-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New label for officially announced CVEs by SRC #23428
Conversation
/retest-required |
2b05571
to
203aabd
Compare
This would be a great label to filter on. AFAIK, we currently use cc: @kubernetes/release-engineering @kubernetes/security-response-committee @kubernetes/sig-security |
203aabd
to
9e9d2b0
Compare
Thank you @justaugustus, refactored the label now to make it available to all repos. To your point, was hoping to use |
/hold So what I don't see on https://github.com/kubernetes/community/issues/5923 is consensus on this. Has this been brought up and discussed with sig-security and the security response committee? If they are on board with the plan/label, then the other thing we'd need to do is give notice to the community. Adding this label globally will add to all repos in all orgs.. we don't want anyone to be surprised. |
@cblecker You are right, I definitely missed adding evidence of consensus between SIG Security and SRC. We discussed this in SIG Security on 07/29 and one of the action items was to get input from SRC and address any concerns. As its been a while since then, I have added this to the agenda for our next SIG Security meeting on 09/09 Also something that I did not clarify earlier, even though the label will be available for all repos, the intent is to create automation only for |
(with my sig security hat on) |
Building on this idea, I think we could even tag the actual CVE pull requests with the new label automatically from the data that the SRC hands over to release engineering every time a CVE is fixed in a patch release. I've added an issue to have Release Engineering work on this once this merges: From RelEng: |
If the plan is to use this label as input for an automated list of Kubernetes CVEs, then we should try to keep it constrained (at least on the issue side) to only the "official" CVE issues that get linked from the announcements / CVE reference. Alternatively, I could also see this used to track follow up requests (e.g. kubernetes/kubernetes#95086). Either would be useful, but we should be clear on the expectations. A related question: the SRC sometimes handles things that are security incidents but not CVEs. These don't usually get filed as issues on k/k, but if there was an issue filed would you expect it to be labeled with |
I'm unfamiliar with what's available in GitHub - is there a way to restrict who can apply a label? Agreed that it would be good to restrict it to prevent accidental pollution of the search results if we're using it to catalog the CVE issues. Perhaps to the robot + SRC? I think labeling the non-CVE issue disclosures with area/cve would be good, despite it not quite matching up to the name (or it could be area/vuln, area/security-advisory, or something like that if we really wanted it to be strictly correct in its name) |
@tallclair : yes that is the plan and agree on scoping to the ones officially announced as CVEs from SRC
@tabbysable: My suggestion would be to continue to use area/security for any issue that does not fix a vulnerability which has been given a CVE identifier by SRC (i.e. the scope above) EDIT: Sorry for not previewing my message earlier |
@tabbysable : Yes agree that we should restrict who can put this label. It seems like the labels can be authorized based on different kinds of membership as per this doc
I will dig more to find out how to exactly achieve this. But wanted to put this out in case anyone exactly knows how to do this. |
9e9d2b0
to
4c4c4bd
Compare
@tabbysable , @tallclair Good news!! Thanks to pointers from @alvaroaleman (Links for which are now added in the PR description) found a way to add a label based on Github memberships. New commit which also passed all the checks, does the following changes:
@puerco for kubernetes/release#2264 you may need to add a team from release engg. to allow it to auto-label in-scope Issues |
/assign tabbysable tallclair For |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the follow-up!
Do we also need to reconfigure the label plugin? See https://github.com/kubernetes/test-infra/pull/24058/files for an example. |
@sftim Looking at this block of code, it seems like additional labels is a separately handled from restricted labels: https://github.com/alvaroaleman/test-infra/blob/c37ab31c679b722b9371dfff87017db343f8bb17/prow/plugins/label/label.go#L169-L178 Example usage of restricted labels also does not seem to need additional labels yaml block here: https://github.com/openshift/release/blob/7bb7822854861b87d30c9c09c77c77b33b5dfafe/core-services/prow/02_config/openshift/cluster-baremetal-operator/_pluginconfig.yaml#L6-L13 Let me know if I am missing something or if I misunderstood the way labels are being managed by the plugin |
- Currently, it is not possible to filter for issues and PRs that are related to CVEs found in Kubernetes - It will allow filtering and automation to create a CVE feed for Kubernetes - This is a restricted label that can be added by SRC and Tooling Lead - Limited to k/k repo for clarity of scope
797525a
to
a20433b
Compare
/label tide/merge-method-squash |
@cblecker : The new changes have addressed the concerns raised here: #23428 (comment) to remove
Happy to hear any additional concerns or questions that still need addressing. Thank you for asking to do this due diligence. I believe we have a well thought out labelling process because of it now. /assign @cblecker |
/lgtm @PushkarJ Thanks so much for jumping through the hoops! Glad we were able to figure out a great solution for this :) |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cblecker, PushkarJ The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@PushkarJ: Updated the following 2 configmaps:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This PR adds a new label
official-cve-feed
for CVEs announced by SRCk/k
repo for clarity of scopeRelated Issues and PRs:
/sig contribex security
/cc @kubernetes/sig-contributor-experience-pr-reviews