Updates to the Auto-refreshing Official CVE Feed
Authors: Cailyn Edwards (Shopify), Mahé Tardy (Isovalent), Pushkar Joglekar
Since launching the Auto-refreshing Official CVE feed as an alpha feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the beta version of the feed. This blog post will outline the feedback received, the changes made, and talk about how you can help as we prepare to make this a stable feature in a future Kubernetes Release.
Feedback from end-users
SIG Security received some feedback from end-users:
- The JSON CVE Feed did not comply with the JSON Feed specification as its name would suggest.
- The feed could also support RSS in addition to JSON Feed format.
- Some metadata could be added to indicate the freshness of the feed overall, or specific CVEs. Another suggestion was to indicate which Prow job recently updated the feed. See more ideas directly on the the umbrella issue.
- The feed Markdown table on the website should be ordered from the most recent to the least recently announced CVE.
Summary of changes
In response, the SIG did a rework of the script generating the JSON feed
to comply with the JSON Feed specification from generation and add a
last_updated root field to indicate overall freshness. This redesign needed a
corresponding fix on the Kubernetes website side
for the CVE feed page to continue to work with the new format.
After that, RSS feed support could be added transparently so that end-users can consume the feed in their preferred format.
Overall, the redesign based on the JSON Feed specification, which this time broke backward compatibility, will allow updates in the future to address the rest of the issue while being more transparent and less disruptive to end-users.
Updates
| Title | Issue | Status |
|---|---|---|
| CVE Feed: JSON feed should pass jsonfeed spec validator | kubernetes/webite#36808 | closed, addressed by kubernetes/sig-security#76 |
| CVE Feed: Add lastUpdatedAt as a metadata field | kubernetes/sig-security#72 | closed, addressed by kubernetes/sig-security#76 |
| Support RSS feeds by generating data in Atom format | kubernetes/sig-security#77 | closed, addressed by kubernetes/website#39513 |
| CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | kubernetes/sig-security#73 | closed, addressed by kubernetes/sig-security#76 |
| CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | kubernetes/sig-security#63 | closed, addressed by kubernetes/sig-security#76 |
| CVE Feed: Add Prow job link as a metadata field | kubernetes/sig-security#71 | closed, addressed by kubernetes/sig-security#83 |
What's next?
In preparation to graduate the feed
to stable i.e. General Availability stage, SIG Security is still gathering feedback from end users who are using the updated beta feed.
To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to this tracking issue or let us know on #sig-security-tooling Kubernetes Slack channel, join Kubernetes Slack here.