Fetch and Render CVE JSON feed

- Pull JSON blob from queried issues - Use layout output formats + templates to generate HTML table and JSON blob - Add localized strings and caption for CVE feed - Add a new page to describe details about CVE feed and how to use it - Update existing pages and link the official CVE feed from it Co-authored-by: Neha Lohia <[email protected]> Co-authored-by: Tim Bannister <[email protected]>

Author: 3 people

config.toml

@@ -169,6 +169,9 @@ algolia_docsearch = false
 # Enable Lunr.js offline search
 offlineSearch = false
 
+# Official CVE feed bucket URL
+cveFeedBucket = "https://storage.googleapis.com/k8s-cve-feed/official-cve-feed.json"
+
 [params.pushAssets]
 css = [
 "callouts",

content/en/docs/reference/issues-security/issues.md

@@ -8,6 +8,9 @@ To report a security issue, please follow the [Kubernetes security disclosure pr
 
 Work on Kubernetes code and public issues are tracked using [ Issues](https://.com/kubernetes/kubernetes/issues/).
 
-* [CVE-related issues](https://.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE)
+* Official [list of known CVEs](/docs/reference/issues-security/official-cve-feed/)
+(security vulnerabilities) that have been announced by the
+[Security Response Committee](https://.com/kubernetes/committee-security-response)
+* [CVE-related issues](https://.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE)
 
-Security-related announcements are sent to the [[email protected]](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list.
+Security-related announcements are sent to the [[email protected]](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list.

content/en/docs/reference/issues-security/official-cve-feed.md

@@ -0,0 +1,44 @@
+---
+title: Official CVE Feed
+weight: 25
+outputs:
+- json
+- html
+layout: cve-feed
+---
+
+{{< feature-state for_k8s_version="v1.25" state="alpha" >}}
+
+This is a community maintained list of official CVEs announced by
+the Kubernetes Security Response Committee. See
+[Kubernetes Security and Disclosure Information](/docs/reference/issues-security/security/)
+for more details.
+
+The Kubernetes project publishes a programmatically accessible
+[JSON Feed](/docs/reference/issues-security/official-cve-feed/index.json) of
+published security issues. You can access it by executing the following command:
+
+{{< comment >}}
+`replace` is used to bypass known issue with rendering ">"
+: https://.com/gohugoio/hugo/issues/7229 in JSON layouts template
+`layouts/_default/cve-feed.json`
+{{< /comment >}}
+
+```shell
+curl -v https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json
+```
+
+{{< cve-feed >}}
+
+<!-- | CVE ID | Issue Summary | CVE Issue URL |
+| ----------- | ----------- | --------- |
+| [CVE-2021-25741](https://www.cve.org/CVERecord?id=CVE-2021-25741) | Symlink Exchange Can Allow Host Filesystem Access | [#104980](https://.com/kubernetes/kubernetes/issues/104980) |
+| [CVE-2020-8565](https://www.cve.org/CVERecord?id=CVE-2020-8565) | Incomplete fix for CVE-2019-11250 allows for token in logs when logLevel >= 9 | [#95623](https://.com/kubernetes/kubernetes/issues/95623) | -->
+
+This feed is auto-refreshing with a noticeable but small lag (minutes to hours)
+from the time a CVE is announced to the time it is accessible in this feed.
+
+The source of truth of this feed is a set of Issues, filtered by a controlled and
+restricted label `official-cve-feed`. The raw data is stored in a Google Cloud
+Bucket which is writable only by a small number of trusted members of the
+Community.

data/i18n/en/en.toml

@@ -27,6 +27,34 @@ other = "Twitter"
 [community_youtube_name]
 other = "YouTube"
 
+
+[cve_id]
+other = "CVE ID"
+
+[cve_issue_url]
+other = "CVE Issue URL"
+
+[cve_json_external_url]
+other = "external_url"
+
+[cve_json_id]
+other = "id"
+
+[cve_json_summary]
+other = "summary"
+
+[cve_json_url]
+other = "url"
+
+[cve_summary]
+other = "Issue Summary"
+
+[cve_table]
+other = "Official Kubernetes CVE List"
+
+[cve_url]
+other = "CVE URL"
+
 [deprecation_title]
 other = "You are viewing documentation for Kubernetes version:"
 

layouts/_default/cve-feed.json

@@ -0,0 +1,23 @@
+{
+"version": "https://jsonfeed.org/version/1.1",
+"title": "Auto-refreshing Official CVE Feed",
+"home_page_url": "https://kubernetes.io",
+"feed_url": "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json",
+"description": "Auto-refreshing official CVE feed for Kubernetes repository",
+"authors": [
+{
+"name": "Kubernetes Community",
+"url": "https://www.kubernetes.dev"
+}
+],
+"items": [
+{{ range $i, $e := getJSON .Site.Params.cveFeedBucket }}
+{{ if $i }}, {{ end }}
+{
+{{ T "cve_json_id" | jsonify }}: {{ .cve_id | jsonify }},
+{{ T "cve_json_url" | jsonify }}: {{ .issue_url | jsonify }},
+{{ T "cve_json_external_url" | jsonify }}: {{ .cve_url | jsonify}},
+{{ T "cve_json_summary" | jsonify }}: {{ replace (.summary | jsonify ) "\\u003e" ">" }}
+}{{ end }}
+]
+}

layouts/shortcodes/cve-feed.html

@@ -0,0 +1,19 @@
+<table class="security-cves">
+<caption>{{ T "cve_table" }}</caption>
+<thead>
+<tr>
+<th>{{ T "cve_id" }}</th>
+<th>{{ T "cve_summary"}}</th>
+<th>{{ T "cve_issue_url" }}</th>
+</tr>
+</thead>
+<tbody>
+{{ range $issues := getJSON .Site.Params.cveFeedBucket }}
+<tr>
+<td><a href="{{ .cve_url }}">{{ .cve_id | htmlEscape | safeHTML }}</a></td>
+<td>{{ .summary | htmlEscape | safeHTML }}</td>
+<td><a href="{{ .issue_url }}">#{{ .number }}</a></td>
+</tr>
+{{ end }}
+</tbody>
+</table>