Keep OSV feed data current and updated #9

Open
pombredanne opened this issue Nov 17, 2024 · 4 comments

Comments

@pombredanne

It would be great to keep this CVE feed current and updated.

I discovered its existence in this discussion:

@andrewpollock (who contributes to OSV) wrote in aboutcode-org/vulnerablecode#1661 (comment)

I did a quick Google search and happened upon https://github.com/kubernetes-sigs/cve-feed-osv (which makes me wonder why we haven't got OSV.dev importing it, but it is the first I knew of it) @oliverchang FYI

But the repo is not in sync with the latest security feed.

For instance, as of today:

Questions:

  • What is the process and which tools do you use to keep this current?
  • How can we help?
@pombredanne
Author

@knqyf263 gentle ping, since you were the last to commit, and @chen-keinan since you wrote the code.

I think there is a permission issue in https://github.com/kubernetes-sigs/cve-feed-osv/actions/runs/11403286917/job/31730038462
and that the code in https://github.com/kubernetes-sigs/cve-feed-osv/tree/main/collector is not running anymore because of some auth issue.

Is this code actually parsing the plain text, unstructured JSON feeds, and merging that with an NVD CVE record? It feels a bit brittle.

What if the security team were to create a structured in the first place?

There is a process at https://github.com/kubernetes/committee-security-response/blob/main/cna-handbook.md#populate-cve-details-after-public-disclosure that also creates a CVE JSON, and ensuring that they also provide proper version ranges and packages (or even better PURLs) would be awesome.

@chen-keinan
Contributor

chen-keinan commented Nov 18, 2024

@pombredanne thanks for catching this. I see that the update job is failing due to the workflow bot's permissions; I'll have a look.

@chen-keinan
Contributor

@pombredanne after taking a look, I see that the GitHub Action can't create PRs (new CVEs for review) due to org permissions.

@oliverchang

Thanks @chen-keinan !

Should we expect the feed to get updated soon? There doesn't seem to have been any automatic updates since #10

Regarding the feed itself, there's some other small changes required before we can start ingesting this into OSV, which @andrewpollock pointed out in google/osv.dev#281 (comment).

Repeating them here:

  1. Either adding kubernetes as an ecosystem to https://github.com/ossf/osv-schema/blob/main/docs/schema.md#defined-ecosystems, or using an existing ecosystem. Would the existing "Go" ecosystem work here to refer to Go modules, or would a separate kubernetes ecosystem still be necessary?

  2. Prepending the CVE IDs with a unique prefix (e.g. "KUBE-CVE-") to distinguish the Kubernetes published CVEs.

Who would be the right point of contact for these changes?
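The two record changes listed above, together with a staleness check for the "no automatic updates" symptom raised earlier in the thread, as an added example that is not code from the cve-feed-osv repository or from any commenter. The sample record is constructed, and the `KUBE-CVE-` prefix and the `Go` ecosystem default are assumptions taken from the suggestions above; only the field names (`id`, `aliases`, `modified`, `affected[].package.ecosystem`) come from the OSV schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample record in OSV schema shape (not an entry from the real feed).
SAMPLE_RECORD = {
    "id": "CVE-2024-0001",
    "modified": "2024-10-01T00:00:00Z",
    "published": "2024-10-01T00:00:00Z",
    "summary": "constructed example entry",
    "affected": [
        {
            "package": {"name": "k8s.io/kubernetes"},
            "ranges": [{"type": "SEMVER",
                        "events": [{"introduced": "0"}, {"fixed": "1.31.1"}]}],
        }
    ],
}


def to_osv_ingestible(record, prefix="KUBE-CVE-", ecosystem="Go"):
    """Hypothetical helper: copy `record`, give it a feed-unique prefixed id
    (keeping the original CVE id as an alias) and make sure every affected
    package names an ecosystem. Prefix and ecosystem values are assumptions."""
    out = json.loads(json.dumps(record))  # deep copy; caller's record is untouched
    cve = out["id"]
    if not cve.startswith("CVE-"):
        raise ValueError(f"unexpected id format: {cve}")
    out["id"] = prefix + cve[len("CVE-"):]
    aliases = out.setdefault("aliases", [])
    if cve not in aliases:
        aliases.append(cve)
    for entry in out.get("affected", []):
        pkg = entry.setdefault("package", {})
        pkg.setdefault("ecosystem", ecosystem)  # keep an explicit value if present
    return out


def _parse_ts(ts):
    # OSV timestamps are RFC 3339 in UTC; fromisoformat needs "+00:00" rather than "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_since(records, now_iso, max_age_days=30):
    """Monitoring check: return the age in days of the newest `modified`
    timestamp if it exceeds `max_age_days`, otherwise None (feed is current)."""
    newest = max(_parse_ts(r["modified"]) for r in records)
    age = _parse_ts(now_iso) - newest
    return age.days if age > timedelta(days=max_age_days) else None
```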
