Authors: Cailyn Edwards (Shopify), Mahé Tardy (Isovalent), Pushkar Joglekar
Since launching the Auto-refreshing Official CVE feed as an alpha
feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the
beta version of the feed. This blog post will outline the feedback received, the changes made, and talk about how you can help
as we prepare to make this a stable feature in a future Kubernetes Release.
Feedback from end-users
SIG Security received some feedback from end-users:
The JSON CVE Feed did not comply
with the JSON Feed specification as its name would suggest.
The feed could also support RSS
in addition to JSON Feed format.
Some metadata could be added to indicate the freshness of
the feed overall, or specific CVEs. Another suggestion was
to indicate which Prow job recently updated the feed. See
more ideas directly on the the umbrella issue.
The feed Markdown table on the website should be ordered
from the most recent to the least recently announced CVE.
Summary of changes
In response, the SIG did a rework of the script generating the JSON feed
to comply with the JSON Feed specification from generation and add a
last_updated root field to indicate overall freshness. This redesign needed a
corresponding fix on the Kubernetes website side
for the CVE feed page to continue to work with the new format.
After that, RSS feed support
could be added transparently so that end-users can consume the feed in their
preferred format.
Overall, the redesign based on the JSON Feed specification, which this time broke
backward compatibility, will allow updates in the future to address the rest of
the issue while being more transparent and less disruptive to end-users.
Updates
Title
Issue
Status
CVE Feed: JSON feed should pass jsonfeed spec validator
kubernetes/webite#36808
closed, addressed by kubernetes/sig-security#76
CVE Feed: Add lastUpdatedAt as a metadata field
kubernetes/sig-security#72
closed, addressed by kubernetes/sig-security#76
Support RSS feeds by generating data in Atom format
kubernetes/sig-security#77
closed, addressed by kubernetes/website#39513
CVE Feed: Sort Markdown Table from most recent to least recently announced CVE
kubernetes/sig-security#73
closed, addressed by kubernetes/sig-security#76
CVE Feed: Include a timestamp field for each CVE indicating when it was last updated
kubernetes/sig-security#63
closed, addressed by kubernetes/sig-security#76
CVE Feed: Add Prow job link as a metadata field
kubernetes/sig-security#71
closed, addressed by kubernetes/sig-security#83
What’s next?
In preparation to graduate the feed
to stable i.e. General Availability stage, SIG Security is still gathering feedback from end users who are using the updated beta feed.
To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to
this tracking issue or
let us know on #sig-security-tooling
Kubernetes Slack channel, join Kubernetes Slack here.