Open sftim opened 1 month ago
Included this as a feature in beta -> GA work as a graduation criteria.
/triage accepted
Some ideas on how to implement this:
This repo https://github.com/aquasecurity/vuln-list-k8s is being migrated to k-sigs org: https://github.com/kubernetes/org/issues/4873 as a community owned repo. But for the purposes of discussion let's use the repo in its current location.
Step 1: As input to content adapter we get a list of OSV JSON files from Github API: https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream
Sample output:
```json
{
  "name": "CVE-2017-1002102.json",
  "path": "upstream/CVE-2017-1002102.json",
  "sha": "fb991a6b68caac15879c2eefebf1a72249d3ccfe",
  "size": 1466,
  "url": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream/CVE-2017-1002102.json?ref=main",
  "html_url": "https://github.com/aquasecurity/vuln-list-k8s/blob/main/upstream/CVE-2017-1002102.json",
  "git_url": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/git/blobs/fb991a6b68caac15879c2eefebf1a72249d3ccfe",
  "download_url": "https://raw.githubusercontent.com/aquasecurity/vuln-list-k8s/main/upstream/CVE-2017-1002102.json",
  "type": "file",
  "_links": {
    "self": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream/CVE-2017-1002102.json?ref=main",
    "git": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/git/blobs/fb991a6b68caac15879c2eefebf1a72249d3ccfe",
    "html": "https://github.com/aquasecurity/vuln-list-k8s/blob/main/upstream/CVE-2017-1002102.json"
  }
}
```
Step 2: Iterate each file name with absolute path using the key download_url
and create a new dynamic page for each CVE
Step 3: https://kubernetes.io/example/security/CVE-2021-25749.json
points to the OSV format json file
Step 4: https://kubernetes.io/example/security/CVE-2021-25749
points to an auto-generated page that can be customized depending on for example whether a CVE is unfixed or not.
I'm willing to dig into this issue if no one else is meant to take it @PushkarJ @sftim
Help is welcome @jbiers!
> Step 1: As input to content adapter we get a list of OSV JSON files from Github API: https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream
It's much easier if the machine readable feed is one file, rather than lots. If there are lots of files, we first need a single file with a list of the individual files to pull.
We can add the OSV data in a follow-up PR.
Also, we'd prefer to avoid needing API tokens for GitHub as part of the site build; it adds extra friction for new contributors.
Shorter URLs are an option too; eg https://k8s.io/security/CVE-2021-25749 can redirect to https://kubernetes.io/example/security/CVE-2021-25749
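For the listing-driven steps sketched above (Steps 1 and 2, plus the two URL shapes in Steps 3 and 4) and the point in the reply about wanting a single machine-readable file for the site build, here is an added Go example. It is not code from kubernetes/website, from vuln-list-k8s, or from anyone in this thread. It assumes only the GitHub contents-API fields shown in the sample response (`name`, `path`, `type`, `download_url`), uses a constructed excerpt of such a listing as input, and takes the site section prefix as a parameter; the function names `planPages` and `buildIndex` are hypothetical. The file name from the listing is treated as untrusted input: only names that are well-formed CVE IDs become page paths, everything else is skipped, and a non-HTTPS `download_url` is rejected.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleListing is a constructed excerpt of a GitHub contents-API response for the
// "upstream" directory: two real CVE file names from this thread, plus a non-CVE
// JSON file and a directory entry so the filtering has something to reject.
const sampleListing = `[
  {"name": "CVE-2021-25749.json", "path": "upstream/CVE-2021-25749.json", "type": "file",
   "download_url": "https://raw.githubusercontent.com/aquasecurity/vuln-list-k8s/main/upstream/CVE-2021-25749.json"},
  {"name": "CVE-2017-1002102.json", "path": "upstream/CVE-2017-1002102.json", "type": "file",
   "download_url": "https://raw.githubusercontent.com/aquasecurity/vuln-list-k8s/main/upstream/CVE-2017-1002102.json"},
  {"name": "draft-notes.json", "path": "upstream/draft-notes.json", "type": "file",
   "download_url": "https://raw.githubusercontent.com/aquasecurity/vuln-list-k8s/main/upstream/draft-notes.json"},
  {"name": "archive", "path": "upstream/archive", "type": "dir", "download_url": ""}
]`

// contentEntry holds the contents-API fields the adapter actually needs.
type contentEntry struct {
	Name        string `json:"name"`
	Path        string `json:"path"`
	Type        string `json:"type"`
	DownloadURL string `json:"download_url"`
}

// cvePage is one planned page: the CVE ID, where its OSV JSON is fetched from,
// and the two site URLs (HTML page and raw OSV JSON) described in Steps 3 and 4.
type cvePage struct {
	ID        string `json:"id"`
	SourceURL string `json:"source_url"`
	PageURL   string `json:"page_url"`
	JSONURL   string `json:"json_url"`
}

// cveIDPattern accepts only well-formed CVE identifiers. The file name comes from
// an external repository, so it is never used as a page path without this check.
var cveIDPattern = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// planPages decodes a contents-API listing and returns one planned page per OSV
// JSON file whose name is a CVE ID, sorted by ID. siteBase is the section the
// pages live under (assumed here, e.g. "https://kubernetes.io/example/security").
func planPages(listing []byte, siteBase string) ([]cvePage, error) {
	var entries []contentEntry
	if err := json.Unmarshal(listing, &entries); err != nil {
		return nil, fmt.Errorf("decode listing: %w", err)
	}
	siteBase = strings.TrimRight(siteBase, "/")
	var pages []cvePage
	for _, e := range entries {
		if e.Type != "file" || !strings.HasSuffix(e.Name, ".json") {
			continue // directories and non-JSON files are not advisories
		}
		id := strings.TrimSuffix(e.Name, ".json")
		if !cveIDPattern.MatchString(id) {
			continue // not named after a CVE: skip rather than guess a page path
		}
		if !strings.HasPrefix(e.DownloadURL, "https://") {
			return nil, fmt.Errorf("%s: refusing non-https download_url %q", id, e.DownloadURL)
		}
		pages = append(pages, cvePage{
			ID:        id,
			SourceURL: e.DownloadURL,
			PageURL:   siteBase + "/" + id,
			JSONURL:   siteBase + "/" + id + ".json",
		})
	}
	sort.Slice(pages, func(i, j int) bool { return pages[i].ID < pages[j].ID })
	return pages, nil
}

// buildIndex serialises the plan as one machine-readable file, so a site build
// can fetch a single document instead of walking the directory listing itself.
func buildIndex(pages []cvePage) ([]byte, error) {
	return json.MarshalIndent(pages, "", "  ")
}

func main() {
	pages, err := planPages([]byte(sampleListing), "https://kubernetes.io/example/security")
	if err != nil {
		panic(err)
	}
	idx, err := buildIndex(pages)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(idx))
}
```

Run it with `go run .`; the printed index lists the two CVE entries with their source, page and JSON URLs and omits `draft-notes.json` and the directory. Generating this index once, in the feed repository, is what lets the site build consume a single file rather than the per-file listing.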
/assign
This is a Feature Request
What would you like to be added
Revise https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ to have a page about each vulnerability, rendered using a content adapter.
Ideally, allow contributors to provide dedicated and specialized content for a subset of vulnerabilities, falling back to auto rendering for the remainder.
For example:
Why is this needed
We can provide permalinks in our comms around vulnerabilities.
Comments
/area web-development
/sig security
We would need to be using Hugo v0.126 or later.
Relevant to https://github.com/kubernetes/sig-security/issues/1 Prompted by https://github.com/kubernetes/website/issues/46426#issuecomment-2132074557