Create a periodically auto-refreshing list of fixed CVEs

[PushkarJ]

With growing number of eyes on Kubernetes, the number of CVEs related to Kubernetes have increased. Although most CVEs are regularly fixed that directly or indirectly or transitively impact Kubernetes, there is no single place to programmatically subscribe or pull the data of fixed CVEs, for the end users of Kubernetes.

Current State of the Art

All these options are broken or incomplete:

1. RSS feed with google groups is broken: Kubernetes Security and Disclosure Information website#29142
2. CVEDetails website seems to have incomplete data, with missing CVEs from 2021 and no mention of CVEs in base image or build time deps.
3. This page: https://kubernetes.io/docs/reference/issues-security/issues/ links to a Github issue filter for CVE related fixes but is a broad search term

Metadata

• Issue: Auto-refreshing Official CVE Feed enhancements#3203

Pre-requisites

• New label for officially announced CVEs by SRC test-infra#23428
• Search and Identify closed issues that have a CVE ID e.g. CVE-1001-12345 in the issue description or summary (This search filter is giving the most accurate data so far)
• Label those issues with official-cve-feed using https://docs.github.com/en/rest/reference/issues REST API
• Add official-cve-feed label to new vulnerability announcement issues committee-security-response#133

Implementation Details

https://github.com/kubernetes/enhancements/tree/master/keps/sig-security/3203-auto-refreshing-official-cve-feed

TestGrid for GCS Bucket is available here: https://testgrid.k8s.io/sig-security-cve-feed#auto-refreshing-official-cve-feed

Optional: Trigger k/website rebuild using netlify build-hook

Beta to GA Graduation Scope

• REQUEST: Migrate aquasecurity/vuln-list-k8s org#4873
• CVE-2023-5043 and CVE-2023-5044 missing from official list of vulnerabilities kubernetes#123964
• CVE feed doesn't include some vulnerabilities for in-project code website#45576
• CVE feed should update in near real time website#43968
• Add near-live refresh for CVE feed page website#44074
• Publish CVE issue status in JSON CVE feed #98
• Render a page for each known K8s vulnerability using a content adapter website#46623

Alpha to Beta Graduation Scope

Beta Give feedback

1. Support RSS feeds by generating data in Atom format #77
   sig/docs sig/security triage/accepted +3
   
2. CVE Feed: Sort Markdown Table from most recent to least recently announced CVE #73
   +0
3. CVE Feed: Add Prow job link as a metadata field #71
   kind/feature sig/docs sig/security triage/accepted +4
   
4. CVE Feed: Add lastUpdatedAt as a metadata field #72
   kind/feature sig/docs sig/security triage/accepted +4
   
5. CVE Feed: JSON feed should pass jsonfeed spec validator website#36808
   kind/bug priority/important-longterm sig/security triage/accepted +4
   
6. CVE Feed: Include a timestamp field for each CVE indicating when it was last updated #63
   kind/feature needs-triage sig/security triage/accepted +4
   

Feedback since beta that is resolved

Beta Give feedback

1. Include open issues in official CVE feed #97
   +0
2. CVE feed title doesn't mention project kubernetes#118437
   kind/bug sig/security triage/accepted +3
3. Update RSS feed title #92
   approved cncf-cla: yes lgtm size/XS +4
   
4. Remove the must be closed requirement in CVE feed #106
   approved cncf-cla: yes lgtm sig/security size/XS +5
5. Bug: Unbound variable in vulnerability scanning script #85
   help wanted kind/bug sig/k8s-infra sig/security sig/testing +5
   
6. Reduce curl calls to GH by eliminating duplicate CVEs test-infra#31076
   approved area/config area/jobs cncf-cla: yes lgtm ok-to-test sig/k8s-infra sig/testing size/XS +9
   

Feedback received but that requires more engagement and participation

• Support similar feeds for all CNCF projects

Related Discussions

• Kubernetes vulnerability dashboard committee-security-response#57
• Create Security Bulletins page kubernetes#89130
• Slack thread: https://kubernetes.slack.com/archives/C8P1DRTJA/p1632909102076400

cc @sftim @tallclair @kubernetes/sig-security-leads @raesene

/committee product-security
/sig security docs release

[coderanger]

Isn't this the problemspace https://osv.dev/ exists for? :)

[PushkarJ]

/assign @PushkarJ

[PushkarJ]

@coderanger https://osv.dev/ seems like a cool project, I did not know about this before :) I tried searching for kubernetes there and found one result. Maybe potential outcome of this exercise is a database (generated JSON doc) that can be consumed by https://osv.dev/ so users can use it to find out if their kubernetes version is impacted by any CVE or not.

[PushkarJ]

/transfer sig-security

[sftim]

generated JSON doc

We can almost certainly also consume that through Hugo and render a summary on https://k8s.io/

[PushkarJ]

@tabbysable @tallclair as SIG Security and SRC members, can you please confirm that you are in favor of this feature by commenting +1 to this issue. The progress on this issue is currently blocked, because of missing written consensus from SIG-Security and SRC as per this comment

[kevincox]

Sure, filed kubernetes/website#36808.

[sftim]

Include metadata about guarantees of freshness in the JSON feed: a) Prow job link b) last updated date

#63 is a feature request on the same topic

[krol3]

Excellent feature! Congrats to the team, we could add more information about the impacted component, for example in the PRs we have more information that we could add in the json, for example:

• Vulnerable versions
• Mitigations
• Fixed versions
• Vulnerable configurations
• Action required
• Vulnerability impact

[mtardy]

The fixes that require adding "fresh" fields at the root of the object like:

• CVE Feed: Add lastUpdatedAt as a metadata field #72
• CVE Feed: Add Prow job link as a metadata field #71

would need to actually output the whole object from the script, thus removing the static part from the website:
https://github.com/kubernetes/website/blob/cafe6d258c91c3814d83c0655c8c6354e3eade1c/layouts/_default/cve-feed.json

We will need some synchronization during the merge.

I created the following PRs that (if correct) should be merged sensibly at the same time, first the ones from k/sig-security then k/website:

• Fix CVE feed: comply with the JSON feed specifications #75
• Fix CVE feed: comply with the JSON feed specifications and add the full JSON feed object in the script output to add last_updated root fields #76
• Update CVE feed layouts for new JSON feed format website#38579

[mtardy]

For the update, we merged:

• Fix CVE feed: comply with the JSON feed specifications and add the full JSON feed object in the script output to add last_updated root fields #76
• Update CVE feed layouts for new JSON feed format website#38579
• CVE feed: add RSS feed format website#39513

So now the CVE feed is JSON feed compliant, RSS compliant and has a top level last_updated field.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[PushkarJ]

Still working on this, until we are GA; currently at beta

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[PushkarJ]

Exciting updates coming soon

/remove-lifecycle stale

[andrewpollock]

Hi @PushkarJ could you provide an update on where things are at here?