Render a page for each known K8s vulnerability using a content adapter

[sftim]

This is a Feature Request

What would you like to be added
Revise https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ to have a page about each vulnerability, rendered using a content adapter.

Ideally, allow contributors to provide dedicated and specialized content for a subset of vulnerabilities, falling back to auto rendering for the remainder.

For example:

• https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ is still a page about the JSON and RSS feeds that are available
• https://kubernetes.io/example/security/CVE-2019-11254 becomes a new custom page about CVE-2019-11254
  • There's advice about how to mitigate it
  • There's a stern admonition that none of the supported K8s releases have this vulnerability, and to upgrade if feasible.
• https://kubernetes.io/example/security/CVE-2021-25749 becomes a new autogenerated page about CVE-2021-25749

Why is this needed
We can provide permalinks in our comms around vulnerabilities.

Comments
/area web-development
/sig security

We would need to be using Hugo v0.126 or later.

Relevant to kubernetes/sig-security#1
Prompted by #46426 (comment)

[PushkarJ]

Included this as a feature in beta -> GA work as a graduation criteria.

/triage accepted

[PushkarJ]

Some ideas on how to implement this:

This repo https://github.com/aquasecurity/vuln-list-k8s is being migrated to k-sigs org: kubernetes/org#4873 as a community owned repo. But for the purposes of discussion let's use the repo in its current location.

Step 1: As input to content adapter we get a list of OSV JSON files from Github API: https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream

Sample output:

  {
    "name": "CVE-2017-1002102.json",
    "path": "upstream/CVE-2017-1002102.json",
    "sha": "fb991a6b68caac15879c2eefebf1a72249d3ccfe",
    "size": 1466,
    "url": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream/CVE-2017-1002102.json?ref=main",
    "html_url": "https://github.com/aquasecurity/vuln-list-k8s/blob/main/upstream/CVE-2017-1002102.json",
    "git_url": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/git/blobs/fb991a6b68caac15879c2eefebf1a72249d3ccfe",
    "download_url": "https://raw.githubusercontent.com/aquasecurity/vuln-list-k8s/main/upstream/CVE-2017-1002102.json",
    "type": "file",
    "_links": {
      "self": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream/CVE-2017-1002102.json?ref=main",
      "git": "https://api.github.com/repos/aquasecurity/vuln-list-k8s/git/blobs/fb991a6b68caac15879c2eefebf1a72249d3ccfe",
      "html": "https://github.com/aquasecurity/vuln-list-k8s/blob/main/upstream/CVE-2017-1002102.json"
    }
  }

Step 2: Iterate each file name with absolute path using the key download_url and create a new dynamic page for each CVE
Step 3: https://kubernetes.io/example/security/CVE-2021-25749.json points to the OSV format json file
Step 4: https://kubernetes.io/example/security/CVE-2021-25749 points to an auto-generated page that can be customized depending on for example whether a CVE is unfixed or not.

[jbiers]

I'm willing to dig into this this issue if no one else is meant to take it @PushkarJ @sftim

[sftim]

Help is welcome @jbiers!

[sftim]

Step 1: As input to content adapter we get a list of OSV JSON files from Github API: https://api.github.com/repos/aquasecurity/vuln-list-k8s/contents/upstream

It's much easier if the machine readable feed is one file, rather than lots. If there are lots of files, we first need a single file with a list of the individual files to pull.

We can add the OSV data in a follow-up PR.

[sftim]

Also, we'd prefer to avoid needing API tokens for GitHub as part of the site build; it adds extra friction for new contributors.

[sftim]

https://kubernetes.io/example/security/CVE-2021-25749

Shorter URLs are an option too; eg https://k8s.io/security/CVE-2021-25749 can redirect to https://kubernetes.io/example/security/CVE-2021-25749

[jbiers]

/assign

[PushkarJ]

The repository with OSV files is now migrated within k8s-sigs org: https://github.com/kubernetes-sigs/cve-feed-osv

[jbiers]

@sftim I have a question regarding the path where the CVE files should be created. Your suggestion was https://kubernetes.io/example/security/CVE-2019-11254, but as I understand currently the examples directory only contains example manifests in the form of yaml files.

My question is if it makes semantic sense to have the CVEs in this path and not somewhere like https://kubernetes.io/docs/reference/issues-security/cves/cve-2017-1002101/ or similar. If done this way, we could simply use the layouts currently used in other documentation pages, while in the /examples/ path a new one would have to be created.

Let me know if I did not make myself clear enough here 😄

[sftim]

Oh, the string example was just an example! You should pick an actual URL path that makes sense to SIG Security.

The directory you use does not not need to exist in the Git source code.

[sftim]

If you find you want a new layout, SIG Docs can help out with that.

[sftim]

@jbiers did you decide on what path you'd like the pages to have? You could pick some actual CVE IDs and document the URL that you'd like them to have, to illustrate the pattern you have in mind.

[sftim]

Help with this issue is very welcome.