Auto-refreshing Official CVE Feed

[PushkarJ]

Enhancement Description

• One-line enhancement description (can be used as a release note): Auto-refreshing official CVE feed
• Slack thread about Code Freeze discussion: https://kubernetes.slack.com/archives/C2C40FMNF/p1659035059991979
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-security/3203-auto-refreshing-official-cve-feed
• Discussion Link: https://docs.google.com/document/d/1GgmmNYN88IZ2v2NBiO3gdU8Riomm0upge_XNVxEYXp0/edit#heading=h.ash02v8wrjia
• Primary contact (assignee): @PushkarJ
• Responsible SIGs: @kubernetes/sig-security
• Tracking issue: Create a periodically auto-refreshing list of fixed CVEs sig-security#1
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.25
  • Beta release target (x.y): 1.27
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s): KEP-3203: Add Auto-refreshing Official CVE feed #3204
  • Code (k/k) update PR(s): N/A
  • Docs (k/website) update PR(s): [KEP-3203] Fetch and Render CVE JSON Feed website#35228
  • Org k/k8s.io PR(s): kubernetes-public: add bucket k8s-cve-feed k8s.io#4009
  • Infra k/test-infra PR(s):
    • [KEP-3203] Prow job to Push CVE feed to GCS bucket test-infra#26896
    • Fix typo for image:tag on k8s-cve-feed job test-infra#26988
    • Updates to fix k8s-cve-feed prow job failures test-infra#26990
  • Security k/sig-security PR(s):
    • [KEP-3203] Add hack script to generate CVE Feed sig-security#55
    • Install missing pip3 sig-security#57
  • Feature blog: Announce (auto-refreshing) Official CVE Feed alpha website#35608 and Implementing Official CVE Feed alpha contributor-site#330
• Beta
  • KEP (k/enhancements) update PR(s): KEP-3203: Alpha->Beta Graduation Updates #3828
  • Code (k/k) update PR(s): N/A
  • Docs (k/website) update(s):
    • Update CVE feed layouts for new JSON feed format website#38579
    • CVE feed: add RSS feed format website#39513
    • CVE feed cleanup on i18n data and shortcode compliance check website#39727
  • Security k/sig-security PR(s):
    • Fix CVE feed: comply with the JSON feed specifications and add the full JSON feed object in the script output to add last_updated root fields sig-security#76
    • Fix CVE feed: comply with the JSON feed specifications sig-security#75
    • CVE feed: Add a link to the testgrid.k8s.io prow job as metadata sig-security#83
  • Feature blog PR: Add Blog Post for KEP-3202 beta (CVE feed) website#39644

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[PushkarJ]

/sig security docs

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[PushkarJ]

/remove-lifecycle stale

[jasonbraganza]

Hello @PushkarJ, @nehaLohia27 👋, 1.25 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.

For note, This enhancement is targeting for stage alpha for 1.25 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a updated detailed test plan section filled out
• KEP has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need to update the open PR #3204 with the following:

• Update the kep.yaml file to reflect the latest milestone information
• Please update the Test plan section, so that it incorporates the updated detailed test plan section requirements
• Please update the Graduation criteria section with appropriate details.

For note, the status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!