From c1512c77ad6d428e6fd7c9df205f9c98310124a4 Mon Sep 17 00:00:00 2001 From: cailynse Date: Thu, 23 Feb 2023 19:58:29 -0500 Subject: [PATCH 1/4] Add Blog Post for KEP-3202-beta release --- .../index.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md diff --git a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md new file mode 100644 index 0000000000..dbc48fab39 --- /dev/null +++ b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md 
@@ -0,0 +1,39 @@ +--- +layout: blog +title: Updates to the Auto-refreshing Official CVE Feed +date: 2023-04-04 +slug: k8s-cve-feed-beta +--- + +**Author**: Cailyn Edwards (Shopify) + +Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an `alpha` +feature in the 1.25 release we have made signficant improvments and updates. We are excited to announce the release of the +`beta` version of the feed. This blog post will outline the changes made, and talk about what is planned for the to expect for +the `stable` release. + +## Updates +| **\#** | **Title** | **Issue** | **Status** | +| ------ | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| 1 | Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | open, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)| +| 2 | CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | open, no PR open | +| 3 | CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | open, no PR open | +| 4 | CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | open, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | +| 5 | CVE Feed: JSON feed should pass jsonfeed spec validator | 
[kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | open, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | +| 6 | CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | open, no PR | +| 7 | CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | open, no PR | + +## Summary of Changes +TODO - add details of changes + +## What's Next? + +In preparation to graduate this feature, SIG Security +is still gathering feedback from end users who are using the updated beta feed. + +To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to +this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or +let us know on +[#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY) +Kubernetes Slack channel. +(Join [Kubernetes Slack here](https://slack.k8s.io)) \ No newline at end of file From d7f8476c292fa84653ef7c9fd569e196ab6866e9 Mon Sep 17 00:00:00 2001 From: Cailyn Date: Tue, 4 Apr 2023 19:45:15 -0400 Subject: [PATCH 2/4] Update content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md Co-authored-by: Nate W. --- .../index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md index dbc48fab39..8e0dd06b3c 100644 --- a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md +++ b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md 
@@ -8,7 +8,7 @@ slug: k8s-cve-feed-beta **Author**: Cailyn Edwards (Shopify) Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an `alpha` -feature in the 1.25 release we have made signficant improvments and updates. We are excited to announce the release of the +feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the `beta` version of the feed. This blog post will outline the changes made, and talk about what is planned for the to expect for the `stable` release. From 5843e849046fa57f9f23a2aa0420260afd794a8d Mon Sep 17 00:00:00 2001 From: Cailyn Date: Tue, 4 Apr 2023 19:45:23 -0400 Subject: [PATCH 3/4] Update content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md Co-authored-by: Nate W. --- .../index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md index 8e0dd06b3c..9cfa0d4b9c 100644 --- a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md +++ b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md @@ -28,7 +28,7 @@ TODO - add details of changes ## What's Next? -In preparation to graduate this feature, SIG Security +In preparation for the graduation of this feature, SIG Security is still gathering feedback from end users who are using the updated beta feed. To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to From 9411b28ffbed23e6b94d69806855301fe0b95a1f Mon Sep 17 00:00:00 2001 
From: Cailyn Date: Tue, 4 Apr 2023 19:45:38 -0400 Subject: [PATCH 4/4] Update content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md Co-authored-by: Nate W. --- .../index.md | 39 ----------- .../index.md | 64 +++++++++++++++++++ 2 files changed, 64 insertions(+), 39 deletions(-) delete mode 100644 content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md create mode 100644 content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md diff --git a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md deleted file mode 100644 index 9cfa0d4b9c..0000000000 --- a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -layout: blog -title: Updates to the Auto-refreshing Official CVE Feed -date: 2023-04-04 -slug: k8s-cve-feed-beta ---- - -**Author**: Cailyn Edwards (Shopify) - -Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an `alpha` -feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the -`beta` version of the feed. This blog post will outline the changes made, and talk about what is planned for the to expect for -the `stable` release. - -## Updates -| **\#** | **Title** | **Issue** | **Status** | -| ------ | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 1 | Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | open, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)| -| 2 | CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | open, no PR open | -| 3 | CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | open, no PR open | -| 4 | CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | open, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | -| 5 | CVE Feed: JSON feed should pass jsonfeed spec validator | 
[kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | open, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | -| 6 | CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | open, no PR | -| 7 | CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | open, no PR | - -## Summary of Changes -TODO - add details of changes - -## What's Next? - -In preparation for the graduation of this feature, SIG Security -is still gathering feedback from end users who are using the updated beta feed. - -To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to -this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or -let us know on -[#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY) -Kubernetes Slack channel. -(Join [Kubernetes Slack here](https://slack.k8s.io)) \ No newline at end of file diff --git a/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md new file mode 100644 index 0000000000..846369d082 --- /dev/null +++ b/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md 
@@ -0,0 +1,64 @@ +--- +layout: blog +title: Updates to the Auto-refreshing Official CVE Feed +date: 2023-04-25 +slug: k8s-cve-feed-beta +--- + +**Authors**: Cailyn Edwards (Shopify), Mahé Tardy (Isovalent), Pushkar Joglekar + +Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an alpha +feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the +beta version of the feed. This blog post will outline the feedback received, the changes made, and talk about how you can help +as we prepare to make this a stable feature in a future Kubernetes Release. + + +## Feedback from end-users + +SIG Security received some feedback from end-users: +- The JSON CVE Feed [did not comply](https://github.com/kubernetes/website/issues/36808) + with the [JSON Feed specification](https://www.jsonfeed.org/) as its name would suggest. +- The feed could also [support RSS](https://github.com/kubernetes/sig-security/issues/77) + in addition to JSON Feed format. +- Some metadata could be [added](https://github.com/kubernetes/sig-security/issues/72) to indicate the freshness of + the feed overall, or [specific CVEs](https://github.com/kubernetes/sig-security/issues/63). Another suggestion was + to [indicate](https://github.com/kubernetes/sig-security/issues/71) which Prow job recently updated the feed. See + more ideas directly on the [the umbrella issue](https://github.com/kubernetes/sig-security/issues/1). +- The feed Markdown table on the website [should be ordered](https://github.com/kubernetes/sig-security/issues/73) + from the most recent to the least recently announced CVE. + +## Summary of changes + +In response, the SIG did a [rework of the script generating the JSON feed](https://github.com/kubernetes/sig-security/pull/76) +to comply with the JSON Feed specification from generation and add a +`last_updated` root field to indicate overall freshness. 
This redesign needed a +[corresponding fix on the Kubernetes website side](https://github.com/kubernetes/website/pull/38579) +for the CVE feed page to continue to work with the new format. + +After that, [RSS feed support](https://github.com/kubernetes/website/pull/39513) +could be added transparently so that end-users can consume the feed in their +preferred format. + +Overall, the redesign based on the JSON Feed specification, which this time broke +backward compatibility, will allow updates in the future to address the rest of +the issue while being more transparent and less disruptive to end-users. + +### Updates +| **Title** | **Issue** | **Status** | +| ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CVE Feed: JSON feed should pass jsonfeed spec validator | [kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | +| CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | +| Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | closed, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)| +| CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | closed, addressed by 
[kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | +| CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) | +| CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | closed, addressed by [kubernetes/sig-security#83](https://github.com/kubernetes/sig-security/pull/83) | + +## What's next? + +In preparation to [graduate](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-stages) the feed +to stable i.e. `General Availability` stage, SIG Security is still gathering feedback from end users who are using the updated beta feed. + +To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to +this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or +let us know on [#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY) +Kubernetes Slack channel, join [Kubernetes Slack here](https://slack.k8s.io). \ No newline at end of file
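Review bot: in the [PATCH 1/4] hunk the `## Updates` table lists the same issue twice: rows 2 and 7 both read `CVE Feed: Sort Markdown Table from most recent to least recently announced CVE` and both point at kubernetes/sig-security#73, with two different status wordings (`open, no PR open` and `open, no PR`); drop one row and use a single status wording across the table. The same hunk also ships `## Summary of Changes` with a `TODO - add details of changes` placeholder, a garbled sentence (`talk about what is planned for the to expect for the `stable` release`), a `kubernetes/webite#36808` typo in the row 5 link text, and no trailing newline; the TODO at least should not reach the published post.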
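Review bot: the [PATCH 2/4] hunk fixes `signficant improvments` but leaves the next sentence of the same paragraph garbled in the unchanged context line: `talk about what is planned for the to expect for the `stable` release`. Since the paragraph is already being touched, fold the fix into this commit, e.g. `and talk about what to expect for the `stable` release.`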
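Review bot: the first [PATCH 4/4] hunk deletes `content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md` and the second recreates the post under `2023-04-25-...` with `date: 2023-04-25`, yet the subject line still says `Update content/en/blog/_posts/2023-04-04-.../index.md`; the commit message should state the date move. Because the change is a delete plus create rather than a rename, per-line history of the post is lost; a `git mv` followed by the content edits would keep it and make the actual diff reviewable.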
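Review bot: in the second [PATCH 4/4] hunk, `## Summary of changes` says the regenerated feed now complies with the JSON Feed specification and adds a `last_updated` root field; the JSON Feed spec defines no `last_updated` top-level field and requires publisher extensions to use a name starting with an underscore, so either name the field exactly as kubernetes/sig-security#76 emits it or say that it is an extension field. Smaller points in the same hunk: the link text `kubernetes/webite#36808` (typo for website) carried over from the first version; `address the rest of the issue` should be `issues`, given the six rows in the `### Updates` table; `to stable i.e. `General Availability` stage` reads better as `to the stable (General Availability) stage`; `in future Kubernetes Releases please share` needs a comma after `Releases`; and the file still ends without a trailing newline.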