Add CVE Information to Release Notes

[puerco]

What type of PR is this?

/kind design

What this PR does / why we need it:

This PR introduces a minor change to the release notes template to add a security section with CVE data read from a map file (see #1373).

This is a WIP intended to discuss the way the information will look like when presented in the release notes document.

When applied, this test will add a new section to the release notes markdown output with information added from a CVE map. A sample of the output can be viewed here.

Tests are not included, they will be written and added to this PR once we settle on a design.

Which issue(s) this PR fixes:

Related to #1373 and kubernetes/enhancements#1833
Closes #1354

Special notes for your reviewer:

/hold for final design, tests and until #1373 merges

Does this PR introduce a user-facing change?

* Release notes libraries will now recognize CVE information in the `datafields` section of the release notes map files.
* Add CVE vulnerability info to template.go to be rendered when a map defines a `cve` section

[justaugustus]

/retest

[justaugustus]

@kubernetes/release-engineering -- please review!

[saschagrunert]

/lgtm

[cpanato]

/lgtm

[xmudrii]

/lgtm

[tpepper]

/lgtm

[justaugustus]

@kubernetes/product-security-committee for review as well

[tallclair]

What are Rating and Score? Is this referring to the severity bucket, and the numerical severity rating?
If so, we usually format those like:

Severity: Medium (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)

If you don't want to include the full CVSS rating, you could just put the numeric score in parentheses.

[puerco]

OK, I've modified the template to report following your suggestion. Added a new field for the vector too.

[tallclair]

I would prefer to just link to the tracking issue (e.g. kubernetes/kubernetes#92914) rather than the specific PRs. The tracking issue should have all the detail needed, and is generally what we consider the source of truth for vulnerability details.

[puerco]

👍 I've dropped the PRs from the output in favor of a new link to the tracking issue

[tallclair]

I would like the CVE number to be included in the title, e.g. CVE-2020-8559: Privilege escalation from compromised node to cluster

I'm not sure if we just want to make it convention to set the title like that, or explicitly break the CVE into a separate field.

[puerco]

Done 👍

[saschagrunert]

@puerco are you still working on this or do you need help to carry it over the finishing line?

[puerco]

Are you planning to work on this or should we move the topic back into the open discussion?

Yes I'll retake this now as my secondary work.

[puerco]

OK, Ive modified the CVE data structure and the output format to better reflect @tallclair 's suggestions. Here's a sample of the output. And the corresponding map to generate:

---
pr: 97407
datafields:
  cve:
    id: CVE-2020-8559
    vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
    rating: Medium
    score: 6.4
    title: Privilege escalation from compromised node to cluster
    issue: https://github.com/kubernetes/kubernetes/issues/92914
    issues:
      - 92941
      - 92969
      - 92970
      - 92971
    description: >
      If an attacker is able to intercept certain requests to the Kubelet, they
      can send a redirect response that may be followed by a client using the
      credentials from the original request. This can lead to compromise of
      other nodes.
      
      If multiple clusters share the same certificate authority trusted by the
      client, and the same authentication credentials, this vulnerability may
      allow an attacker to redirect the client to another cluster. In this
      configuration, this vulnerability should be considered High severity.

[tpepper]

Typo -> Invalid

[puerco]

✔️ Thanks!

[justaugustus]

cc: @kubernetes/sig-security

[tpepper]

Looks like good start, but suggest stricter validation. Since this is a critical bit of text in the notes, it is important to rigorously enforce the data is well formatted for the readers.

[tpepper]

I can see the new TrackingIssue perhaps being empty, but can't tell if that's intended. A couple changes to consider depending on if it is required or not

• in notes.go CVEData comment the TrackingIssue as "Optional link to the vulnerability tracking issues"
• add a validator here to require it to be non-empty (or set it to "n/a"?)
• conditionally print the "Tracking Issue: {{.TrackingIssue}}" portion of the template only if non-empty

[puerco]

I've modified it to make the field optional. Once it is in use we can decide if we enforce it.

[tpepper]

Should this validate more that the id is of the expected form for a CVE?

[puerco]

✔️ Added a basic regexp validation

[tpepper]

Should validate versus the known range of 0..10.

[tpepper]

Is there a library that can validate the form is the expected CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H sort of form?

[puerco]

I'm trying this one and seems to do the job just fine: https://github.com/spiegel-im-spiegel/go-cvss

[puerco]

I've addressed @tpepper 's remarks and added a small test for the CVE data validation function.

[puerco]

/test pull-release-verify

[tpepper]

Update lgtm.

[saschagrunert]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, puerco, saschagrunert, xmudrii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cpanato,puerco,saschagrunert,xmudrii]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[saschagrunert]

/hold cancel