CVE feed doesn't include some vulnerabilities for in-project code about website HOT 12 OPEN

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

from website.

This is about https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ and the feeds it links to.

/sig security

from website.

The CVE feed lists vulnerabilities in Kubernetes' core. I don't think we make that as clear as we could.

from website.

/retitle CVE feed doesn't include some vulnerabilities for in-project code

from website.

@sftim can you clarify here if there is anything actionable on this issue now? or is work dependent on the outcome of the k/k issue you created?

from website.

The people working on the KEP could take steps to ensure the upstream feed includes more data; you can't fix this purely by committing to k/website.

However, there's more than one route forward here.

from website.

Thanks for the tag @sftim

/priority important-long-term

from website.

@PushkarJ: The label(s) priority/important-long-term cannot be applied, because the repository doesn't have them.

from website.

Including CVEs outside of k8s core is not in scope at the moment for GA. If this is useful for the community, I would welcome folks to chat with the group who maintains the CVE feed on #sig-security-tooling (Invite yourself from here: https://slack.k8s.io/) and share their intent to contribute to make this happen.

/priority important-longterm

from website.

In the meantime, we could clarify in the web page about what's in scope.

from website.

@sftim Would it make sense to clarify it as a k/website PR or as part of KEP or both?

from website.

Ideally both

from website.