kubernetes / sig-security

Process documentation, non-code deliverables, and miscellaneous artifacts of Kubernetes SIG Security
Apache License 2.0

Handle multiple CVEs per issue in official CVE feed #117

Closed robert-cronin closed 3 months ago

robert-cronin commented 3 months ago

Fix multiple CVE handling in official CVE feed

Fixes https://github.com/kubernetes/website/issues/47003

This change modifies the script used to generate the CVE feed to correctly handle issues containing multiple CVEs. Key updates:

This approach aims to resolve the malformed GUID issue while preserving the feed's integrity. Feedback and suggestions for improvement are welcome.

Here is the output from before and after the change:

before.txt after.txt
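An added illustration (not the repository's feed script) of expanding one GitHub issue into one feed item per CVE, the case this PR targets. The issue, the CVE regex and the item field names are constructed assumptions, and the aliasing pitfall shown beside the per-CVE copy is the generic failure that a dictionary copy avoids, not necessarily the exact defect this PR fixed.

```python
import copy
import re
from typing import Dict, List

# Constructed sample: one issue whose title names two CVEs. This is
# illustrative input, not a real kubernetes/kubernetes issue.
SAMPLE_ISSUE = {
    "number": 123456,
    "title": "CVE-2024-0001, CVE-2024-0002: example kube-apiserver advisory",
    "html_url": "https://github.com/kubernetes/kubernetes/issues/123456",
    "body": "Two related vulnerabilities fixed in one release.",
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_ids(issue: Dict) -> List[str]:
    """Return the distinct CVE IDs named in the issue title, in title order."""
    seen: List[str] = []
    for cve in CVE_RE.findall(issue["title"]):
        if cve not in seen:
            seen.append(cve)
    return seen


def feed_items_buggy(issue: Dict) -> List[Dict]:
    """One entry per CVE, but every entry aliases the same dict, so the last
    assignment wins and all entries end up with one id (a malformed feed)."""
    base = {"url": issue["html_url"], "summary": issue["title"]}
    items = []
    for cve in cve_ids(issue):
        base["id"] = cve  # mutates the shared dict instead of a copy
        items.append(base)
    return items


def feed_items(issue: Dict) -> List[Dict]:
    """One independent entry per CVE: copy the base dict before setting the id."""
    base = {"url": issue["html_url"], "summary": issue["title"]}
    items = []
    for cve in cve_ids(issue):
        item = copy.deepcopy(base)  # each CVE gets its own dict and its own id
        item["id"] = cve
        items.append(item)
    return items


def unique_ids(items: List[Dict]) -> bool:
    """Integrity check a feed consumer would run: no two entries share an id."""
    ids = [item["id"] for item in items]
    return len(ids) == len(set(ids))
```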

k8s-ci-robot commented 3 months ago

Welcome @robert-cronin!

It looks like this is your first PR to kubernetes/sig-security 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/sig-security has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. :smiley:

PushkarJ commented 3 months ago

/hold

(Discussing more on possible solutions in linked issue)

robert-cronin commented 3 months ago

@PushkarJ I've gone through and updated the script based on the feedback received. Here's the updated output:

after2.txt

Thank you for your suggestions!

PushkarJ commented 3 months ago

@robert-cronin Thank you so much for your efforts in fixing this and addressing the comments and coming up with an even better idea about the dictionary copy.

/lgtm /approve

k8s-ci-robot commented 3 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: PushkarJ, robert-cronin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[sig-security-tooling/cve-feed/OWNERS](https://github.com/kubernetes/sig-security/blob/main/sig-security-tooling/cve-feed/OWNERS)~~ [PushkarJ]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

PushkarJ commented 3 months ago

/hold cancel

robert-cronin commented 3 months ago

> @robert-cronin Thank you so much for your efforts in fixing this and addressing the comments and coming up with an even better idea about the dictionary copy.
>
> /lgtm /approve

No problems, happy to help 🙂