add introduction section to the official CVE feed README #168
Conversation
Hi @mahmoud-sabra. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/ok-to-test

This looks great to me, thank you so much!
mtardy
left a comment
Thanks for doing this, I think it looks good overall as well, but here are a few comments
The official CVE feed is separated into two main components:
## Introduction

The **Kubernetes Official CVE Feed** provides an authoritative and machine-readable source of information about security vulnerabilities (CVEs) affecting Kubernetes.
could you wrap all the lines to ~80 chars? (gq in vim)
- [CVE-2023-3676](https://www.cve.org/CVERecord?id=CVE-2023-3676) — Kubernetes apiserver privilege escalation
- [CVE-2021-25741](https://www.cve.org/CVERecord?id=CVE-2021-25741) — Symlink vulnerability in volume mounts

---
Can you remove all the --- in your patch?
---
- A **JSON feed** listing all issues labeled as [`official-cve-feed`](https://github.com/kubernetes/kubernetes/issues?q=is%3Aissue+label%3Aofficial-cve-feed+) in the [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes) repository.
- An **HTML and RSS view** available at [k8s.io/docs/reference/issues-security/official-cve-feed](https://kubernetes.io/docs/reference/issues-security/official-cve-feed/).
Just a remark: could you change the formulation here? All the feeds are indeed the output and are distributed through the website. If you want a list I'd just put three items, something like:
- HTML: the page blablabla with the link to the page
- JSON: the original feed format blabla with the link to the JSON
- RSS: another view blabla with the link to the RSS
The way you put it here sounds a bit like mostly the JSON feed lists the issues labeled as official-cve-feed. I think you can just put the details in the parts that explain how it works maybe?
Each entry in the feed corresponds to an official CVE affecting Kubernetes, such as:
- [CVE-2023-5528](https://www.cve.org/CVERecord?id=CVE-2023-5528) — Kubernetes ingress-nginx controller vulnerability
- [CVE-2023-3676](https://www.cve.org/CVERecord?id=CVE-2023-3676) — Kubernetes apiserver privilege escalation
- [CVE-2021-25741](https://www.cve.org/CVERecord?id=CVE-2021-25741) — Symlink vulnerability in volume mounts
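Review bot: the one-line summaries after the three CVE links in this hunk are hand-written rather than taken from the linked records, so the README can drift from the authoritative source it points readers to. If the example list is kept, quote each record's title verbatim from the linked cve.org page (or keep only the links without a summary), so that a reader following the link finds exactly what the README promised.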
not sure you need to bother with examples
## Introduction

The **Kubernetes Official CVE Feed** provides an authoritative and machine-readable source of information about security vulnerabilities (CVEs) affecting Kubernetes.
It helps developers, operators, and security professionals stay informed about officially recognized and triaged vulnerabilities in the Kubernetes ecosystem.
I'll put that with the other paragraph before, maybe not a newline?
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: mahmoud-sabra. The full list of commands accepted by this bot can be found here.
Details: Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
413f8e1 to d824f11
/lgtm
- **JSON** — the original, machine-readable feed listing all issues
labeled as
[`official-cve-feed`](https://github.com/kubernetes/kubernetes/issues?q=is%3Aissue+label%3Aofficial-cve-feed+)
in the
[kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
repository
- **RSS** — a syndication-friendly view for integration into monitoring
or alerting tools

Each entry in these feeds corresponds to an official CVE affecting
Kubernetes.
- **JSON** — the original, machine-readable feed listing all issues
labeled as
[`official-cve-feed`](https://github.com/kubernetes/kubernetes/issues?q=is%3Aissue+label%3Aofficial-cve-feed+)
in the
[kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
repository
- **RSS** — a syndication-friendly view for integration into monitoring
or alerting tools
Each entry in these feeds corresponds to an official CVE affecting
Kubernetes.
- **JSON** — the original machine-readable feed available at
[k8s.io/docs/reference/issues-security/official-cve-feed/index.json](https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json).
- **RSS** — a syndication-friendly view for integration into monitoring
or alerting tools available at
[k8s.io/docs/reference/issues-security/official-cve-feed/feed.xml](https://kubernetes.io/docs/reference/issues-security/official-cve-feed/feed.xml).
Each entry in these feeds corresponds to an official CVE affecting
Kubernetes retrieved from an issue labeled as
[`official-cve-feed`](https://github.com/kubernetes/kubernetes/issues?q=is%3Aissue+label%3Aofficial-cve-feed+)
in the [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
repository.
thank you Mahe, your format is better than mine, I will use it
nit: remove double whiteline
A script in the
[kubernetes/sig-security](https://github.com/kubernetes/sig-security)
it's okay to go over 80 chars when you have links if you want btw, not a strict rule, the wrapping is just to ease reviewing and git history change by line
A script in the
[kubernetes/sig-security](https://github.com/kubernetes/sig-security)
A script in the [kubernetes/sig-security](https://github.com/kubernetes/sig-security)
- if the sha256 changed, uploads the newly generated CVE feed file to the bucket.
- if the sha256 changed, uploads the newly generated CVE feed file to
the bucket.

The `fetch-official-cve-feed.py` file executed by the `fetch-cve-feed.sh` is a
python3 script that:
- queries the GitHub API to fetch all the issues with the `official-cve-feed`
label in the [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes/issues?q=is%3Aissue%20label%3Aofficial-cve-feed%20)
The `fetch-official-cve-feed.py` file executed by
`fetch-cve-feed.sh` is a Python 3 script that:
- queries the GitHub API to fetch all issues with the `official-cve-feed`
label in the
[kubernetes/kubernetes](https://github.com/kubernetes/kubernetes/issues?q=is%3Aissue%20label%3Aofficial-cve-feed%20)
repository;
- formats the result with the appropriate JSON schema to be JSON feed
compliant;
- formats the result according to the JSON Feed schema;
- prints the output to stdout.

These scripts are run regularly as a CronJob on the k8s infrastructure.
These scripts are run regularly as a CronJob on the Kubernetes
infrastructure.
please do not touch unchanged lines (these lines + everything that you wrapped until reference I think) (so that we don't mess up git history)
ok, I did it by mistake, I will keep them untouched next commit
just a quick question @mtardy could I close this PR and open a clean one instead?
if not, should I revert these lines back to the original or just keep them untouched the next commit? I prefer to close this PR and just open a clean one
No harm in closing this PR and opening a clean one with all the fixes, if that's what you prefer.
Indeed that's okay if that's the easiest for you.
But otherwise, learning how to rebase a patch set is a nice skill to have: https://docs.github.com/en/get-started/using-git/about-git-rebase. Then you can just `git push <forkref> HEAD --force-with-lease` and everything should look good. That's how I work personally because on all my main repos we just allow to merge and rebase.
Or you can repush the revert of that part of the commit by `git revert <commitsha>` and then `git reset HEAD~` and then `git add . --patch` and add only what you want to revert. We can then squash everything together at merge time.
nit: double whitelines
@mahmoud-sabra this is looking pretty good, let's try to get it merged!
What type of PR is this?
/kind documentation
What this PR does / why we need it:
This PR adds an introduction section to the
README.md of the official Kubernetes CVE feed documentation. The new section provides a structured overview explaining what the CVE feed is, who uses it, and what outputs it provides.
This helps contributors and users understand the purpose, audience, and structure of the CVE feed before diving into technical details.
Which issue(s) this PR is related to:
Fixes #141
Special notes for your reviewer: