-
Notifications
You must be signed in to change notification settings - Fork 200
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Collect Kubernetes advisories #1661
Comments
The RSS feed is mostly the same as the JSON data https://k8s.io/docs/reference/issues-security/official-cve-feed/feed.xml @cji since you are helping with k8s security issues handling, would you know if there is a plan to provide a structured feed, rather that the current text feed? @andrewpollock @di you may know too? |
I did a quick Google search and happened upon |
@andrewpollock Thanks! This is awesome. BUT this is also out of date and at least two vulnerabilities behind CVE-2024-9486 and CVE-2024-9594 as of today: |
Hi folks!
Is the issue with the content or structure of the feed? Or both? If it's the structure, I'm not aware of any plans for changes to the RSS feed. The CVE feed was developed and is owned by SIG Security (kubernetes/sig-security#1) cc @PushkarJ If it's the content, the SRC does own what's published in the actual CVE announcement emails, github posts, and MITRE CVE data (e.g. CVE-2024-9594). If there are things that are missing or would be helpful to include from that perspective please let us know! |
There is a mostly unstructured JSON feed and web page at:
This is managed by https://github.com/kubernetes/committee-security-response/blob/main/README.md#product-security-committee-psc but is mostly unusable as-is and demands complex parsing or manual handling.
Of interest, advisories like this https://groups.google.com/g/kubernetes-announce/c/ufYd_aq4Y20/m/V3LKIffxCAAJ do not point to a package proper, but to a family of container images built with a specific tool version.
The text was updated successfully, but these errors were encountered: