CVE feed doesn't include some vulnerabilities for in-project code #45576
Comments
|
This issue is currently awaiting triage. SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-triage
|
This is about https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ and the feeds it links to. /sig security |
k8s-ci-robot
added
the
sig/security
|
The CVE feed lists vulnerabilities in Kubernetes' core. I don't think we make that as clear as we could. |
|
/retitle CVE feed doesn't include some vulnerabilities for in-project code |
k8s-ci-robot
changed the title
|
@sftim can you clarify here if there is anything actionable on this issue now? or is work dependent on the outcome of the k/k issue you created? |
|
The people working on the KEP could take steps to ensure the upstream feed includes more data; you can't fix this purely by committing to k/website. However, there's more than one route forward here. |
|
Thanks for the tag @sftim /priority important-long-term |
|
@PushkarJ: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Including CVEs outside of k8s core is not in scope at the moment for GA. If this is useful for the community, I would welcome folks to chat with the group who maintains the CVE feed on #sig-security-tooling (Invite yourself from here: https://slack.k8s.io/) and share their intent to contribute to make this happen. /priority important-longterm |
k8s-ci-robot
added
the
priority/important-longterm
|
In the meantime, we could clarify in the web page about what's in scope. |
|
@sftim Would it make sense to clarify it as a k/website PR or as part of KEP or both? |
|
Ideally both |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
We've migrated the ingress-nginx CVE issues to kubernetes/kubernetes, and these CVEs now show up in the feed. https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ I think this can be closed. |
|
OK, sounds good. /close |
|
@sftim: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Hi,
I don't see CVE-2023-5043 or CVE-2023-5044 on the list of CVEs.
The text was updated successfully, but these errors were encountered: