Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create a periodically auto-refreshing list of fixed CVEs #1

Open
12 tasks done
Tracked by #3
PushkarJ opened this issue Jul 30, 2021 · 44 comments
Open
12 tasks done
Tracked by #3

Create a periodically auto-refreshing list of fixed CVEs #1

PushkarJ opened this issue Jul 30, 2021 · 44 comments
Assignees
@PushkarJ @nehaLohia27
Labels
committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/security Categorizes an issue or PR as relevant to SIG Security.

Comments

@PushkarJ
Copy link
Member

PushkarJ commented Jul 30, 2021
edited
Loading

With growing number of eyes on Kubernetes, the number of CVEs related to Kubernetes have increased. Although most CVEs are regularly fixed that directly or indirectly or transitively impact Kubernetes, there is no single place to programmatically subscribe or pull the data of fixed CVEs, for the end users of Kubernetes.

Current State of the Art

All these options are broken or incomplete:

  1. RSS feed with google groups is broken: Kubernetes Security and Disclosure Information website#29142
  2. CVEDetails website seems to have incomplete data, with missing CVEs from 2021 and no mention of CVEs in base image or build time deps.
  3. This page: https://kubernetes.io/docs/reference/issues-security/issues/ links to a Github issue filter for CVE related fixes but is a broad search term

Metadata

Pre-requisites

Implementation Details

https://github.com/kubernetes/enhancements/tree/master/keps/sig-security/3203-auto-refreshing-official-cve-feed

TestGrid for GCS Bucket is available here: https://testgrid.k8s.io/sig-security-cve-feed#auto-refreshing-official-cve-feed

Optional: Trigger k/website rebuild using netlify build-hook

Beta to GA Graduation Scope

Alpha to Beta Graduation Scope
Preview Give feedback
  1. Support RSS feeds by generating data in Atom format #77
    sig/docs sig/security triage/accepted
    mtardy
  2. CVE Feed: Sort Markdown Table from most recent to least recently announced CVE #73
  3. CVE Feed: Add Prow job link as a metadata field #71
    kind/feature sig/docs sig/security triage/accepted
    mtardy
  4. CVE Feed: Add lastUpdatedAt as a metadata field #72
    kind/feature sig/docs sig/security triage/accepted
    mtardy
  5. CVE Feed: JSON feed should pass jsonfeed spec validator website#36808
    kind/bug priority/important-longterm sig/security triage/accepted
    mtardy
  6. CVE Feed: Include a timestamp field for each CVE indicating when it was last updated #63
    kind/feature needs-triage sig/security triage/accepted
    mtardy

Feedback since beta that is resolved
Preview Give feedback
  1. Include open issues in official CVE feed #97
  2. CVE feed title doesn't mention project kubernetes#118437
    kind/bug sig/security triage/accepted
  3. Update RSS feed title #92
    approved cncf-cla: yes lgtm size/XS
    PushkarJ
  4. Remove the must be closed requirement in CVE feed #106
    approved cncf-cla: yes lgtm sig/security size/XS
  5. Bug: Unbound variable in vulnerability scanning script #85
    help wanted kind/bug sig/k8s-infra sig/security sig/testing
    carlory
  6. Reduce curl calls to GH by eliminating duplicate CVEs test-infra#31076
    approved area/config area/jobs cncf-cla: yes lgtm ok-to-test sig/k8s-infra sig/testing size/XS
    PushkarJ

Feedback received but that requires more engagement and participation

  • Support similar feeds for all CNCF projects

Related Discussions

cc @sftim @tallclair @kubernetes/sig-security-leads @raesene

/committee product-security
/sig security docs release
@coderanger
Copy link
Member

Isn't this the problemspace https://osv.dev/ exists for? :)

@PushkarJ
Copy link
Member Author

/assign @PushkarJ

@PushkarJ
Copy link
Member Author

@coderanger https://osv.dev/ seems like a cool project, I did not know about this before :) I tried searching for kubernetes there and found one result. Maybe potential outcome of this exercise is a database (generated JSON doc) that can be consumed by https://osv.dev/ so users can use it to find out if their kubernetes version is impacted by any CVE or not.

@PushkarJ
Copy link
Member Author

/transfer sig-security

@k8s-ci-robot k8s-ci-robot transferred this issue from kubernetes/community Sep 14, 2021
@k8s-ci-robot k8s-ci-robot added committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/security Categorizes an issue or PR as relevant to SIG Security. sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/release Categorizes an issue or PR as relevant to SIG Release. labels Sep 14, 2021
@sftim
Copy link
Contributor

sftim commented Sep 14, 2021

generated JSON doc

We can almost certainly also consume that through Hugo and render a summary on https://k8s.io/

@PushkarJ
Copy link
Member Author

@tabbysable @tallclair as SIG Security and SRC members, can you please confirm that you are in favor of this feature by commenting +1 to this issue. The progress on this issue is currently blocked, because of missing written consensus from SIG-Security and SRC as per this comment

@PushkarJ PushkarJ mentioned this issue Sep 23, 2021
Closed
@PushkarJ PushkarJ mentioned this issue Oct 5, 2021
Merged
This was referenced Dec 2, 2021
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Oct 14, 2022
Closed
Closed
Closed
Closed
Closed
@mtardy
Copy link
Member

mtardy commented Dec 20, 2022
edited
Loading

The fixes that require adding "fresh" fields at the root of the object like:

would need to actually output the whole object from the script, thus removing the static part from the website:
https://github.com/kubernetes/website/blob/cafe6d258c91c3814d83c0655c8c6354e3eade1c/layouts/_default/cve-feed.json

We will need some synchronization during the merge.

I created the following PRs that (if correct) should be merged sensibly at the same time, first the ones from k/sig-security then k/website:

@PushkarJ PushkarJ mentioned this issue Feb 2, 2023
Merged
@mtardy
Copy link
Member

mtardy commented Mar 14, 2023

For the update, we merged:

So now the CVE feed is JSON feed compliant, RSS compliant and has a top level last_updated field.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 12, 2023
@PushkarJ
Copy link
Member Author

Still working on this, until we are GA; currently at beta

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 13, 2023
This was referenced Nov 27, 2023
Closed
Open
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 20, 2024
@PushkarJ
Copy link
Member Author

Exciting updates coming soon

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 21, 2024
@PushkarJ PushkarJ mentioned this issue May 26, 2024
Open
@sftim sftim mentioned this issue Jun 2, 2024
Open
@andrewpollock
Copy link

Hi @PushkarJ could you provide an update on where things are at here?

@cji cji mentioned this issue Nov 18, 2024
Open
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 18, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 18, 2024
@tabbysable
Copy link
Member

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jan 3, 2025
@tabbysable
Copy link
Member

Discussed in today's Tooling meeting modifying the GA roadmap to replace "near-real-time update" milestone with "known and acceptable maximum delay", possibly including an ad-hoc refresh of the feed during CVE publication by SRC.

We are investigating.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@PushkarJ PushkarJ

@nehaLohia27 nehaLohia27

Labels
committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/security Categorizes an issue or PR as relevant to SIG Security.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests