
Comments (9)

k8s-ci-robot commented on August 16, 2024

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

from website.

dipesh-rawat commented on August 16, 2024

💭 Could this possibly be resolved at the source, ensuring that the script generating cveFeedBucket data for the CVE feed contains accurately formatted information?

Currently, it seems the script (code reference here) generating feed data assumes there is only one CVE ID in the GitHub issue title used for data generation.


robert-cronin commented on August 16, 2024

/assign
I think I might have an idea for an approach to solve this issue based on @dipesh-rawat's comment


robert-cronin commented on August 16, 2024

I can see two approaches to solving this bug:

  1. Modify the Python script to only take the first CVE in the list so that our guid links are not malformed; or
  2. If we want to preserve as much information as possible, we could find some way to alter both the script and layouts/_default/cve-feed.rss.xml to show multiple guids if they exist.

I think option 1 makes the most sense, but I am open to suggestions. I'll start with approach 1 first 👍


PushkarJ commented on August 16, 2024

Thank you for the discussion on this and follow-up PR. This fix seems fine to me. However, I am wondering if this would result in everyone getting notified about old CVEs through RSS Subscriptions as this will create new entries and how much potential panic if any this may create.


PushkarJ commented on August 16, 2024

Fixed the specific instance called out in the issue, by retitling the issue, so we have more time to discuss this. See here: kubernetes/kubernetes#118640 (comment)


PushkarJ commented on August 16, 2024

Another option to fix this without creating new entries would be to strip the space in the title GUID in the script. So it is consistent everywhere. I am hesitant to break down into two new CVEs, when the announcement and issue are done together and more importantly the CVEs are closely related.


BenTheElder commented on August 16, 2024

> However, I am wondering if this would result in everyone getting notified about old CVEs through RSS Subscriptions as this will create new entries and how much potential panic if any this may create.

How many instances are there? If it's not many this seems OK to do once and get a better format.

Are we currently going to generate this at https://www.cve.org/cverecord?id=CVE-2023-2727,CVE-2023-2728 which will be valid as a guid but not valid as a link ...?


PushkarJ commented on August 16, 2024

@BenTheElder great point about CVE dot org link not working. It's a pity it does not take multiple CVEs.

I just checked how many such instances of multiple CVEs in a single GitHub Issue we have. The one described in the issue is the only one. So in that case I agree this would be worth fixing and will not cause too much panic.
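The options weighed in this thread, as an added example that is not the project's feed script and not part of any comment above: it pulls every CVE ID out of an issue title, emits one feed item per ID (or only the first, as in option 1), and rejects a guid link that names more than one CVE. The item field names, the sample title text and the issue URL are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
CVE_RECORD = "https://www.cve.org/cverecord?id="  # link form quoted in the thread


def cve_ids(title):
    """Every distinct CVE ID in an issue title, in order of appearance."""
    ids = []
    for match in CVE_ID.findall(title):
        cve = match.upper()
        if cve not in ids:
            ids.append(cve)
    return ids


def is_single_cve_link(url):
    """True only if the link names exactly one well-formed CVE ID on cve.org."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("id", [])
    return (parts.netloc == "www.cve.org" and len(values) == 1
            and CVE_ID.fullmatch(values[0]) is not None)


def feed_items(issue, first_only=False):
    """One feed item per CVE ID; first_only=True mirrors option 1 above."""
    ids = cve_ids(issue["title"])
    if first_only:
        ids = ids[:1]
    items = []
    for cve in ids:
        link = CVE_RECORD + cve
        if not is_single_cve_link(link):  # never emit a malformed guid
            raise ValueError(f"bad CVE link: {link}")
        # "id", "external_url", "title" and "issue_url" are assumed field names.
        items.append({"id": cve, "external_url": link,
                      "title": issue["title"], "issue_url": issue["url"]})
    return items


# Constructed sample issue; the title text and URL are placeholders.
SAMPLE = {"title": "CVE-2023-2727, CVE-2023-2728: constructed sample title",
          "url": "https://example.invalid/issues/1"}

if __name__ == "__main__":
    for item in feed_items(SAMPLE):
        print(item["id"], item["external_url"])
```

Running `is_single_cve_link` over an already generated feed is a quick way to count how many existing entries would change before deciding whether republishing them is acceptable.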
