Update content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md

Co-authored-by: Nate W. <[email protected]>
1 parent 5843e84, commit 8f8bdf3
Showing 1 changed file with 50 additions and 25 deletions.

...log/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
@@ -1,39 +1,64 @@ | ||
--- | ||
layout: blog | ||
layout: blog | ||
title: Updates to the Auto-refreshing Official CVE Feed | ||
date: 2023-04-04 | ||
date: | ||
slug: k8s-cve-feed-beta | ||
--- | ||
|
||
**Author**: Cailyn Edwards (Shopify) | ||
**Authors**: Cailyn Edwards (Shopify), Mahé Tardy (Isovalent), Pushkar Joglekar | ||
|
||
Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an `alpha` | ||
Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an alpha | ||
feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the | ||
`beta` version of the feed. This blog post will outline the changes made, and talk about what is planned for the to expect for | ||
the `stable` release. | ||
beta version of the feed. This blog post will outline the feedback received, the changes made, and talk about how you can help | ||
as we prepare to make this a stable feature in a future Kubernetes Release. | ||
|
||
## Updates | ||
| **\#** | **Title** | **Issue** | **Status** | | ||
| ------ | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| 1 | Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | open, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)| | ||
| 2 | CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | open, no PR open | | ||
| 3 | CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | open, no PR open | | ||
| 4 | CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | open, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | | ||
| 5 | CVE Feed: JSON feed should pass jsonfeed spec validator | [kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | open, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | | ||
| 6 | CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | open, no PR | | ||
| 7 | CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | open, no PR | | ||
|
||
## Summary of Changes | ||
TODO - add details of changes | ||
## Feedback from end-users | ||
|
||
## What's Next? | ||
SIG Security received some feedback from end-users: | ||
- The JSON CVE Feed [did not comply](https://github.com/kubernetes/website/issues/36808) | ||
with the [JSON Feed specification](https://www.jsonfeed.org/) as its name would suggest. | ||
- The feed could also [support RSS](https://github.com/kubernetes/sig-security/issues/77) | ||
in addition to JSON Feed format. | ||
- Some metadata could be [added](https://github.com/kubernetes/sig-security/issues/72) to indicate the freshness of | ||
the feed overall, or [specific CVEs](https://github.com/kubernetes/sig-security/issues/63). Another suggestion was | ||
to [indicate](https://github.com/kubernetes/sig-security/issues/71) which Prow job recently updated the feed. See | ||
more ideas directly on the [the umbrella issue](https://github.com/kubernetes/sig-security/issues/1). | ||
- The feed Markdown table on the website [should be ordered](https://github.com/kubernetes/sig-security/issues/73) | ||
from the most recent to the least recently announced CVE. | ||
|
||
In preparation for the graduation of this feature, SIG Security | ||
is still gathering feedback from end users who are using the updated beta feed. | ||
## Summary of changes | ||
|
||
In response, the SIG did a [rework of the script generating the JSON feed](https://github.com/kubernetes/sig-security/pull/76) | ||
to comply with the JSON Feed specification from generation and add a | ||
`last_updated` root field to indicate overall freshness. This redesign needed a | ||
[corresponding fix on the Kubernetes website side](https://github.com/kubernetes/website/pull/38579) | ||
for the CVE feed page to continue to work with the new format. | ||
|
||
After that, [RSS feed support](https://github.com/kubernetes/website/pull/39513) | ||
could be added transparently so that end-users can consume the feed in their | ||
preferred format. | ||
|
||
Overall, the redesign based on the JSON Feed specification, which this time broke | ||
backward compatibility, will allow updates in the future to address the rest of | ||
the issue while being more transparent and less disruptive to end-users. | ||
|
||
### Updates | ||
| **Title** | **Issue** | **Status** | | ||
| ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| CVE Feed: JSON feed should pass jsonfeed spec validator | [kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | | ||
| CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | | ||
| Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | closed, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)| | ||
| CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | | ||
| CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | | ||
| CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | closed, addressed by [kubernetes/sig-security#83](https://github.com/kubernetes/sig-security/pull/83) | | ||
|
||
## What's next? | ||
|
||
In preparation to [graduate](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-stages) the feed | ||
to stable i.e. `General Availability` stage, SIG Security is still gathering feedback from end users who are using the updated beta feed. | ||
|
||
To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to | ||
this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or | ||
let us know on | ||
[#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY) | ||
Kubernetes Slack channel. | ||
(Join [Kubernetes Slack here](https://slack.k8s.io)) | ||
let us know on [#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY) | ||
Kubernetes Slack channel, join [Kubernetes Slack here](https://slack.k8s.io). |
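Review bot: the new front matter leaves `date:` empty (the old `date: 2023-04-04` becomes a bare `date:`), so the post has no publication date; either keep a concrete date or mark it as a value to fill in before merge, otherwise the blog build will pick up a post with no date. In the Updates table the link text reads `kubernetes/webite#36808` (should be `kubernetes/website#36808`); the URL behind it is correct, only the label is misspelled. The same table now marks the sorting issue (kubernetes/sig-security#73) and the per-CVE timestamp issue (kubernetes/sig-security#63) as "closed, addressed by kubernetes/sig-security#76", whereas the previous version listed both as "open, no PR" and credited #76 only with the JSON Feed validator and lastUpdatedAt items, so it is worth confirming that #76 actually covers those two changes before publishing the statuses. In the "What's next?" paragraph, "to stable i.e. `General Availability` stage" would read better as "to the stable, i.e. General Availability, stage", and `General Availability` does not need code formatting given that this change drops the backticks around alpha and beta elsewhere in the post.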