CVE Feed: Include a timestamp field for each CVE indicating when it was last updated

[Dentrax]

This is a Feature Request

-

What would you like to be added

https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json

• Add lastUpdateTime timestamp field in the root.
• Add timestamp field to CVE entry

Why is this needed

In the current response, there is no lastUpdateTime field. So it's challenging to distinguish when the CVE Feed is actually updated or it's already up-to-date.

I think timestamp field is also necessary to indicate when the CVE is added to the feed. There could be a time-window between CVE discover time versus CVE added to feed time.

Alternative Solution:

Use RSS 2.0 standard instead for better scaling for further requirement needs.

Comments
-

cc @developer-guy

[k8s-ci-robot]

@Dentrax: This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sftim]

/sig security

[sftim]

The timestamp could be the date time of issue creation (GitHub issues are the source of truth). lastUpdateTime sounds more tricky to implement, but would be possible I think.

[sftim]

timestamp could come from created_at in the GitHub Issues API
for lastUpdateTime, I'd take the maximum of updated_at from the GitHub Issues API, and the last update date for the JSON feed page. That way, if we change the feed rendering in the website, we can bump the last update date appropriately.

[Dentrax]

I can submit a PR for this if does it make sense overall. Where can I find the cve-feed-api source code? Any actions required in frontend? (i.e., adding new column for timestamp)

[sftim]

https://www.k8s.dev/blog/2022/09/12/k8s-cve-feed-alpha/ outlines the implementation @Dentrax

Given that this is relevant to #1, I will transfer this issue to that other repo:
/transfer sig-security

[sftim]

Once the upstream feed has this data, we may also want changes to k/website to make that last updated information available.

For example, we could calculate an overall last-updated for the whole feed, and put that onto https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ as text.

[PushkarJ]

/retitle CVE Feed: Include a timestamp field for each CVE indicating when it was last updated

(Dividing the scope between this issue and #73 and #72)

[mtardy]

This would be trivial to implement after this one is merged #75.
I could do it quickly!
/assign

[mtardy]

/triage accepted

[mtardy]

I just added a commit to fix this in #75 (comment).

[PushkarJ]

Fixed by #76 via date_published field. Feel free to re-open if you think this needs more work to be resolved.

/close

[k8s-ci-robot]

@PushkarJ: Closing this issue.

In response to this:

Fixed by #76 via date_published field. Feel free to re-open if you think this needs more work to be resolved.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.