With a growing number of eyes on Kubernetes, the number of CVEs related to Kubernetes has increased. Although most CVEs that directly, indirectly, or transitively impact Kubernetes are regularly fixed, there is no single place for end users of Kubernetes to programmatically subscribe to, or pull, the data on fixed CVEs.
### Current State of the Art
All these options are broken or incomplete:
- The RSS feed via Google Groups is broken: Kubernetes Security and Disclosure Information website#29142
- The CVEDetails website seems to have incomplete data, with CVEs from 2021 missing and no mention of CVEs in base images or build-time dependencies.
- This page: https://kubernetes.io/docs/reference/issues-security/issues/ links to a GitHub issue filter for CVE-related fixes, but the filter uses a broad search term.
### Pre-requisites
- New label for officially announced CVEs by SRC test-infra#23428
- Search for and identify closed issues that have a CVE ID (e.g. CVE-1001-12345) in the issue description or summary (this search filter has given the most accurate data so far)
- Label those issues with `official-cve-feed` using the GitHub Issues REST API (https://docs.github.com/en/rest/reference/issues): Add official-cve-feed label to new vulnerability announcement issues committee-security-response#133
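As an added example (not code from this issue or from the sig-security tooling), a dry run of the two steps above: filter closed issues by CVE ID and build, without sending, the REST call that adds the label. The sample issues are constructed, and the GitHub token is assumed to be supplied by the caller.

```python
import json
import re
from urllib.request import Request

# CVE IDs as they appear in issue titles and bodies (the issue cites CVE-1001-12345 as the shape).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
FEED_LABEL = "official-cve-feed"

def find_cve_ids(text):
    """Return the de-duplicated, sorted CVE IDs mentioned in a piece of text."""
    return sorted({m.group(0).upper() for m in CVE_RE.finditer(text or "")})

def select_issues_to_label(issues):
    """Pick closed issues that mention a CVE ID and do not yet carry the feed label.
    `issues` holds dicts shaped like the GitHub REST API issue object
    (number, state, title, body, labels=[{"name": ...}]); returns (number, [cve_ids]) pairs."""
    selected = []
    for issue in issues:
        if issue.get("state") != "closed":
            continue  # only fixed vulnerabilities belong in the feed
        if any(label.get("name") == FEED_LABEL for label in issue.get("labels", [])):
            continue  # already labelled, nothing to do
        cves = find_cve_ids(f'{issue.get("title", "")}\n{issue.get("body", "")}')
        if cves:
            selected.append((issue["number"], cves))
    return selected

def label_request(owner, repo, number, token):
    """Build (but do not send) POST /repos/{owner}/{repo}/issues/{number}/labels, the REST
    call that adds the label. `token` is a GitHub token supplied by the caller (assumed here;
    the issue does not discuss authentication). Returning the request allows a dry run first."""
    url = f"https://api.github.com/repos/{owner}/{repo}/issues/{number}/labels"
    body = json.dumps({"labels": [FEED_LABEL]}).encode()
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    return Request(url, data=body, headers=headers, method="POST")

# Constructed sample issues (not real Kubernetes issues) for a dry run.
SAMPLE_ISSUES = [
    {"number": 101, "state": "closed", "title": "CVE-1001-12345: example fix", "body": "", "labels": []},
    {"number": 102, "state": "closed", "title": "Fix CVE-1001-23456", "body": "",
     "labels": [{"name": FEED_LABEL}]},
    {"number": 103, "state": "open", "title": "CVE-1001-34567 not yet fixed", "body": "", "labels": []},
    {"number": 104, "state": "closed", "title": "Typo fix", "body": "no vulnerability here", "labels": []},
]
```

Only issue 101 is selected: 102 is already labelled, 103 is still open, and 104 mentions no CVE.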
### Implementation Details
TestGrid for the GCS bucket is available here: https://testgrid.k8s.io/sig-security-cve-feed#auto-refreshing-official-cve-feed
Optional: trigger a k/website rebuild using a Netlify build hook.
### Beta to GA Graduation Scope
- REQUEST: Migrate aquasecurity/vuln-list-k8s org#4873
- CVE-2023-5043 and CVE-2023-5044 missing from official list of vulnerabilities kubernetes#123964
- CVE feed doesn't include some vulnerabilities for in-project code website#45576
- CVE feed should update in near real time website#43968
- Publish CVE issue status in JSON CVE feed #98
### Alpha to Beta Graduation Scope
- [x] https://github.com/kubernetes/sig-security/issues/77
- [x] https://github.com/kubernetes/sig-security/issues/73
- [x] https://github.com/kubernetes/sig-security/issues/71
- [x] https://github.com/kubernetes/sig-security/issues/72
- [x] https://github.com/kubernetes/website/issues/36808
- [x] https://github.com/kubernetes/sig-security/issues/63
### Feedback since `beta` that is resolved
- [ ] https://github.com/kubernetes/sig-security/issues/97
- [ ] https://github.com/kubernetes/kubernetes/issues/118437
- [ ] https://github.com/kubernetes/sig-security/pull/92
- [ ] https://github.com/kubernetes/sig-security/pull/106
- [ ] https://github.com/kubernetes/sig-security/issues/85
- [ ] https://github.com/kubernetes/test-infra/pull/31076
### Feedback received that requires more engagement and participation
- Support similar feeds for all CNCF projects
### Related Discussions
- Kubernetes vulnerability dashboard committee-security-response#57
- Create Security Bulletins page kubernetes#89130
- Slack thread: https://kubernetes.slack.com/archives/C8P1DRTJA/p1632909102076400
cc @sftim @tallclair @kubernetes/sig-security-leads @raesene
/committee product-security
/sig security docs release