Comments (13)
The repository with OSV files is now migrated within k8s-sigs org: https://github.com/kubernetes-sigs/cve-feed-osv
from website.
Included this as a feature in beta -> GA work as a graduation criteria.
/triage accepted
Some ideas on how to implement this:
This repo https://github.com/aquasecurity/vuln-list-k8s is being migrated to k-sigs org: kubernetes/org#4873 as a community owned repo. But for the purposes of discussion let's use the repo in its current location.
Step 1: As input to content adapter we get a list of OSV JSON files from Github API: https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream
Sample output:
{
  "name": "CVE-2017-1002102.json",
  "path": "upstream/CVE-2017-1002102.json",
  "sha": "fb991a6b68caac15879c2eefebf1a72249d3ccfe",
  "size": 1466,
  "url": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream/CVE-2017-1002102.json?ref=main",
  "html_url": "https://github.com/aquasecurity/vuln-list-k8s/blob/main/upstream/CVE-2017-1002102.json",
  "git_url": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/git/blobs/fb991a6b68caac15879c2eefebf1a72249d3ccfe",
  "download_url": "https://raw.githubusercontent.com/aquasecurity/vuln-list-k8s/main/upstream/CVE-2017-1002102.json",
  "type": "file",
  "_links": {
    "self": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream/CVE-2017-1002102.json?ref=main",
    "git": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/git/blobs/fb991a6b68caac15879c2eefebf1a72249d3ccfe",
    "html": "https://github.com/aquasecurity/vuln-list-k8s/blob/main/upstream/CVE-2017-1002102.json"
  }
}
Step 2: Iterate each file name with absolute path using the key download_url and create a new dynamic page for each CVE
Step 3: https://kubernetes.io/example/security/CVE-2021-25749.json points to the OSV format JSON file
Step 4: https://kubernetes.io/example/security/CVE-2021-25749 points to an auto-generated page that can be customized depending on, for example, whether a CVE is unfixed or not.
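The four steps above as a small content-adapter sketch, added here as an illustration and not code from the kubernetes/website or vuln-list-k8s projects. The directory listing and the OSV record are constructed samples with a made-up ID, the /example/security prefix is the placeholder path from the thread, and the fixed/unfixed rule (an affected range with an introduced event but no fixed event) is an assumption about how Step 4 would decide page variants.

```python
import json

# Constructed sample of the GitHub contents-API listing from Step 1 (trimmed to
# the keys the adapter uses). Not real API output; the repo path is a placeholder.
LISTING_JSON = """[
  {"name": "CVE-0000-0001.json", "path": "upstream/CVE-0000-0001.json", "type": "file",
   "download_url": "https://raw.githubusercontent.com/example/vuln-list-k8s/main/upstream/CVE-0000-0001.json"},
  {"name": "README.md", "path": "upstream/README.md", "type": "file",
   "download_url": "https://raw.githubusercontent.com/example/vuln-list-k8s/main/upstream/README.md"}
]"""

# Constructed OSV record standing in for one downloaded file; ID, package and versions are made up.
OSV_JSON = """{
  "id": "CVE-0000-0001",
  "summary": "constructed example advisory",
  "affected": [{"package": {"ecosystem": "Kubernetes", "name": "kubelet"},
                "ranges": [{"type": "SEMVER",
                            "events": [{"introduced": "1.24.0"}, {"fixed": "1.24.5"}]}]},
               {"package": {"ecosystem": "Kubernetes", "name": "kubelet"},
                "ranges": [{"type": "SEMVER",
                            "events": [{"introduced": "1.25.0"}]}]}]
}"""

SITE_PREFIX = "/example/security"  # placeholder from the thread; SIG Security picks the real path

def build_index(listing_json):
    """Steps 1/2: reduce the directory listing to the raw download URLs of the OSV files.
    Only *.json entries are kept, so a README in the directory never becomes a CVE page.
    The result is the single list-of-files index; raw.githubusercontent.com needs no API token."""
    return [e["download_url"] for e in json.loads(listing_json)
            if e.get("type") == "file" and e["name"].endswith(".json")]

def fix_status(record):
    """Assumed rule for Step 4: unfixed if any range was introduced and never fixed."""
    for affected in record.get("affected", []):
        for rng in affected.get("ranges", []):
            events = rng.get("events", [])
            if any("introduced" in ev for ev in events) and not any("fixed" in ev for ev in events):
                return "unfixed"
    return "fixed"

def render_page(osv_json):
    """Steps 3/4: derive the two URLs and the page metadata for one OSV record."""
    record = json.loads(osv_json)
    cve_id = record["id"]
    return {
        "json_url": f"{SITE_PREFIX}/{cve_id}.json",  # serves the OSV file unchanged
        "page_url": f"{SITE_PREFIX}/{cve_id}",       # auto-generated page
        "title": f"{cve_id}: {record.get('summary', '')}",
        "status": fix_status(record),
    }
```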
I'm willing to dig into this issue if no one else is meant to take it @PushkarJ @sftim
Help is welcome @jbiers!
Step 1: As input to content adapter we get a list of OSV JSON files from Github API: https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream
It's much easier if the machine readable feed is one file, rather than lots. If there are lots of files, we first need a single file with a list of the individual files to pull.
We can add the OSV data in a follow-up PR.
Also, we'd prefer to avoid needing API tokens for GitHub as part of the site build; it adds extra friction for new contributors.
Shorter URLs are an option too; eg https://k8s.io/security/CVE-2021-25749 can redirect to https://kubernetes.io/example/security/CVE-2021-25749
/assign
@sftim I have a question regarding the path where the CVE files should be created. Your suggestion was https://kubernetes.io/example/security/CVE-2019-11254, but as I understand currently the examples directory only contains example manifests in the form of yaml files.
My question is if it makes semantic sense to have the CVEs in this path and not somewhere like https://kubernetes.io/docs/reference/issues-security/cves/cve-2017-1002101/ or similar. If done this way, we could simply use the layouts currently used in other documentation pages, while in the /examples/ path a new one would have to be created.
Let me know if I did not make myself clear enough here 😄
Oh, the string example was just an example! You should pick an actual URL path that makes sense to SIG Security.
The directory you use does not need to exist in the Git source code.
If you find you want a new layout, SIG Docs can help out with that.
@jbiers did you decide on what path you'd like the pages to have? You could pick some actual CVE IDs and document the URL that you'd like them to have, to illustrate the pattern you have in mind.