[KEP-3203] Add hack script to generate CVE Feed

sig-security-tooling/cve-feed/hack/.gitignore

@@ -0,0 +1,3 @@
+#files generated by cve feed prow job
+cve-feed-hash
+official-cve-feed.json

sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# Copyright 2022 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+#install requests module
+pip3 install requests
+
+#python script to generate official-cve-feed.json 
+python3 fetch-official-cve-feed.py
+
+#function to calculate the hash value of official-cve-feed.json 
+calculate_hash(){
+    if command -v shasum >/dev/null 2>&1; then
+    cat "$@" | shasum -a 256 | cut -d' ' -f1
+    elif command -v sha256sum >/dev/null 2>&1; then
+    cat "$@" | sha256sum | cut -d' ' -f1
+    else
+    echo "missing shasum tool" 1>&2
+    exit 1
+    fi
+}
+
+#check if official-cve-feed.json blob exists in the bucket
+set -e
+EXIT_CODE=0
+gsutil ls gs://k8s-cve-feed/official-cve-feed.json >/dev/null 2>&1 || EXIT_CODE=$?
+
+#fetch the hash value of existing official-cve-feed.json json, if differs then upload the new cve feed data to the existing blob.
+if [[ $EXIT_CODE -eq 1  ]]; then 
+    gsutil cp official-cve-feed.json gs://k8s-cve-feed
+    calculate_hash official-cve-feed.json > cve-feed-hash
+    echo "$(<cve-feed-hash )"
+    gsutil cp cve-feed-hash gs://k8s-cve-feed
+else 
+    echo "Downloading the old hash blob from gcs bucket"
+    gsutil cp gs://k8s-cve-feed/cve-feed-hash cve-feed-hash
+    hash=$(<cve-feed-hash )
+    echo "old hash value: $hash"
+    echo "Calculate the new hash value of json feed"
+    new_hash=$(calculate_hash official-cve-feed.json)
+    echo "new hash value : $new_hash "
+    printf "$new_hash" > cve-feed-hash
+
+    if [[  $hash == $new_hash ]]; then
+        printf "Both the hashes have identical contents"
+    else
+        printf "Both the hash value differ \n"
+        echo "Uploading the new json feed and hash value to gcs bucket \n"
+        gsutil cp official-cve-feed.json gs://k8s-cve-feed
+        gsutil cp cve-feed-hash gs://k8s-cve-feed/cve-feed-hash
+    fi
+fi
+
+

sig-security-tooling/cve-feed/hack/fetch-official-cve-feed.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+
+# Copyright 2022 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import json
+import requests
+
+url = 'https://api.github.com/search/issues?q=is:issue+label:official-cve-feed+\
+state:closed+repo:kubernetes/kubernetes'
+headers = {'Accept': 'application/vnd.github.v3+json'}
+res = requests.get(url, headers=headers)
+cve_arr = res.json()
+
+cve_list = []
+
+for item in cve_arr['items']:
+    cve = {"issue_url": None, "number": None, "cve_id": None,
+           "summary": None, "cve_url": None, "google_group_url": None}
+    cve['issue_url'] = item['html_url']
+    cve['number'] = item['number']
+    title = item['title'].replace(" -", ":")
+    title = title.split(": ")
+    if len(title) == 1:
+        cve_id = None
+        cve['cve_id'] = None
+        cve['cve_url'] = None
+        cve['summary'] = title[0]
+        cve['google_group_url'] = None
+    else:
+        cve_id = title[0]
+        cve['cve_id'] = title[0]
+        if len(title) == 3:
+            cve['summary'] = title[2]
+        else:
+            cve['summary'] = title[1]
+        cve['cve_url'] = f"https://www.cvedetails.com/cve-details.php?cve_id={cve_id}"
+        cve['google_group_url'] = \
+        f"https://groups.google.com/g/kubernetes-announce/search?q={cve_id}"
+    cve_list.append(cve)
+cves = json.dumps(cve_list, sort_keys=True, indent=4)
+print(cves)
+# write the final cve list to official_cve_feed.json
+with open("official-cve-feed.json", "w") as cvejson:
+    cvejson.write(cves)