#!/usr/bin/env python3
# Copyright 2022 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import json
import re
from datetime import datetime, timezone

import requests
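def getCVEStatus(state, state_reason):
    """Map a GitHub issue ``state``/``state_reason`` pair to a feed status.

    Args:
        state: The issue ``state`` field as returned by the GitHub API
            ("open" or "closed").
        state_reason: The issue ``state_reason`` field ("reopened",
            "completed", "not_planned", or None).

    Returns:
        One of "open", "fixed", "unfixed" or "unknown". Any pair without an
        explicit mapping (for example a closed issue whose ``state_reason``
        is None, or a reason GitHub introduces later) yields "unknown"
        instead of falling off the end and returning ``None``, so the
        published feed never carries a ``null`` status.
    """
    if state == "open":
        # A reopened issue was closed at least once, so whether the fix
        # still stands is not known from the state alone.
        return "unknown" if state_reason == "reopened" else "open"
    if state == "closed":
        if state_reason == "completed":
            return "fixed"
        if state_reason == "not_planned":
            return "unfixed"
    # Explicit fallback for every unmapped combination.
    return "unknown"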
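# The search API returns at most 100 results per page; asking for the maximum
# keeps the number of unauthenticated (rate-limited) calls as low as possible.
url = 'https://api.github.com/search/issues?q=is:issue+label:official-cve-feed+\
repo:kubernetes/kubernetes&per_page=100'
headers = {'Accept': 'application/vnd.github.v3+json'}
# requests has no default timeout: without one a stalled connection would
# block the feed refresh job indefinitely.
REQUEST_TIMEOUT = 30
# Shape of a CVE identifier: CVE-<4-digit year>-<4 or more digits>. The ID is
# parsed out of free-text issue titles and then embedded in the feed 'id' and
# in two URLs, so only text of exactly this shape is allowed through.
CVE_ID_RE = re.compile(r'CVE-\d{4}-\d{4,}')

res = requests.get(url, headers=headers, timeout=REQUEST_TIMEOUT)
# Surface HTTP failures (typically a 403 once the unauthenticated rate limit
# is hit) as an HTTPError rather than a KeyError on the missing 'items' key.
res.raise_for_status()
gh_items = res.json()['items']
# Use link header to iterate over pages
# https://docs.github.com/en/rest/overview/resources-in-the-rest-api#pagination
# https://datatracker.ietf.org/doc/html/rfc5988
# Please note that if there is a great number of pages, this unauthenticated
# request may be subject to rate limits and fail.
# https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting
while 'next' in res.links:
    res = requests.get(res.links['next']['url'], headers=headers,
                       timeout=REQUEST_TIMEOUT)
    res.raise_for_status()
    gh_items.extend(res.json()['items'])

feed_envelope = {
    'version': 'https://jsonfeed.org/version/1.1',
    'title': 'Kubernetes Vulnerability Announcements - CVE Feed',
    'home_page_url': 'https://kubernetes.io',
    'feed_url': 'https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json',
    'description': 'Auto-refreshing official CVE feed for Kubernetes repository',
    'authors': [
        {
            'name': 'Kubernetes Community',
            'url': 'https://www.kubernetes.dev'
        }
    ],
    '_kubernetes_io': None,
    'items': None,
}
# Format the timestamp the same way as GitHub RFC 3339 timestamps, with only
# seconds and not milli and microseconds. An aware UTC datetime is used
# instead of the naive datetime.utcnow(), which is deprecated since 3.12.
root_kubernetes_io = {
    'feed_refresh_job': 'https://testgrid.k8s.io/sig-security-cve-feed#auto-refreshing-official-cve-feed',
    'updated_at': datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ'),
}
feed_envelope['_kubernetes_io'] = root_kubernetes_io

cve_list = []
for item in gh_items:
    # These keys respect the item jsonfeed spec https://www.jsonfeed.org/version/1.1/
    cve = {'content_text': None, 'date_published': None, 'external_url': None,
           'id': None, 'summary': None, 'url': None, '_kubernetes_io': None}
    # This is a custom extension
    item_kubernetes_io = {'google_group_url': None, 'issue_number': None}
    cve['_kubernetes_io'] = item_kubernetes_io
    cve['url'] = item['html_url']
    cve['_kubernetes_io']['issue_number'] = item['number']
    cve['content_text'] = item['body']
    cve['date_published'] = item['created_at']
    # 'state_reason' may be null; .get() also tolerates the key being absent.
    cve['status'] = getCVEStatus(item['state'], item.get('state_reason'))
    # This is because some CVEs were titled "CVE-XXXX-XXXX - Something" instead of
    # "CVE-XXXX-XXXX: Something" on GitHub (see https://github.com/kubernetes/kubernetes/issues/60813).
    title = item['title'].replace(' -', ':')
    # This splits the CVE into its ID and the description/name, however some are in the following forms:
    # - CVE-2019-11245: v1.14.2, v1.13.6: container uid [...] (see https://github.com/kubernetes/kubernetes/issues/78308)
    # - CVE-2019-11250: TOB-K8S-001: Bearer tokens [...] (see https://github.com/kubernetes/kubernetes/issues/81114)
    # We don't know if there are going to be version numbers and/or vendor IDs but the description should be last.
    parts = title.split(': ')
    # str.split() always yields at least one element, so a summary is always set.
    cve['summary'] = parts[-1]
    if len(parts) > 1:
        # Only a well-formed CVE ID found in the leading segment becomes the
        # feed 'id' and is interpolated into the URLs below; any other text in
        # that segment is ignored so a malformed title cannot shape the links.
        match = CVE_ID_RE.search(parts[0])
        if match:
            cve_id = match.group(0)
            cve['id'] = cve_id
            cve['external_url'] = f'https://www.cve.org/cverecord?id={cve_id}'
            cve['_kubernetes_io']['google_group_url'] = f'https://groups.google.com/g/kubernetes-announce/search?q={cve_id}'
    cve_list.append(cve)
feed_envelope['items'] = cve_list
json_feed = json.dumps(feed_envelope, sort_keys=False, indent=4)
print(json_feed)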