CVE feed doesn't include some vulnerabilities for in-project code

[evgenymo]

Hi,

I don't see CVE-2023-5043 or CVE-2023-5044 on the list of CVEs.

[k8s-ci-robot]

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sftim]

This is about https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ and the feeds it links to.

/sig security

[sftim]

The CVE feed lists vulnerabilities in Kubernetes' core. I don't think we make that as clear as we could.

[sftim]

/retitle CVE feed doesn't include some vulnerabilities for in-project code

[a-mccarthy]

@sftim can you clarify here if there is anything actionable on this issue now? or is work dependent on the outcome of the k/k issue you created?

[sftim]

The people working on the KEP could take steps to ensure the upstream feed includes more data; you can't fix this purely by committing to k/website.

However, there's more than one route forward here.

[PushkarJ]

Thanks for the tag @sftim

/priority important-long-term

[k8s-ci-robot]

@PushkarJ: The label(s) priority/important-long-term cannot be applied, because the repository doesn't have them.

In response to this:

Thanks for the tag @sftim

/priority important-long-term

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[PushkarJ]

Including CVEs outside of k8s core is not in scope at the moment for GA. If this is useful for the community, I would welcome folks to chat with the group who maintains the CVE feed on #sig-security-tooling (Invite yourself from here: https://slack.k8s.io/) and share their intent to contribute to make this happen.

/priority important-longterm