Collect Kubernetes advisories

[pombredanne]

There is a mostly unstructured JSON feed and web page at:

• web page at https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
• JSON "index" https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json
• assembled here https://github.com/kubernetes/website/tree/main/content/en/docs/reference/issues-security
• ... which mostly points to issues like in CVE-2019-1002100: json-patch requests can exhaust apiserver resources kubernetes/kubernetes#74534 , a CVE and links ...
• to a Google groups: https://groups.google.com/g/kubernetes-announce/c/ufYd_aq4Y20/m/V3LKIffxCAAJ

This is managed by https://github.com/kubernetes/committee-security-response/blob/main/README.md#product-security-committee-psc but is mostly unusable as-is and demands complex parsing or manual handling.

Of interest, advisories like this https://groups.google.com/g/kubernetes-announce/c/ufYd_aq4Y20/m/V3LKIffxCAAJ do not point to a package proper, but to a family of container images built with a specific tool version.

[pombredanne]

The RSS feed is mostly the same as the JSON data https://k8s.io/docs/reference/issues-security/official-cve-feed/feed.xml

@cji since you are helping with k8s security issues handling, would you know if there is a plan to provide a structured feed, rather that the current text feed?

@andrewpollock @di you may know too?

[andrewpollock]

I did a quick Google search and happened upon
https://github.com/kubernetes-sigs/cve-feed-osv (which makes me wonder why we haven't got OSV.dev importing it, but it is the first I knew of it) @oliverchang FYI

[pombredanne]

I did a quick Google search and happened upon
https://github.com/kubernetes-sigs/cve-feed-osv (which makes me wonder why we haven't got OSV.dev importing it, but it is the first I knew of it) @oliverchang FYI

@andrewpollock Thanks! This is awesome. BUT this is also out of date and at least two vulnerabilities behind CVE-2024-9486 and CVE-2024-9594 as of today:

• https://groups.google.com/g/kubernetes-announce/c/ufYd_aq4Y20/m/V3LKIffxCAAJ

[cji]

Hi folks!

@cji since you are helping with k8s security issues handling, would you know if there is a plan to provide a structured feed, rather that the current text feed?

Is the issue with the content or structure of the feed? Or both?

If it's the structure, I'm not aware of any plans for changes to the RSS feed. The CVE feed was developed and is owned by SIG Security (kubernetes/sig-security#1) cc @PushkarJ

If it's the content, the SRC does own what's published in the actual CVE announcement emails, github posts, and MITRE CVE data (e.g. CVE-2024-9594). If there are things that are missing or would be helpful to include from that perspective please let us know!