
Invalid entry in vulnerability feed #47003

Closed
sftim opened this issue Jun 27, 2024 · 9 comments · Fixed by kubernetes/sig-security#117
Labels: kind/bug (Categorizes issue or PR as related to a bug), needs-triage (Indicates an issue or PR lacks a `triage/foo` label and requires one), sig/security (Categorizes an issue or PR as relevant to SIG Security)

Comments

@sftim (Contributor)

sftim commented Jun 27, 2024

This is a Bug Report

Problem:
The RSS vulnerability feed includes an invalid GUID; see this excerpt:

    <item>
      <title>CVE-2023-2727, CVE-2023-2728</title>
      <link>https://github.com/kubernetes/kubernetes/issues/118640</link>
      <pubDate>Tue, 13 Jun 2023 14:42:06 +0000</pubDate>
      <guid>https://www.cve.org/cverecord?id=CVE-2023-2727, CVE-2023-2728</guid>
      <description>Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin</description>
    </item>

(the space character is not allowed there)

Proposed Solution:
Find another way to generate `<guid>` elements for the CVE feed

Page to Update:
https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ (and the feeds it links to)

Additional Information:
/kind bug
/sig security

@sftim sftim added the kind/bug Categorizes issue or PR as related to a bug. label Jun 27, 2024
@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 27, 2024
@k8s-ci-robot (Contributor)

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dipesh-rawat (Member)

💭 Could this possibly be resolved at the source, ensuring that the script generating cveFeedBucket data for the CVE feed contains accurately formatted information?

Currently, it seems the script (code reference here) generating feed data assumes there is only one CVE ID in the GitHub issue title used for data generation.

@robert-cronin (Contributor)

/assign
I think I might have an idea for an approach to solve this issue based on @dipesh-rawat's comment.

@robert-cronin (Contributor)

I can see two approaches to solving this bug:

  1. Modify the Python script to only take the first CVE in the list so that our guid links are not malformed; or
  2. If we want to preserve as much information as possible, we could find some way to alter both the script and layouts/_default/cve-feed.rss.xml to show multiple guids if they exist.

I think option 1 makes the most sense, but I am open to suggestions. I'll start with approach 1 first 👍

@PushkarJ (Member)

PushkarJ commented Jun 28, 2024

Thank you for the discussion on this and the follow-up PR. This fix seems fine to me. However, I am wondering if this would result in everyone getting notified about old CVEs through RSS subscriptions, as this will create new entries, and how much potential panic, if any, this may create.

@PushkarJ (Member)

Fixed the specific instance called out in the issue by retitling the issue, so we have more time to discuss this. See here: kubernetes/kubernetes#118640 (comment)

@PushkarJ (Member)

Another option to fix this without creating new entries would be to strip the space in the title GUID in the script, so it is consistent everywhere. I am hesitant to break this down into two new CVEs when the announcement and issue are done together and, more importantly, the CVEs are closely related.

@BenTheElder (Member)

> However, I am wondering if this would result in everyone getting notified about old CVEs through RSS subscriptions, as this will create new entries, and how much potential panic, if any, this may create.

How many instances are there? If it's not many this seems OK to do once and get a better format.

Are we currently going to generate this at https://www.cve.org/cverecord?id=CVE-2023-2727,CVE-2023-2728 which will be valid as a guid but not valid as a link ...?
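To make the trade-offs in the comments above concrete (first-CVE guid, whitespace-stripped guid, and the "valid as a guid but not as a link" point), here is an added example in Python. It is not the kubernetes/sig-security feed script; the only thing it takes from that script is the behaviour described in this thread, namely that the GitHub issue title is pasted into the cve.org record URL as-is. Function names, the helper regex and the second sample title are this example's own constructions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# CVE identifiers look like CVE-YYYY-NNNN (the sequence part may be longer than 4 digits).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CVE_RECORD = "https://www.cve.org/cverecord?id="

# Constructed sample input: the title quoted in the report, plus a made-up single-CVE title.
SAMPLE_TITLES = ["CVE-2023-2727, CVE-2023-2728", "CVE-2024-12345"]


def extract_cve_ids(title):
    """Return every CVE ID in a GitHub issue title, in order of appearance."""
    return CVE_RE.findall(title)


def guid_first_cve(title):
    """Approach 1 from the thread: point the guid at the first CVE in the title only.

    Returns None when the title has no CVE ID so the caller can flag the item
    rather than emit an empty <guid>.
    """
    ids = extract_cve_ids(title)
    return CVE_RECORD + ids[0] if ids else None


def guid_stripped(title):
    """Alternative from the thread: keep every ID but drop the whitespace.

    The result is syntactically acceptable as a guid but does not resolve to a
    record on cve.org, which only takes one ID per request.
    """
    ids = extract_cve_ids(title)
    return CVE_RECORD + ",".join(ids) if ids else None


def is_valid_permalink_guid(guid):
    """RSS 2.0 <guid> defaults to isPermaLink="true", so the value must be a URL.

    Any whitespace (the defect in the report) disqualifies it outright.
    """
    if guid is None or any(ch.isspace() for ch in guid):
        return False
    parts = urlsplit(guid)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def is_single_cve_record_link(url):
    """True only if the URL addresses exactly one cve.org record (id=<one CVE ID>)."""
    parts = urlsplit(url)
    if parts.netloc != "www.cve.org" or parts.path != "/cverecord":
        return False
    ids = parse_qs(parts.query).get("id", [])
    return len(ids) == 1 and CVE_RE.fullmatch(ids[0]) is not None


def guids_readers_would_see_as_new(old_guids, new_guids):
    """Feed readers key items by guid, so any guid missing from the previously
    published feed shows up as a fresh entry. This is the re-notification
    concern raised in the thread; the size of the result is the blast radius.
    """
    return sorted(set(new_guids) - set(old_guids))


if __name__ == "__main__":
    # What the current script emits: the raw title appended to the record URL.
    old_feed = [CVE_RECORD + title for title in SAMPLE_TITLES]
    new_feed = [guid_first_cve(title) for title in SAMPLE_TITLES]
    for guid in old_feed:
        print(f"current  guid={guid!r} valid={is_valid_permalink_guid(guid)}")
    for guid in new_feed:
        print(f"proposed guid={guid!r} valid={is_valid_permalink_guid(guid)}"
              f" single-record-link={is_single_cve_record_link(guid)}")
    print("entries readers would re-receive:",
          guids_readers_would_see_as_new(old_feed, new_feed))
```

Running it against the two sample titles shows the raw guid failing the whitespace check, the stripped variant passing the guid check but failing the single-record-link check, and exactly one guid (the retitled item) appearing as a new entry to subscribers.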

@PushkarJ (Member)

@BenTheElder great point about CVE dot org link not working. It's a pity it does not take multiple CVEs.

I just checked how many such instances of multiple CVEs in a single GitHub issue we have. The one described in the issue is the only one. So in that case I agree this would be worth fixing and will not cause too much panic.
