Keep OSV feed data current and updated #9
Comments
|
@knqyf263 gentle ping, since you were the last to commit, and @chen-keinan since you wrote the code. I think there is a permission issue in https://github.com/kubernetes-sigs/cve-feed-osv/actions/runs/11403286917/job/31730038462 Is this code actually parsing the plain text, unstructured JSON feeds, and merging that with an NVD CVE record? It feels a bit brittle. What if the security team were to create a structured in the first place? There is a process at https://github.com/kubernetes/committee-security-response/blob/main/cna-handbook.md#populate-cve-details-after-public-disclosure that also creates a CVE JSON, and ensuring that they also provide proper version ranges and packages (or even better PURLs) would be awesome. |
|
@pombredanne thanks for the catching it up, I see that the update job is failing due to workflow bot permission, I'll have a look. |
|
@pombredanne after taking a look I see that github action can't create PRs (new CVE for review) due to org permission |
|
Thanks @chen-keinan ! Should we expect the feed to get updated soon? There doesn't seem to have been any automatic updates since #10 Regarding the feed itself, there's some other small changes required before we can start ingesting this into OSV, which @andrewpollock pointed out in google/osv.dev#281 (comment). Repeating them here:
Who would be the right point of contact for these changes? |
@oliverchang I'm working on fixing the feed update issue.
you can contact myself or @knqyf263 |
There are several reasons we chose First, Kubernetes has various distributions, such as EKS and GKE. These distributions often fix the same vulnerabilities as upstream. Since we were basing our thinking on PURLs, we thought a namespace would be a good way to represent these, like Secondly, we were also concerned about the mismatch between the Go module versioning and the Kubernetes versioning. For example, the vulnerability describes the affected versions as follows:
However, the version of cve-feed-osv/vulns/CVE-2024-3177.json Line 11 in 9760a22 Lastly, there were cases where components could not be identified from the advisory. In this case, the Go module name is unknown, but we are using the pseudo cve-feed-osv/vulns/CVE-2020-8564.json Line 11 in 9760a22 We are using the Kubernetes ecosystem because using the Go ecosystem for these advisories would be inaccurate. We could use the Go ecosystem if the OSV team has good ideas for these concerns. This project is still experimental in some aspects., and we are open to suggestions. |
|
Thanks for the context and the very detailed examples explaining this @knqyf263! This makes perfect sense to me, if the Kubernetes ecosystem has a both a different versioning and namespace from Kubernetes Go modules. Out of curiosity, do you have any pointers for how users would construct these identifiers for vulnerability scanning? e.g. how a vulnerability scanner would make use of this DB and what types of things it would be scanning? Would you be able to help with contributing a definition of the "Kubernetes" ecosystem to the OSV schema? https://ossf.github.io/osv-schema/#affectedpackage-field And also, would you be OK with prepending a "KUBE-" (or similar) ID prefix to the CVE- prefixes for all of these records, to distinguish these from non-Kubernetes sourced CVEs? i.e. |
I'm not familiar with other scanners, but I can explain how this advisory is used in Trivy, which I maintain. As general background, when Trivy finds a Go binary, it extracts the embedded information to obtain the Go main module name and its dependencies. This is equivalent to the information you get from However, this method may not work well when scanning Kubernetes components for vulnerabilities for two reasons:
For these reasons, Trivy obtains component versions through the Kubernetes API as much as possible. In the above example, we can determine that the Kubelet version is v1.27.1. We map Kubelet to To elaborate on why we treat this as a Kubernetes ecosystem: This is what @chen-keinan meant by application-level rather than library-level. We're not obtaining Go module information, but rather getting the name and version of components within Kubernetes. We considered forcing it to work with
Sure. I'll try it later.
While we have no objections to this, I'm curious about the reason for wanting to distinguish these, given that Kubernetes uses CVE-IDs, unlike vendor-specific IDs such as GHSA-ID or RHSA-ID. |
I thought your name looked familiar! Thanks for the information on how the component versions obtained and how trivy works here.
This is because OSV has a concept of a home database. The same CVE may be expressed in multiple places (e.g. NVD/CVE list, and custom advisory databases), and we need to distinguish them because the contents might be different. To do this, records typically have a custom identifier prefix. An example is https://osv.dev/vulnerability/UBUNTU-CVE-2023-25136 vs https://osv.dev/vulnerability/CVE-2023-25136, where a Linux distribution wants to publish information about a specific CVE specific to the distro. Another example is curl, who also publish OSV directly: https://osv.dev/vulnerability/CURL-CVE-2024-9681. |
Thanks for explaining. It makes sense. I opened a PR. |
It would be great to keep this CVE feed current and updated.
I discovered its existence in this discussion:
@andrewpollock (who contributes to OSV) wrote in aboutcode-org/vulnerablecode#1661 (comment)
But the repo is not in sync with the latest security feed.
For instance, as of today:
Questions:
The text was updated successfully, but these errors were encountered: