
Automatically label CVE covert PRs with area/cve #2264

Closed
puerco opened this issue Sep 23, 2021 · 10 comments
Labels
area/release-eng Issues or PRs related to the Release Engineering subproject kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/release Categorizes an issue or PR as relevant to SIG Release.

Comments

@puerco
Member

puerco commented Sep 23, 2021

What would you like to be added:

SIG Security has proposed a new label area/cve to mark all PRs and issues related to CVEs:
ref: kubernetes/test-infra#23428

Once this proposal merges and is enabled in all repos, we should modify the release process to stamp all pull requests in the CVE data files as area/cve when reading the vulnerability information.

Why is this needed:

Tagging the covert PRs with the new label enables downstream consumers to monitor a feed reading from the GitHub label and get a programmatic notice of vulnerabilities as soon as we cut a new release.

/cc @PushkarJ @tabbysable @justaugustus

@puerco puerco added kind/feature Categorizes issue or PR as related to a new feature. sig/release Categorizes an issue or PR as relevant to SIG Release. area/release-eng Issues or PRs related to the Release Engineering subproject labels Sep 23, 2021
@puerco puerco added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Sep 23, 2021
@PushkarJ
Member

PushkarJ commented Sep 23, 2021

@puerco is this request perhaps similar to this : kubernetes/sig-security#1

@puerco
Member Author

puerco commented Sep 23, 2021

It's an enabler for kubernetes/sig-security#1. Once we have this feature in place, you'll get the CVE pull requests automatically labeled, saving you from "Search and Identify closed issues that have a CVE ID" for any future CVE in Kubernetes. They will get tagged at release time, which is usually right after the embargo is lifted.

If you want, add this issue to your umbrella we can work SIG to SIG: we take care of working on this and contribute to your project :)

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 22, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 21, 2022
@PushkarJ
Member

The initial goal for the label and the label name have significantly shifted (from all issues and PRs for CVEs to only officially announced issues for CVEs). So labelling all CVE-related issues and PRs from sig-release with the new label may not be useful. Instead of that, the SRC issues for official CVEs are now being labelled with the new label with the update to their template: kubernetes/committee-security-response#133

Suggest that we close this for now, and revisit in future if necessary!

@puerco
Member Author

puerco commented Jan 22, 2022

OK, so the PRs will not get the label?

@PushkarJ
Member

OK, so the PRs will not get the label?

Yes, correct. Folks recommended that the label be used by SRC for only officially announced CVEs in k8s, not the ones, let's say, that we fix in images or build-time deps.

@puerco
Member Author

puerco commented Jan 22, 2022

Oh yeah, my understanding was that we were going to label the PRs that contain the fix when the CVE data got read by the release process:

kubernetes/test-infra#23428 (comment)

@justaugustus justaugustus removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Feb 9, 2022
@tabbysable
Member

/close

(Please re-open if I was wrong and this still needs further discussions.)

@k8s-ci-robot
Contributor

@tabbysable: Closing this issue.

In response to this:

/close

(Please re-open if I was wrong and this still needs further discussions.)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
