Use Data templates to pull CVE feed

PushkarJ · PushkarJ · commit c8d8ba1aabd3 · 2022-07-21T12:21:04.000-07:00
- Pull JSON blob from queried issues
- Use shortcode to generate HTML table
- Make JSON blob accessible as static file

- Added static file generator for cve feed
- Update makefile to use the static file generator

Co-authored-by: Neha Lohia &lt;nehapithadiya444@gmail.com&gt;

- Update Netlify command
diff --git a/.gitignore b/.gitignore
@@ -38,3 +38,8 @@ node_modules/
 # Generated files when building with make container-build
 .config/
 .npm/
+
+#Generated CVE feed -- In case of issues fetching content
+# from bucket please uncomment below line and generate
+# official cve feed json blob with scripts/security/gen-cve-feed.sh
+static/security/
diff --git a/Makefile b/Makefile
@@ -19,6 +19,9 @@ CCEND=\033[0m
 help: ## Show this help.
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
 
+gen-cve-feed: ## Generates content from GCS bucket with official cve data.
+	scripts/security/gen-cve-feed.sh
+
 module-check: ## Check if all of the required submodules are correctly initialized.
 	@git submodule status --recursive | awk '/^[+-]/ {err = 1; printf "\033[31mWARNING\033[0m Submodule not initialized: \033[34m%s\033[0m\n",$$2} END { if (err != 0) print "You need to run \033[32mmake module-init\033[0m to initialize missing modules first"; exit err }' 1>&2
 
@@ -28,10 +31,10 @@ module-init: ## Initialize required submodules.
 
 all: build ## Build site with production settings and put deliverables in ./public
 
-build: module-check ## Build site with non-production settings and put deliverables in ./public
+build: module-check gen-cve-feed## Build site with non-production settings and put deliverables in ./public
 	hugo --minify --environment development
 
-build-preview: module-check ## Build site with drafts and future posts enabled
+build-preview: module-check gen-cve-feed ## Build site with drafts and future posts enabled
 	hugo --buildDrafts --buildFuture --environment preview
 
 deploy-preview: ## Deploy preview site via netlify
@@ -43,11 +46,11 @@ functions-build:
 check-headers-file:
 	scripts/check-headers-file.sh
 
-production-build: module-check ## Build the production site and ensure that noindex headers aren't added
+production-build: module-check gen-cve-feed ## Build the production site and ensure that noindex headers aren't added
 	hugo --minify --environment production
 	HUGO_ENV=production $(MAKE) check-headers-file
 
-non-production-build: module-check ## Build the non-production site, which adds noindex headers to prevent indexing
+non-production-build: module-check gen-cve-feed ## Build the non-production site, which adds noindex headers to prevent indexing
 	hugo --enableGitInfo --environment nonprod
 
 serve: module-check ## Boot the development server.
@@ -65,6 +68,9 @@ docker-serve:
 	@echo -e "$(CCRED)**** The use of docker-serve is deprecated. Use container-serve instead. ****$(CCEND)"
 	$(MAKE) container-serve
 
+container-gen-cve-feed: ## Generates official cve feed from external sources within a container (equiv to gen-cve-feed).
+	$(CONTAINER_RUN) $(CONTAINER_IMAGE) scripts/security/gen-cve-feed.sh
+
 container-image: ## Build a container image for the preview of the website
 	$(CONTAINER_ENGINE) build . \
 		--network=host \
diff --git a/content/en/docs/reference/issues-security/issues.md b/content/en/docs/reference/issues-security/issues.md
@@ -11,3 +11,12 @@ Work on Kubernetes code and public issues are tracked using [GitHub Issues](http
 * [CVE-related issues](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE)
 
 Security-related announcements are sent to the [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list.
+
+{{< issues-security >}}
+
+<!-- | CVE ID      | Summary | Issue details |
+| ----------- | ----------- | --------- |
+| [CVE-2021-25741](https://www.cve.org/CVERecord?id=CVE-2021-25741)      | Symlink Exchange Can Allow Host Filesystem Access | [#104980](https://github.com/kubernetes/kubernetes/issues/104980) |
+| [CVE-2020-8565](https://www.cve.org/CVERecord?id=CVE-2020-8565)      | Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 | [#95623](https://github.com/kubernetes/kubernetes/issues/95623) | -->
+
+Security-related announcements are sent to the [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list.
diff --git a/layouts/shortcodes/issues-security.html b/layouts/shortcodes/issues-security.html
@@ -0,0 +1,18 @@
+<table>
+  <thead>
+  <tr>
+    <th>CVE ID</th>
+    <th>Summary</th>
+    <th>Issue Details</th>
+  </tr>
+  </thead>
+  <tbody>
+  {{ range $issues := getJSON "static/security/official-cve-feed.json" }}
+  <tr>
+    <td><a href="{{ .cve_url }}">{{ .cve_id }}</a></td>
+    <td>{{ .summary }}</td>
+    <td><a href="{{ .issue_url }}">#{{ .number }}</a></td>
+  </tr>
+  {{ end }}
+  </tbody>
+</table>
diff --git a/netlify.toml b/netlify.toml
@@ -4,7 +4,7 @@
 # DO NOT REMOVE THIS (contact @kubernetes/sig-docs-leads)
 publish = "public"
 functions = "functions"
-command = "git submodule update --init --recursive --depth 1 && make non-production-build"
+command = "git submodule update --init --recursive --depth 1 && scripts/security/gen-cve-feed.sh && make non-production-build"
 
 [build.environment]
 NODE_VERSION = "10.20.0"
@@ -17,13 +17,13 @@ HUGO_ENV = "production"
 HUGO_ENABLEGITINFO = "true"
 
 [context.deploy-preview]
-command = "git submodule update --init --recursive --depth 1 && make deploy-preview"
+command = "git submodule update --init --recursive --depth 1 && scripts/security/gen-cve-feed.sh && make deploy-preview"
 
 [context.branch-deploy]
-command = "git submodule update --init --recursive --depth 1 && make non-production-build"
+command = "git submodule update --init --recursive --depth 1 && scripts/security/gen-cve-feed.sh && make non-production-build"
 
 [context.main]
 # This context is triggered by the `main` branch and allows search indexing
 # DO NOT REMOVE THIS (contact @kubernetes/sig-docs-leads)
 publish = "public"
-command = "git submodule update --init --recursive --depth 1 && make production-build"
+command = "git submodule update --init --recursive --depth 1 && scripts/security/gen-cve-feed.sh && make production-build"
diff --git a/scripts/security/gen-cve-feed.sh b/scripts/security/gen-cve-feed.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+mkdir -p static/security/
+touch static/security/official-cve-feed.json
+#TODO: this will be updated with k8s-gcs-bucket
+wget -O static/security/official-cve-feed.json "https://storage.googleapis.com/fake-test-cve-feed-kep-3203/official-cve-feed.json"
