diff --git a/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md new file mode 100644 index 0000000000..846369d082 --- /dev/null +++ b/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md 
@@ -0,0 +1,64 @@ +--- +layout: blog +title: Updates to the Auto-refreshing Official CVE Feed +date: 2023-04-25 +slug: k8s-cve-feed-beta +--- + +**Authors**: Cailyn Edwards (Shopify), Mahé Tardy (Isovalent), Pushkar Joglekar + +Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an alpha +feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the +beta version of the feed. This blog post will outline the feedback received, the changes made, and talk about how you can help +as we prepare to make this a stable feature in a future Kubernetes Release. + + +## Feedback from end-users + +SIG Security received some feedback from end-users: +- The JSON CVE Feed [did not comply](https://github.com/kubernetes/website/issues/36808) + with the [JSON Feed specification](https://www.jsonfeed.org/) as its name would suggest. +- The feed could also [support RSS](https://github.com/kubernetes/sig-security/issues/77) + in addition to JSON Feed format. +- Some metadata could be [added](https://github.com/kubernetes/sig-security/issues/72) to indicate the freshness of + the feed overall, or [specific CVEs](https://github.com/kubernetes/sig-security/issues/63). Another suggestion was + to [indicate](https://github.com/kubernetes/sig-security/issues/71) which Prow job recently updated the feed. See + more ideas directly on the [the umbrella issue](https://github.com/kubernetes/sig-security/issues/1). +- The feed Markdown table on the website [should be ordered](https://github.com/kubernetes/sig-security/issues/73) + from the most recent to the least recently announced CVE. + +## Summary of changes + +In response, the SIG did a [rework of the script generating the JSON feed](https://github.com/kubernetes/sig-security/pull/76) +to comply with the JSON Feed specification from generation and add a +`last_updated` root field to indicate overall freshness. 
This redesign needed a +[corresponding fix on the Kubernetes website side](https://github.com/kubernetes/website/pull/38579) +for the CVE feed page to continue to work with the new format. + +After that, [RSS feed support](https://github.com/kubernetes/website/pull/39513) +could be added transparently so that end-users can consume the feed in their +preferred format. + +Overall, the redesign based on the JSON Feed specification, which this time broke +backward compatibility, will allow updates in the future to address the rest of +the issue while being more transparent and less disruptive to end-users. + +### Updates +| **Title** | **Issue** | **Status** | +| ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CVE Feed: JSON feed should pass jsonfeed spec validator | [kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | +| CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | +| Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | closed, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)| +| CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | closed, addressed by 
[kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | +| CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | +| CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | closed, addressed by [kubernetes/sig-security#83](https://github.com/kubernetes/sig-security/pull/83) | + +## What's next? + +In preparation to [graduate](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-stages) the feed +to stable i.e. `General Availability` stage, SIG Security is still gathering feedback from end users who are using the updated beta feed. + +To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to +this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or +let us know on [#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY) +Kubernetes Slack channel, join [Kubernetes Slack here](https://slack.k8s.io). \ No newline at end of file
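Review bot: The first row of the `### Updates` table misspells the repository in its link text, `[kubernetes/webite#36808]`, while the URL and every other row use `website`; please change it to `[kubernetes/website#36808](https://github.com/kubernetes/website/issues/36808)` so the rendered table reads consistently. Two smaller points in the same file: the final line (`Kubernetes Slack channel, join [Kubernetes Slack here](https://slack.k8s.io).`) has no trailing newline, which the `\ No newline at end of file` marker shows and which will trip linters that expect POSIX-style text files, and the sentence "will allow updates in the future to address the rest of the issue" in the "Summary of changes" section should probably read "the rest of the issues", since it refers to the multiple items listed in the umbrella issue and the table below it.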