Keep OSV feed data current and updated #9
Comments
@knqyf263 gentle ping, since you were the last to commit, and @chen-keinan since you wrote the code. I think there is a permission issue in https://github.com/kubernetes-sigs/cve-feed-osv/actions/runs/11403286917/job/31730038462. Is this code actually parsing the plain text, unstructured JSON feeds, and merging that with an NVD CVE record? It feels a bit brittle. What if the security team were to create a structured in the first place? There is a process at https://github.com/kubernetes/committee-security-response/blob/main/cna-handbook.md#populate-cve-details-after-public-disclosure that also creates a CVE JSON, and ensuring that they also provide proper version ranges and packages (or even better PURLs) would be awesome.
@pombredanne thanks for catching it up. I see that the update job is failing due to workflow bot permission; I'll have a look.
@pombredanne after taking a look I see that the GitHub Action can't create PRs (new CVE for review) due to org permission.
Thanks @chen-keinan! Should we expect the feed to get updated soon? There don't seem to have been any automatic updates since #10. Regarding the feed itself, there are some other small changes required before we can start ingesting this into OSV, which @andrewpollock pointed out in google/osv.dev#281 (comment). Repeating them here:
Who would be the right point of contact for these changes?
It would be great to keep this CVE feed current and updated.
I discovered its existence in this discussion:
@andrewpollock (who contributes to OSV) wrote in aboutcode-org/vulnerablecode#1661 (comment)
But the repo is not in sync with the latest security feed.
For instance, as of today:
Questions: