diff --git a/config.toml b/config.toml
index a153bdf11b..470be9773b 100644
--- a/config.toml
+++ b/config.toml
@@ -169,6 +169,9 @@
 algolia_docsearch = false
 # Enable Lunr.js offline search
 offlineSearch = false
+# Official CVE feed bucket URL
+cveFeedBucket = "https://storage.googleapis.com/k8s-cve-feed/official-cve-feed.json"
+
 [params.pushAssets]
 css = [
 "callouts",
diff --git a/content/en/docs/reference/issues-security/issues.md b/content/en/docs/reference/issues-security/issues.md
index 5e4ebe85c0..3dbec5bdcc 100644
--- a/content/en/docs/reference/issues-security/issues.md
+++ b/content/en/docs/reference/issues-security/issues.md
@@ -8,6 +8,9 @@ To report a security issue, please follow the [Kubernetes security disclosure pr
 Work on Kubernetes code and public issues are tracked using [GitHub Issues](https://github.com/kubernetes/kubernetes/issues/).
-* [CVE-related issues](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE)
+* Official [list of known CVEs](/docs/reference/issues-security/official-cve-feed/)
+ (security vulnerabilities) that have been announced by the
+ [Security Response Committee](https://github.com/kubernetes/committee-security-response)
+* [CVE-related GitHub issues](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE)
-Security-related announcements are sent to the [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list.
+Security-related announcements are sent to the [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list.
\ No newline at end of file
diff --git a/content/en/docs/reference/issues-security/official-cve-feed.md b/content/en/docs/reference/issues-security/official-cve-feed.md
new file mode 100644
index 0000000000..6a48924e42
--- /dev/null
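Review bot: The comment on the added `cveFeedBucket` line names the value but not what consumes it, and the value is the URL of a single JSON object rather than of a bucket. Since `getJSON .Site.Params.cveFeedBucket` in `layouts/_default/cve-feed.json` fetches this URL at build time, an editor changing the line should know the site build now depends on that fetch. Suggest `# URL of the official CVE feed JSON object; fetched at build time by getJSON in layouts/_default/cve-feed.json`.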
+++ b/content/en/docs/reference/issues-security/official-cve-feed.md
@@ -0,0 +1,44 @@
+---
+title: Official CVE Feed
+weight: 25
+outputs:
+ - json
+ - html
+layout: cve-feed
+---
+
+{{< feature-state for_k8s_version="v1.25" state="alpha" >}}
+
+This is a community maintained list of official CVEs announced by
+the Kubernetes Security Response Committee. See
+[Kubernetes Security and Disclosure Information](/docs/reference/issues-security/security/)
+for more details.
+
+The Kubernetes project publishes a programmatically accessible
+[JSON Feed](/docs/reference/issues-security/official-cve-feed/index.json) of
+published security issues. You can access it by executing the following command:
+
+{{< comment >}}
+`replace` is used to bypass known issue with rendering ">"
+: https://github.com/gohugoio/hugo/issues/7229 in JSON layouts template
+`layouts/_default/cve-feed.json`
+{{< /comment >}}
+
+```shell
+curl -v https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json
+```
+
+{{< cve-feed >}}
+
+
+
+This feed is auto-refreshing with a noticeable but small lag (minutes to hours)
+from the time a CVE is announced to the time it is accessible in this feed.
+
+The source of truth of this feed is a set of GitHub Issues, filtered by a controlled and
+restricted label `official-cve-feed`. The raw data is stored in a Google Cloud
+Bucket which is writable only by a small number of trusted members of the
+Community.
\ No newline at end of file
diff --git a/data/i18n/en/en.toml b/data/i18n/en/en.toml
index 6c57982f9b..831401536c 100644
--- a/data/i18n/en/en.toml
+++ b/data/i18n/en/en.toml
@@ -27,6 +27,34 @@ other = "Twitter"
 [community_youtube_name]
 other = "YouTube"
+
+[cve_id]
+other = "CVE ID"
+
+[cve_issue_url]
+other = "CVE GitHub Issue URL"
+
+[cve_json_external_url]
+other = "external_url"
+
+[cve_json_id]
+other = "id"
+
+[cve_json_summary]
+other = "summary"
+
+[cve_json_url]
+other = "url"
+
+[cve_summary]
+other = "Issue Summary"
+
+[cve_table]
+other = "Official Kubernetes CVE List"
+
+[cve_url]
+other = "CVE URL"
+
 [deprecation_title]
 other = "You are viewing documentation for Kubernetes version:"
diff --git a/layouts/_default/cve-feed.json b/layouts/_default/cve-feed.json
new file mode 100644
index 0000000000..a185fde22f
--- /dev/null
+++ b/layouts/_default/cve-feed.json
@@ -0,0 +1,23 @@
+{
+ "version": "https://jsonfeed.org/version/1.1",
+ "title": "Auto-refreshing Official CVE Feed",
+ "home_page_url": "https://kubernetes.io",
+ "feed_url": "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json",
+ "description": "Auto-refreshing official CVE feed for Kubernetes repository",
+ "authors": [
+ {
+ "name": "Kubernetes Community",
+ "url": "https://www.kubernetes.dev"
+ }
+ ],
+ "items": [
+ {{ range $i, $e := getJSON .Site.Params.cveFeedBucket }}
+ {{ if $i }}, {{ end }}
+ {
+ {{ T "cve_json_id" | jsonify }}: {{ .cve_id | jsonify }},
+ {{ T "cve_json_url" | jsonify }}: {{ .issue_url | jsonify }},
+ {{ T "cve_json_external_url" | jsonify }}: {{ .cve_url | jsonify}},
+ {{ T "cve_json_summary" | jsonify }}: {{ replace (.summary | jsonify ) "\\u003e" ">" }}
+ }{{ end }}
+ ]
+}
diff --git a/layouts/shortcodes/cve-feed.html b/layouts/shortcodes/cve-feed.html
new file mode 100644
index 0000000000..1c04efab7e
--- /dev/null
+++ b/layouts/shortcodes/cve-feed.html
@@ -0,0 +1,19 @@
+
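Review bot: The four item-key lines in `layouts/_default/cve-feed.json` obtain JSON Feed field names through the translation table (`T "cve_json_id"` and siblings), so the feed's wire format depends on whichever i18n file is active; a localized value for any `cve_json_*` entry would silently change the schema for that language's build. Write the keys as literals, e.g. `"id": {{ .cve_id | jsonify }},`, and keep the `cve_*` translation entries for the human-readable table headings only. Separately, JSON Feed 1.1 requires each item to carry `content_html` or `content_text`; the item emits only `summary`, so consumers validating against the spec will reject it, and `"content_text"` carrying the same value as `summary` would satisfy that. If `getJSON` cannot fetch `.Site.Params.cveFeedBucket` at build time, the `range` presumably renders an empty `items` array rather than failing the build, which is worth confirming so that a transient fetch error does not publish an empty feed.
```json
{{/* … unchanged: feed header, authors, range and separator … */}}
    {
      "id": {{ .cve_id | jsonify }},
      "url": {{ .issue_url | jsonify }},
      "external_url": {{ .cve_url | jsonify }},
      "summary": {{ replace (.summary | jsonify) "\\u003e" ">" }},
      "content_text": {{ replace (.summary | jsonify) "\\u003e" ">" }}
    }{{ end }}
```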
{{ T "cve_id" }} | +{{ T "cve_summary"}} | +{{ T "cve_issue_url" }} | +
---|---|---|
{{ .cve_id | htmlEscape | safeHTML }} | +{{ .summary | htmlEscape | safeHTML }} | +#{{ .number }} | +