| 1 | +# Official CVE Feed |
| 2 | + |
| 3 | +The official CVE feed is separated into two main components: |
| 4 | +1. the scripts, updating a cloud bucket containing the feed; |
| 5 | +2. the website rendering and serving the feed to various formats. |
| 6 | + |
| 7 | +## Scripts |
| 8 | + |
| 9 | +A script in the [kubernetes/sig-security](https://github.com/kubernetes/sig-security) |
| 10 | +repository under the [sig-security-tooling/cve-feed/hack](https://github.com/kubernetes/sig-security/tree/main/sig-security-tooling/cve-feed/hack) |
| 11 | +folder. This script is |
| 12 | +a bash script named `fetch-cve-feed.sh` that: |
| 13 | +- setups the python3 environment; |
| 14 | +- generates the CVE feed file with `fetch-official-cve-feed.py`; |
| 15 | +- compares the sha256 of the newly generated file with the existing one; |
| 16 | +- if the sha256 changed, uploads the newly generated CVE feed file to the bucket. |
| 17 | + |
| 18 | +The `fetch-official-cve-feed.py` file executed by the `fetch-cve-feed.sh` is a |
| 19 | +python3 script that: |
| 20 | +- queries the GitHub API to fetch all the issues with the `official-cve-feed` |
| 21 | + label in the [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes/issues?q=is%3Aissue%20label%3Aofficial-cve-feed%20) |
| 22 | + repository; |
| 23 | +- formats the result with the appropriate JSON schema to be JSON feed |
| 24 | + compliant; |
| 25 | +- prints the output to stdout. |
| 26 | + |
| 27 | +These scripts are run regularly as a CronJob on the k8s infrastructure. |
| 28 | + |
| 29 | +In short, these scripts take the GitHub [kubernetes/kubernetes issues |
| 30 | +labeled with `official-cve-feed`](https://github.com/kubernetes/kubernetes/issues?q=is%3Aissue%20label%3Aofficial-cve-feed%20) |
| 31 | +as the input and generate a JSON feed file as an output in a cloud bucket. The |
| 32 | +output can be publicly fetched at [gs://k8s-cve-feed/](https://console.cloud.google.com/storage/browser/k8s-cve-feed) or [storage.googleapis.com/k8s-cve-feed](https://storage.googleapis.com/k8s-cve-feed/). |
| 33 | + |
| 34 | +## Website |
| 35 | + |
| 36 | +The main output of the official CVE feed is the HTML website page available on |
| 37 | +[k8s.io/docs/reference/issues-security/official-cve-feed](https://kubernetes.io/docs/reference/issues-security/official-cve-feed/) |
| 38 | +where you can also find links to the JSON and RSS feed formats. |
| 39 | + |
| 40 | +The corresponding HTML page is generated from the [official-cve-feed.md](https://github.com/kubernetes/website/blob/main/content/en/docs/reference/issues-security/official-cve-feed.md?plain=1) |
| 41 | +file from the [kubernetes/website](https://github.com/kubernetes/website) |
| 42 | +repository. It mainly calls the `cve-feed` shortcode that is defined in |
| 43 | +[website/layouts/shortcodes/cve-feed.html](https://github.com/kubernetes/website/blob/main/layouts/shortcodes/cve-feed.html) |
| 44 | +which consumes the JSON format by fetching the URL from the |
| 45 | +[`.Site.Params.cveFeedBucket`](https://github.com/kubernetes/website/blob/75f19fc9675d07fdbc724d02953d905ef7ca8619/hugo.toml#L168) |
| 46 | +and translating it to an HTML table. |
| 47 | + |
| 48 | +This page is thus updated every time the website is built. |
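Review bot: the document never states who is allowed to apply the `official-cve-feed` label in kubernetes/kubernetes, even though the label is the sole input of the feed (lines 20-22 and 29-31); add one sentence on that trust boundary, since anyone who can label an issue can change what the feed publishes. Two smaller points in the same hunk: line 13 should read "sets up the python3 environment", and line 15 should say which "existing one" the sha256 is compared against (presumably the copy already in the bucket, given line 16), so a reader can tell where the change detection happens. Lines 11-12 are also a sentence fragment ("A script in the ... folder. This script is ..."); consider merging them into "The feed is generated by a script in the ... folder, a bash script named `fetch-cve-feed.sh` that:".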