
Comments (12)

PushkarJ avatar PushkarJ commented on July 25, 2024

The repository with OSV files is now migrated within k8s-sigs org: https://github.com/kubernetes-sigs/cve-feed-osv

from website.

PushkarJ avatar PushkarJ commented on July 25, 2024

Included this as a feature in beta -> GA work as a graduation criteria.

/triage accepted


PushkarJ avatar PushkarJ commented on July 25, 2024

Some ideas on how to implement this:

This repo https://github.com/aquasecurity/vuln-list-k8s is being migrated to k-sigs org: kubernetes/org#4873 as a community owned repo. But for the purposes of discussion let's use the repo in its current location.

Step 1: As input to content adapter we get a list of OSV JSON files from Github API: https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream

Sample output:

  {
    "name": "CVE-2017-1002102.json",
    "path": "upstream/CVE-2017-1002102.json",
    "sha": "fb991a6b68caac15879c2eefebf1a72249d3ccfe",
    "size": 1466,
    "url": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream/CVE-2017-1002102.json?ref=main",
    "html_url": "https://github.com/aquasecurity/vuln-list-k8s/blob/main/upstream/CVE-2017-1002102.json",
    "git_url": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/git/blobs/fb991a6b68caac15879c2eefebf1a72249d3ccfe",
    "download_url": "https://raw.githubusercontent.com/aquasecurity/vuln-list-k8s/main/upstream/CVE-2017-1002102.json",
    "type": "file",
    "_links": {
      "self": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream/CVE-2017-1002102.json?ref=main",
      "git": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/git/blobs/fb991a6b68caac15879c2eefebf1a72249d3ccfe",
      "html": "https://github.com/aquasecurity/vuln-list-k8s/blob/main/upstream/CVE-2017-1002102.json"
    }
  }

Step 2: Iterate each file name with absolute path using the key download_url and create a new dynamic page for each CVE
Step 3: https://kubernetes.io/example/security/CVE-2021-25749.json points to the OSV format json file
Step 4: https://kubernetes.io/example/security/CVE-2021-25749 points to an auto-generated page that can be customized depending on for example whether a CVE is unfixed or not.


jbiers avatar jbiers commented on July 25, 2024

I'm willing to dig into this issue if no one else is meant to take it @PushkarJ @sftim


sftim avatar sftim commented on July 25, 2024

Help is welcome @jbiers!


sftim avatar sftim commented on July 25, 2024

Step 1: As input to content adapter we get a list of OSV JSON files from Github API: https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream

It's much easier if the machine readable feed is one file, rather than lots. If there are lots of files, we first need a single file with a list of the individual files to pull.

We can add the OSV data in a follow-up PR.


sftim avatar sftim commented on July 25, 2024

Also, we'd prefer to avoid needing API tokens for GitHub as part of the site build; it adds extra friction for new contributors.

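The pipeline sketched in the four steps above, folded together with the two points sftim raises (one index file rather than many, and no GitHub token at build time), as an added example. This is not the project's code or anything from kubernetes/website; the repository prefix, the `security/` page paths and the sample listing and OSV documents are constructed for illustration. The only part of the listing that is trusted is a file name matching the strict CVE pattern whose download_url sits under the expected raw.githubusercontent.com prefix, and each fetched OSV document must carry the same `id` as the file it was served under before a page is generated.

```python
"""Added example (not the project's code): turn a GitHub contents-API listing
of OSV files into one index file and one generated page per CVE.
Names, paths and sample data are constructed for illustration."""
import json
import re

# The CVE id ends up in a URL path and a file name, so only accept the strict
# CVE-YYYY-NNNN+ form; anything else in the listing is ignored.
CVE_NAME = re.compile(r"^(CVE-\d{4}-\d{4,})\.json$")

# Assumed feed location. download_url values outside this prefix are rejected
# so the site build never follows an arbitrary URL; raw.githubusercontent.com
# needs no API token, which keeps the build contributor-friendly.
RAW_PREFIX = "https://raw.githubusercontent.com/aquasecurity/vuln-list-k8s/main/upstream/"

# Constructed subset of a contents-API response (same keys as the real thing).
SAMPLE_LISTING = [
    {"name": "CVE-2021-25749.json", "type": "file",
     "download_url": RAW_PREFIX + "CVE-2021-25749.json"},
    {"name": "CVE-2017-1002102.json", "type": "file",
     "download_url": RAW_PREFIX + "CVE-2017-1002102.json"},
    {"name": "README.md", "type": "file", "download_url": RAW_PREFIX + "README.md"},
    {"name": "archive", "type": "dir", "download_url": None},
    {"name": "CVE-2099-0001.json", "type": "file",  # served off-repo: dropped
     "download_url": "https://example.invalid/CVE-2099-0001.json"},
]

# Constructed OSV documents keyed by download_url (stand-in for the fetch step).
SAMPLE_OSV = {
    RAW_PREFIX + "CVE-2021-25749.json": json.dumps({
        "id": "CVE-2021-25749", "summary": "constructed: entry with a fix",
        "affected": [{"package": {"ecosystem": "Kubernetes", "name": "kubelet"},
                      "ranges": [{"type": "ECOSYSTEM", "events": [
                          {"introduced": "1.0.0"}, {"fixed": "1.0.1"}]}]}]}),
    RAW_PREFIX + "CVE-2017-1002102.json": json.dumps({
        "id": "CVE-2017-1002102", "summary": "constructed: entry without a fix",
        "affected": [{"package": {"ecosystem": "Kubernetes", "name": "kubelet"},
                      "ranges": [{"type": "ECOSYSTEM", "events": [
                          {"introduced": "1.0.0"}]}]}]}),
}


def build_index(listing):
    """Step 1, plus the single-file suggestion: reduce the per-file listing to
    one {cve_id: download_url} index that the site build consumes."""
    index = {}
    for entry in listing:
        if entry.get("type") != "file":
            continue
        m = CVE_NAME.match(entry.get("name", ""))
        if not m:
            continue
        url = entry.get("download_url") or ""
        if url != RAW_PREFIX + entry["name"]:
            continue
        index[m.group(1)] = url
    return dict(sorted(index.items()))


def is_unfixed(osv):
    """OSV records a fix as a 'fixed' event in affected[].ranges[].events;
    a range that was 'introduced' but never 'fixed' is still open."""
    for affected in osv.get("affected", []):
        for rng in affected.get("ranges", []):
            events = rng.get("events", [])
            if any("introduced" in e for e in events) and not any("fixed" in e for e in events):
                return True
    return False


def render_page(cve_id, osv, json_url):
    """Steps 3 and 4: the JSON copy and the page sit side by side under a
    hypothetical security/ section; 'status' lets a layout vary per CVE."""
    status = "unfixed" if is_unfixed(osv) else "fixed"
    return {
        "json_path": f"security/{cve_id}.json",
        "page_path": f"security/{cve_id}/index.md",
        "front_matter": {"title": cve_id, "status": status, "osv_source": json_url},
        "body": f"{osv.get('summary', '')}\n\nStatus: {status}\n",
    }


def build_site(listing, osv_docs):
    """Step 2: walk the index and generate one page per CVE, refusing any file
    whose OSV 'id' disagrees with the name it was served under."""
    index = build_index(listing)
    pages = {}
    for cve_id, url in index.items():
        osv = json.loads(osv_docs[url])
        if osv.get("id") != cve_id:
            raise ValueError(f"{url}: OSV id {osv.get('id')!r} != {cve_id}")
        pages[cve_id] = render_page(cve_id, osv, url)
    return index, pages


if __name__ == "__main__":
    index, pages = build_site(SAMPLE_LISTING, SAMPLE_OSV)
    print(json.dumps(index, indent=2))
    for cve_id, page in pages.items():
        print(cve_id, page["page_path"], page["front_matter"]["status"])
```

In a real build the `SAMPLE_OSV` dictionary is replaced by a fetch of each indexed download_url; because the index is a single committed file, the listing call against api.github.com happens once when the feed is refreshed rather than on every site build.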

sftim avatar sftim commented on July 25, 2024

https://kubernetes.io/example/security/CVE-2021-25749

Shorter URLs are an option too; eg https://k8s.io/security/CVE-2021-25749 can redirect to https://kubernetes.io/example/security/CVE-2021-25749


jbiers avatar jbiers commented on July 25, 2024

/assign


jbiers avatar jbiers commented on July 25, 2024

@sftim I have a question regarding the path where the CVE files should be created. Your suggestion was https://kubernetes.io/example/security/CVE-2019-11254, but as I understand currently the examples directory only contains example manifests in the form of yaml files.

My question is if it makes semantic sense to have the CVEs in this path and not somewhere like https://kubernetes.io/docs/reference/issues-security/cves/cve-2017-1002101/ or similar. If done this way, we could simply use the layouts currently used in other documentation pages, while in the /examples/ path a new one would have to be created.

Let me know if I did not make myself clear enough here 😄


sftim avatar sftim commented on July 25, 2024

Oh, the string example was just an example! You should pick an actual URL path that makes sense to SIG Security.

The directory you use does not need to exist in the Git source code.


sftim avatar sftim commented on July 25, 2024

If you find you want a new layout, SIG Docs can help out with that.

