Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Collect Kubernetes advisories #1661

Open
pombredanne opened this issue Nov 16, 2024 · 4 comments
Open

Collect Kubernetes advisories #1661

pombredanne opened this issue Nov 16, 2024 · 4 comments

Comments

@pombredanne
Copy link
Member

pombredanne commented Nov 16, 2024

There is a mostly unstructured JSON feed and web page at:

This is managed by https://github.com/kubernetes/committee-security-response/blob/main/README.md#product-security-committee-psc but is mostly unusable as-is and demands complex parsing or manual handling.

Of interest, advisories like this https://groups.google.com/g/kubernetes-announce/c/ufYd_aq4Y20/m/V3LKIffxCAAJ do not point to a package proper, but to a family of container images built with a specific tool version.

@pombredanne
Copy link
Member Author

The RSS feed is mostly the same as the JSON data https://k8s.io/docs/reference/issues-security/official-cve-feed/feed.xml

@cji since you are helping with k8s security issues handling, would you know if there is a plan to provide a structured feed, rather that the current text feed?

@andrewpollock @di you may know too?

@andrewpollock
Copy link

I did a quick Google search and happened upon
https://github.com/kubernetes-sigs/cve-feed-osv (which makes me wonder why we haven't got OSV.dev importing it, but it is the first I knew of it) @oliverchang FYI

@pombredanne
Copy link
Member Author

pombredanne commented Nov 17, 2024

I did a quick Google search and happened upon
https://github.com/kubernetes-sigs/cve-feed-osv (which makes me wonder why we haven't got OSV.dev importing it, but it is the first I knew of it) @oliverchang FYI

@andrewpollock Thanks! This is awesome. BUT this is also out of date and at least two vulnerabilities behind CVE-2024-9486 and CVE-2024-9594 as of today:

@cji
Copy link

cji commented Nov 18, 2024

Hi folks!

@cji since you are helping with k8s security issues handling, would you know if there is a plan to provide a structured feed, rather that the current text feed?

Is the issue with the content or structure of the feed? Or both?

If it's the structure, I'm not aware of any plans for changes to the RSS feed. The CVE feed was developed and is owned by SIG Security (kubernetes/sig-security#1) cc @PushkarJ

If it's the content, the SRC does own what's published in the actual CVE announcement emails, github posts, and MITRE CVE data (e.g. CVE-2024-9594). If there are things that are missing or would be helpful to include from that perspective please let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants