorTodorovskiIBM

Describe the bug
Can we use one field for the CVE details?
There currently seem to be two fields to get the summary: details and summary.

For example, git's CVE only has a details field, while curl's CVE only has a summary field.

To Reproduce
For curl:

curl -d \
  '{"commit": "c3cc3e1da7716f9b4d941dba4c485962dd107d49"}' \
  "https://api.osv.dev/v1/query"  | jq '.vulns[0].summary'

For git:

curl -d \
  '{"commit": "c3cc3e1da7716f9b4d941dba4c485962dd107d49"}' \
  "https://api.osv.dev/v1/query"  | jq '.vulns[0].details'

Expected behaviour
Can we have one consistent field to describe the CVE?

@andrewpollock
Contributor

Hi @IgorTodorovskiIBM

(both your examples cite the same commit hash, so I'm not sure which record you were referring to for your curl example, so I'll pick one at random)

For CVEs converted from the NVD, such as CVE-2019-1387, there is no summary-equivalent available, so they are omitted when the resulting OSV record is generated. I'm not sure about the utility of duplicating the entire details field into the summary field, as this feels like it's not in the spirit of how that field is intended to be used: https://ossf.github.io/osv-schema/#summary-details-fields

For a curl-supplied OSV record, such as CURL-CVE-2024-0853, I can see both a summary and a details field supplied at https://curl.se/docs/CVE-2024-0853.json and also served by the OSV.dev API at https://api.osv.dev/v1/vulns/CURL-CVE-2024-0853.

Could you speak more to the use case that the current arrangement is not meeting? I'm wondering if you should be relying on the https://ossf.github.io/osv-schema/#aliases-field and https://ossf.github.io/osv-schema/#related-field fields if you're trying to do record correlation?
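As an added example (not code from the issue or from the OSV project), here is one way a consumer can cope with both record shapes described above: prefer summary, fall back to the first paragraph of details, and correlate records through the aliases and related fields rather than through the description text. The two records are constructed placeholders, not copies of real OSV.dev data; the alias on the curl record is assumed for the example.

```python
import json
import urllib.request
from typing import Any

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# Constructed sample records (placeholder text, not copied from OSV.dev).
# Shape 1: a CVE converted from the NVD, which carries only "details".
NVD_STYLE_RECORD: dict[str, Any] = {
    "id": "CVE-2019-1387",
    "details": "Placeholder first paragraph of details.\n\nPlaceholder second paragraph.",
}
# Shape 2: a curl-supplied record, which carries both fields plus an alias.
CURL_STYLE_RECORD: dict[str, Any] = {
    "id": "CURL-CVE-2024-0853",
    "summary": "Placeholder curl summary line",
    "details": "Placeholder curl details.\n\nMore placeholder text.",
    "aliases": ["CVE-2024-0853"],  # assumed alias, constructed for the example
}


def describe(record: dict[str, Any], max_len: int = 120) -> str:
    """One-line description: prefer summary, else the first paragraph of details."""
    summary = (record.get("summary") or "").strip()
    if summary:
        return summary
    details = (record.get("details") or "").strip()
    if details:
        first = details.split("\n\n", 1)[0].replace("\n", " ")
        if len(first) > max_len:
            first = first[: max_len - 3].rstrip() + "..."
        return first
    return f"{record.get('id', '<no id>')}: no summary or details in record"


def cve_ids(record: dict[str, Any]) -> set[str]:
    """CVE identifiers from id, aliases and related, for correlating records."""
    candidates = {record.get("id", "")}
    candidates |= set(record.get("aliases", [])) | set(record.get("related", []))
    return {c for c in candidates if c.startswith("CVE-")}


def query_by_commit(commit: str) -> list[dict[str, Any]]:
    """POST the same query as the curl commands above; needs network access."""
    body = json.dumps({"commit": commit}).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("vulns", [])


if __name__ == "__main__":
    for rec in (NVD_STYLE_RECORD, CURL_STYLE_RECORD):
        print(rec["id"], "->", describe(rec), sorted(cve_ids(rec)))
```

Only the offline helpers are exercised here; query_by_commit reproduces the issue's curl request and can be fed the results through describe and cve_ids.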
