Auto-refreshing Official CVE Feed

[PushkarJ]

Enhancement Description

• One-line enhancement description (can be used as a release note): Auto-refreshing official CVE feed
• Slack thread about Code Freeze discussion: https://kubernetes.slack.com/archives/C2C40FMNF/p1659035059991979
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-security/3203-auto-refreshing-official-cve-feed
• Discussion Link: https://docs.google.com/document/d/1GgmmNYN88IZ2v2NBiO3gdU8Riomm0upge_XNVxEYXp0/edit#heading=h.ash02v8wrjia
• Primary contact (assignee): @PushkarJ
• Responsible SIGs: @kubernetes/sig-security
• Tracking issue: Create a periodically auto-refreshing list of fixed CVEs sig-security#1
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.25
  • Beta release target (x.y):
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s): KEP-3203: Add Auto-refreshing Official CVE feed #3204
  • Code (k/k) update PR(s): N/A
  • Docs (k/website) update PR(s): [KEP-3203] Fetch and Render CVE JSON Feed website#35228
  • Org k/k8s.io PR(s): kubernetes-public: add bucket k8s-cve-feed k8s.io#4009
  • Infra k/test-infra PR(s):
    • [KEP-3203] Prow job to Push CVE feed to GCS bucket test-infra#26896
    • Fix typo for image:tag on k8s-cve-feed job test-infra#26988
    • Updates to fix k8s-cve-feed prow job failures test-infra#26990
  • Security k/sig-security PR(s):
    • [KEP-3203] Add hack script to generate CVE Feed sig-security#55
    • Install missing pip3 sig-security#57
• Feature blog: Announce (auto-refreshing) Official CVE Feed alpha website#35608 and Implementing Official CVE Feed alpha contributor-site#330

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[PushkarJ]

/sig security docs

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[PushkarJ]

/remove-lifecycle stale

[jasonbraganza]

Hello @PushkarJ, @nehaLohia27 👋, 1.25 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.

For note, This enhancement is targeting for stage alpha for 1.25 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a updated detailed test plan section filled out
• KEP has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need to update the open PR #3204 with the following:

• Update the kep.yaml file to reflect the latest milestone information
• Please update the Test plan section, so that it incorporates the updated detailed test plan section requirements
• Please update the Graduation criteria section with appropriate details.

For note, the status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[PushkarJ]

Thank you for the detailed feedback @jasonbraganza . I believe the latest updates to PR #3204 should resolve the pending items. Please let us know if anything else is missing!

[jasonbraganza]

Thank you so much, @PushkarJ! I’ll update the KEP in our enhancements sheet to tracked

[Atharva-Shinde]

Hi @PushkarJ, Enhancements team here again 👋

Checking in as we approach Code Freeze at 01:00 UTC on Wednesday, 3rd August 2022.

Please ensure that the following items are completed before the code-freeze:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PRs are fully merged by the code freeze deadline.

Currently, the status of the enhancement is marked as at-risk

Thanks :)

[PushkarJ]

Thanks for the reminder @Atharva-Shinde. Added all the relevant PRs in the issue description now :)

[cici37]

The relevant PRs against this KEP:

• Docs (k/website) update PR(s): [KEP-3203] Fetch and Render CVE JSON Feed website#35228
• Org k/k8s.io PR(s): kubernetes-public: add bucket k8s-cve-feed k8s.io#4009 and
• Infra k/test-infra PR(s): [KEP-3203] Prow job to Push CVE feed to GCS bucket test-infra#26896
  For tracking purpose. cc @Priyankasaggu11929

[Priyankasaggu11929]

@PushkarJ I have marked this enhancement as tracked. 🙂

[PushkarJ]

Thank you @Priyankasaggu11929 and @cici37

[PushkarJ]

@Priyankasaggu11929 @cici37 all PRs except kubernetes/website#35228 are now merged !!!

[PushkarJ]

All PRs are merged! Working on feature blog now: kubernetes/website#35608

[PushkarJ]

✨ Kubernetes v1.25 is live ✨

What that means is that the official CVE feed built as part of KEP-3203 is live too. You can find it here:

• Markdown: https://kubernetes.io/docs/reference/issues-security/official-cve-feed
• JSON: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json

Upcoming blog posts to be published on Sept 12 will cover more details