kubernetes / sig-security

Process documentation, non-code deliverables, and miscellaneous artifacts of Kubernetes SIG Security
Apache License 2.0

Remove the must be closed requirement in CVE feed #106

Closed enj closed 10 months ago

enj commented 10 months ago

The official-cve-feed label is sufficient in filtering down to valid issues.

@kubernetes/security-response-committee @kubernetes/sig-security-pr-reviews @PushkarJ

For example, currently https://github.com/kubernetes/kubernetes/issues/121879 is open and published to MITRE but not included in the CVE feed, which seems like the wrong approach. We do not add the official-cve-feed label until we fill out the issue details, so I do not think there is any need to wait until the issue is closed before including it in the feed.

cji commented 10 months ago

/lgtm

PushkarJ commented 10 months ago

This has been a feature request that was made earlier here: https://github.com/kubernetes/sig-security/issues/97

We discussed this in the SIG Security call too today, and there were no concerns raised.

The only note I will make is that we need to add a status field as a next step in the CVE feed.

/approve
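The selection rule this PR changes, shown as an added illustration rather than the sig-security tooling's own code: issues are assumed to arrive in the shape of the GitHub REST API (a `labels` list of `{"name": ...}` objects and a `state` of `open` or `closed`), the sample issue records are constructed placeholders, and the `status` field, which copies the GitHub issue state as PushkarJ's follow-up note suggests, is an assumption about what that field would carry.

```python
"""Illustrative CVE-feed selection logic (not the project's own code).

Contrasts the old rule (feed label AND issue closed) with the rule after this
PR (feed label alone) and adds a status field as a possible next step.
"""
from typing import Dict, List

FEED_LABEL = "official-cve-feed"

# Constructed sample issue records in the shape returned by the GitHub REST
# API (subset of fields). Numbers and titles are placeholders, not real issues.
SAMPLE_ISSUES: List[Dict] = [
    {"number": 1001, "state": "open",
     "title": "CVE-0000-00001: placeholder (open, published upstream)",
     "labels": [{"name": FEED_LABEL}, {"name": "area/security"}]},
    {"number": 1002, "state": "closed",
     "title": "CVE-0000-00002: placeholder (closed)",
     "labels": [{"name": FEED_LABEL}]},
    {"number": 1003, "state": "open",
     "title": "placeholder: details not filled in yet, no feed label",
     "labels": [{"name": "area/security"}]},
]


def has_feed_label(issue: Dict) -> bool:
    """True when the issue carries the official-cve-feed label."""
    return any(lbl.get("name") == FEED_LABEL for lbl in issue.get("labels", []))


def select_old(issues: List[Dict]) -> List[Dict]:
    """Old behaviour: the label is required AND the issue must be closed."""
    return [i for i in issues if has_feed_label(i) and i["state"] == "closed"]


def select_new(issues: List[Dict]) -> List[Dict]:
    """Behaviour after this PR: the label alone decides feed membership."""
    return [i for i in issues if has_feed_label(i)]


def to_feed_entry(issue: Dict) -> Dict:
    """Build a minimal feed entry. The 'status' field mirrors the GitHub issue
    state; that mapping is an assumption of this example, not the feed schema."""
    return {
        "issue": issue["number"],
        "title": issue["title"],
        "status": issue["state"],
    }


def build_feed(issues: List[Dict], require_closed: bool = False) -> List[Dict]:
    """Produce feed entries using either the old or the new selection rule."""
    selected = select_old(issues) if require_closed else select_new(issues)
    return [to_feed_entry(i) for i in selected]


if __name__ == "__main__":
    for entry in build_feed(SAMPLE_ISSUES):
        print(entry)
```

With the old rule, issue 1001 (open but already published) is missing from the feed; with the new rule it is included, and the unlabeled issue 1003 stays out because the label, not the closed state, is what marks an issue as ready for the feed.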

k8s-ci-robot commented 10 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, PushkarJ

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[sig-security-tooling/OWNERS](https://github.com/kubernetes/sig-security/blob/main/sig-security-tooling/OWNERS)~~ [PushkarJ]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.