Auto-refreshing Official CVE Feed

[PushkarJ]

Enhancement Description

• One-line enhancement description (can be used as a release note): Auto-refreshing official CVE feed
• Slack thread about Code Freeze discussion: https://kubernetes.slack.com/archives/C2C40FMNF/p1659035059991979
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-security/3203-auto-refreshing-official-cve-feed
• Discussion Link: https://docs.google.com/document/d/1GgmmNYN88IZ2v2NBiO3gdU8Riomm0upge_XNVxEYXp0/edit#heading=h.ash02v8wrjia
• Primary contact (assignee): @PushkarJ
• Responsible SIGs: @kubernetes/sig-security
• Tracking issue: Create a periodically auto-refreshing list of fixed CVEs sig-security#1
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.25
  • Beta release target (x.y): 1.27
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s): KEP-3203: Add Auto-refreshing Official CVE feed #3204
  • Code (k/k) update PR(s): N/A
  • Docs (k/website) update PR(s): [KEP-3203] Fetch and Render CVE JSON Feed website#35228
  • Org k/k8s.io PR(s): kubernetes-public: add bucket k8s-cve-feed k8s.io#4009
  • Infra k/test-infra PR(s):
    • [KEP-3203] Prow job to Push CVE feed to GCS bucket test-infra#26896
    • Fix typo for image:tag on k8s-cve-feed job test-infra#26988
    • Updates to fix k8s-cve-feed prow job failures test-infra#26990
  • Security k/sig-security PR(s):
    • [KEP-3203] Add hack script to generate CVE Feed sig-security#55
    • Install missing pip3 sig-security#57
  • Feature blog: Announce (auto-refreshing) Official CVE Feed alpha website#35608 and Implementing Official CVE Feed alpha contributor-site#330
• Beta
  • KEP (k/enhancements) update PR(s): KEP-3203: Alpha->Beta Graduation Updates #3828
  • Code (k/k) update PR(s): N/A
  • Docs (k/website) update(s):
    • Update CVE feed layouts for new JSON feed format website#38579
    • CVE feed: add RSS feed format website#39513
    • CVE feed cleanup on i18n data and shortcode compliance check website#39727
  • Security k/sig-security PR(s):
    • Fix CVE feed: comply with the JSON feed specifications and add the full JSON feed object in the script output to add last_updated root fields sig-security#76
    • Fix CVE feed: comply with the JSON feed specifications sig-security#75
    • CVE feed: Add a link to the testgrid.k8s.io prow job as metadata sig-security#83
  • Feature blog PR: Add Blog Post for KEP-3202 beta (CVE feed) website#39644

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[PushkarJ]

/sig security docs

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[PushkarJ]

/remove-lifecycle stale

[jasonbraganza]

Hello @PushkarJ, @nehaLohia27 👋, 1.25 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.

For note, This enhancement is targeting for stage alpha for 1.25 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a updated detailed test plan section filled out
• KEP has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need to update the open PR #3204 with the following:

• Update the kep.yaml file to reflect the latest milestone information
• Please update the Test plan section, so that it incorporates the updated detailed test plan section requirements
• Please update the Graduation criteria section with appropriate details.

For note, the status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[PushkarJ]

Thank you for the detailed feedback @jasonbraganza . I believe the latest updates to PR #3204 should resolve the pending items. Please let us know if anything else is missing!

[jasonbraganza]

Thank you so much, @PushkarJ! I’ll update the KEP in our enhancements sheet to tracked

[Atharva-Shinde]

Hi @PushkarJ, Enhancements team here again 👋

Checking in as we approach Code Freeze at 01:00 UTC on Wednesday, 3rd August 2022.

Please ensure that the following items are completed before the code-freeze:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PRs are fully merged by the code freeze deadline.

Currently, the status of the enhancement is marked as at-risk

Thanks :)

[PushkarJ]

Thanks for the reminder @Atharva-Shinde. Added all the relevant PRs in the issue description now :)

[cici37]

The relevant PRs against this KEP:

• Docs (k/website) update PR(s): [KEP-3203] Fetch and Render CVE JSON Feed website#35228
• Org k/k8s.io PR(s): kubernetes-public: add bucket k8s-cve-feed k8s.io#4009 and
• Infra k/test-infra PR(s): [KEP-3203] Prow job to Push CVE feed to GCS bucket test-infra#26896
  For tracking purpose. cc @Priyankasaggu11929

[Priyankasaggu11929]

@PushkarJ I have marked this enhancement as tracked. 🙂

[PushkarJ]

Thank you @Priyankasaggu11929 and @cici37

[sftim]

💭 we can - if we're sure we want to - publish our advisories to https://github.com/kubernetes/kubernetes/security/advisories

it's not as simple because we have lots of repos but only one official CVE ID list.

[sftim]

The CVE feed is now a valid JSON feed. See https://kubernetes.io/docs/reference/issues-security/official-cve-feed/

[PushkarJ]

Yes @sftim !! Big 👍 to @mtardy

To clarify the feed was a valid JSON before too but didn't conform to JSONFeed Spec.

Now it is indeed valid: https://validator.jsonfeed.org/?url=https%3A%2F%2Fkubernetes.io%2Fdocs%2Freference%2Fissues-security%2Fofficial-cve-feed%2Findex.json

[Atharva-Shinde]

Hey again @PushkarJ 👋 Enhancements team here,
Just checking in as we approach 1.27 code freeze at 17:00 PDT on Tuesday 14th March 2023.
As this is an out of tree enhancement please ensure that all the PRs related to this KEP are linked in the Issue description.
And as always, we are here to help if any questions come up. Thanks!

[PushkarJ]

Thank you @Atharva-Shinde. Updated the description to include all relevant PRs.

[mickeyboxell]

@PushkarJ was there a Docs PR opened against dev-1.27 branch in the k/website repo?

If not, please take a look at Documenting for a release - PR Ready for Review to get your PR ready for review as soon as possible. 01:00 UTC Wednesday 22nd March 2023 / 17:00 PDT Tuesday 21st March 2023 is the official deadline.

This PR will need a doc review by Tuesday 4th April 2023 to get this into the release. Please reach out to required SIGs to get their review. Thank you!

[mickeyboxell]

As discussed in Slack, this does not need a 1.27 Docs PR because its Docs PRs are targeted to master / main branch.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[tabbysable]

/remove-lifecycle rotten

[sftim]

What should be in scope for the CVE feed? See kubernetes/website#45576 for context.

---

Do we list all vulnerabilities, or just the ones that are vulnerabilities in k/k?

[PushkarJ]

Thanks @sftim I have added this in scope for beta-> GA graduation. More Intuittive path right now to me seems to be that SIG Security Tooling maintainers create a duplicate issue in k/k with the right labels linking the one created by SRC. I have proposed it in kubernetes/kubernetes#123964 (comment) to get feedback from SRC on this

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[sftim]

/remove-lifecycle rotten
/lifecycle stale

We should progress this (or drop the existing feed 😬)

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten