Create a periodically auto-refreshing list of fixed CVEs #1
Comments
Isn't this the problemspace https://osv.dev/ exists for? :) |
/assign @PushkarJ |
@coderanger https://osv.dev/ seems like a cool project, I did not know about this before :) I tried searching for kubernetes there and found one result. Maybe potential outcome of this exercise is a database (generated JSON doc) that can be consumed by https://osv.dev/ so users can use it to find out if their kubernetes version is impacted by any CVE or not. |
/transfer sig-security |
We can almost certainly also consume that through Hugo and render a summary on https://k8s.io/ |
@tabbysable @tallclair as SIG Security and SRC members, can you please confirm that you are in favor of this feature by commenting |
The fixes that require adding "fresh" fields at the root of the object like:
would need to actually output the whole object from the script, thus removing the static part from the website: We will need some synchronization during the merge. I created the following PRs that (if correct) should be merged sensibly at the same time, first the ones from k/sig-security then k/website: |
For the update, we merged:
So now the CVE feed is JSON feed compliant, RSS compliant and has a top level |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
Still working on this, until we are GA; currently at beta /remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
Exciting updates coming soon /remove-lifecycle stale |
Hi @PushkarJ could you provide an update on where things are at here? |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/remove-lifecycle rotten |
Discussed in today's Tooling meeting modifying the GA roadmap to replace "near-real-time update" milestone with "known and acceptable maximum delay", possibly including an ad-hoc refresh of the feed during CVE publication by SRC. We are investigating. |
If you (SRC) want to be able to trigger a website build, we (SIG Docs / K8s infra) can give you a webhook or something similar. Either for manual use, automation, or a mix. |
Also see kubernetes/website#43968 about options for near-realtime updates. |
After discussion in the SIG security tooling meeting, we think the simplest solution would be to call a webhook to trigger the website build (like in k/website workflows) from the CVE feed generation script (this script) since it already knows when there's an update. The main difficulty would be to have a token at our disposal in the prow job that can call this webhook. Do you think it would be a good idea, and if so who can we contact to make it happen? |
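An added example of the "trigger the website build from the feed generation script, since it already knows when there is an update" idea discussed above. This is not the project's own feed script; it assumes a feed in JSON Feed 1.1 shape with a top-level lastUpdatedAt field, a build hook reached by POST, and a hook URL and token supplied to the job through environment variables (WEBSITE_BUILD_HOOK_URL and WEBSITE_BUILD_HOOK_TOKEN are assumed names). The feed contents are constructed sample data. The point it demonstrates is that a regeneration that only bumps lastUpdatedAt should not fire a rebuild, and that the hook secrets never appear in output.

```python
# Added example (not the kubernetes/sig-security feed script): decide whether a
# regenerated CVE feed actually changed, and only then POST to a build webhook.
# Assumptions: JSON Feed 1.1 layout, a top-level "lastUpdatedAt" field, and hook
# secrets delivered via environment variables. All feed data here is constructed.
import hashlib
import json
import os
import urllib.request

JSON_FEED_VERSION = "https://jsonfeed.org/version/1.1"

# Constructed sample: previous run of the generator and a run that adds one entry.
PREVIOUS_FEED = {
    "version": JSON_FEED_VERSION,
    "title": "Example CVE feed (constructed)",
    "lastUpdatedAt": "2024-01-01T00:00:00Z",
    "items": [
        {"id": "CVE-0000-EXAMPLE-1", "summary": "placeholder fixed issue"},
    ],
}
NEW_FEED = {
    "version": JSON_FEED_VERSION,
    "title": "Example CVE feed (constructed)",
    "lastUpdatedAt": "2024-01-02T00:00:00Z",
    "items": PREVIOUS_FEED["items"]
    + [{"id": "CVE-0000-EXAMPLE-2", "summary": "placeholder fixed issue"}],
}


def validate_feed(feed):
    """Reject documents missing the fields consumers of the feed depend on."""
    if feed.get("version") != JSON_FEED_VERSION:
        raise ValueError("unexpected JSON Feed version")
    for key in ("title", "items", "lastUpdatedAt"):
        if key not in feed:
            raise ValueError(f"missing top-level field: {key}")
    seen = set()
    for item in feed["items"]:
        if "id" not in item:
            raise ValueError("feed item without id")
        if item["id"] in seen:
            raise ValueError(f"duplicate feed item id: {item['id']}")
        seen.add(item["id"])
    return True


def content_fingerprint(feed):
    """Hash only the items, in canonical JSON form, so that a regeneration that
    changes nothing but lastUpdatedAt is not treated as a change."""
    canonical = json.dumps(feed["items"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def feed_changed(previous, current):
    validate_feed(previous)
    validate_feed(current)
    return content_fingerprint(previous) != content_fingerprint(current)


def post_build_hook(hook_url, token, post=None):
    """POST to the build hook and return the HTTP status. The URL and token
    are secrets, so nothing here logs them. `post` is injectable for tests."""
    req = urllib.request.Request(
        hook_url,
        data=b"{}",
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )
    if post is None:
        post = lambda r: urllib.request.urlopen(r, timeout=10).status
    return post(req)


def refresh_if_changed(previous, current, hook_url=None, token=None, post=None):
    """Trigger a rebuild only when the feed content changed. Returns True if a
    rebuild was requested and the hook accepted it."""
    if not feed_changed(previous, current):
        return False
    hook_url = hook_url or os.environ.get("WEBSITE_BUILD_HOOK_URL")
    token = token or os.environ.get("WEBSITE_BUILD_HOOK_TOKEN")
    if not hook_url or not token:
        # Fail closed: a job without the secret must not silently skip rebuilds.
        raise RuntimeError("build hook URL/token not available to this job")
    status = post_build_hook(hook_url, token, post)
    return 200 <= status < 300


if __name__ == "__main__":
    # Prints only the decision, never the hook URL or token.
    print("rebuild triggered:", refresh_if_changed(
        PREVIOUS_FEED, NEW_FEED, post=lambda r: 204))
```

Hashing the canonical item list rather than the whole document is what keeps a scheduled regeneration that only bumps lastUpdatedAt from consuming a build; the previous fingerprint would be persisted alongside the feed (for example next to it in the bucket) between runs.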
@mtardy SIG Docs! Try the Slack channel, but filing an issue against k/website would be best. BTW, if there's any eventual consistency to account for with the object storage - let's account for it. |
With the growing number of eyes on Kubernetes, the number of CVEs related to Kubernetes has increased. Although most CVEs that directly, indirectly or transitively impact Kubernetes are regularly fixed, there is no single place for end users of Kubernetes to programmatically subscribe to or pull the data on fixed CVEs.
Current State of the Art
All these options are broken or incomplete:
Metadata
Pre-requisites
official-cve-feed
using https://docs.github.com/en/rest/reference/issues REST API
Implementation Details
https://github.com/kubernetes/enhancements/tree/master/keps/sig-security/3203-auto-refreshing-official-cve-feed
TestGrid for GCS Bucket is available here: https://testgrid.k8s.io/sig-security-cve-feed#auto-refreshing-official-cve-feed
Optional: Trigger k/website rebuild using netlify build-hook
Beta to GA Graduation Scope
Alpha to Beta Graduation Scope
lastUpdatedAt as a metadata field #72
Feedback since beta that is resolved
Feedback received but that requires more engagement and participation
Related Discussions
cc @sftim @tallclair @kubernetes/sig-security-leads @raesene
/committee product-security
/sig security docs release