CVE feed doesn't include some vulnerabilities for in-project code
This issue is currently awaiting triage.
SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This is about https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ and the feeds it links to.
/sig security
The CVE feed lists vulnerabilities in Kubernetes' core. I don't think we make that as clear as we could.
/retitle CVE feed doesn't include some vulnerabilities for in-project code
@sftim can you clarify here if there is anything actionable on this issue now? Or is work dependent on the outcome of the k/k issue you created?
The people working on the KEP could take steps to ensure the upstream feed includes more data; you can't fix this purely by committing to k/website.
However, there's more than one route forward here.
Thanks for the tag @sftim
/priority important-long-term
@PushkarJ: The label(s) priority/important-long-term cannot be applied, because the repository doesn't have them.
In response to this:
Thanks for the tag @sftim
/priority important-long-term
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Including CVEs outside of k8s core is not in scope at the moment for GA. If this is useful for the community, I would welcome folks to chat with the group who maintains the CVE feed on #sig-security-tooling (Invite yourself from here: https://slack.k8s.io/) and share their intent to contribute to make this happen.
/priority important-longterm
In the meantime, we could clarify in the web page about what's in scope.
@sftim Would it make sense to clarify it as a k/website PR or as part of KEP or both?
Ideally both
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle rotten
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
We've migrated the ingress-nginx CVE issues to kubernetes/kubernetes, and these CVEs now show up in the feed. https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ I think this can be closed.
OK, sounds good.
/close
@sftim: Closing this issue.
In response to this:
OK, sounds good.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.