Publish CVE issue status in JSON CVE feed #98

Closed
Tracked by #1
sftim opened this issue Aug 24, 2023 · 14 comments
@sftim
Contributor

sftim commented Aug 24, 2023

This came out of a SIG Security meeting and builds on issue #97

For https://kubernetes.io/docs/reference/issues-security/official-cve-feed/, people reading the site want to find out what's there.

There are different views on what behavior feels right to end users.
@PushkarJ explained the current (at time of writing) behavior is to only list resolved issues; “resolved” means a fix is published.
@IanColdwater gave some context from other projects, some of which only publish CVEs once a fix is available. They mentioned Ubuntu where CVE issues have tags (tracked per release) - https://ubuntu.com/security/cves

This issue is a feature request to add more data to the CVE feed (not the rendered HTML) to show whether the Kubernetes project sees the CVE as:

  • open
  • not planned
  • closed

(conveniently and by intent, we can derive these from GitHub's issues API)

For adding open issues into the rendered HTML CVE feed, see #97

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 26, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 26, 2024
@PushkarJ
Member

This is planned to be done as part of beta to GA

/remove-lifecycle rotten

/remove-lifecycle stale

@PushkarJ
Member

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Feb 26, 2024
@PushkarJ
Member

PushkarJ commented May 19, 2024

Did some quick analysis. So wanted to share this here in preparation of implementing this:

REST API: https://docs.github.com/en/rest/issues/issues?apiVersion=2022-11-28#get-an-issue
Fields of interest: state (open / closed) and state_reason
Possible values for state_reason: completed, not_planned, reopened, null

Actual values we want to translate them into for CVE Status:

state == open --> "open"
state == closed, state_reason == completed --> "fixed"
state == closed, state_reason == not_planned --> "unfixed"
state == open, state_reason == "reopened" --> "unknown"

Example:

personal-macbook:~ pushkarj$ curl -L   -H "Accept: application/vnd.github+json"    -H "X-GitHub-Api-Version: 2022-11-28"   https://api.github.com/repos/kubernetes/kubernetes/issues/124759
{
  "url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759",
  "repository_url": "https://api.github.com/repos/kubernetes/kubernetes",
  "labels_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/labels{/name}",
  "comments_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/comments",
  "events_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/events",
  "html_url": "https://github.com/kubernetes/kubernetes/issues/124759",
  "id": 2285943659,
  "node_id": "I_kwDOAToIks6IQLtr",
  "number": 124759,
  "title": "CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs",
  "user": {
    "login": "ritazh",
    "id": 1856066,
    "node_id": "MDQ6VXNlcjE4NTYwNjY=",
    "avatar_url": "https://avatars.githubusercontent.com/u/1856066?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/ritazh",
    "html_url": "https://github.com/ritazh",
    "followers_url": "https://api.github.com/users/ritazh/followers",
    "following_url": "https://api.github.com/users/ritazh/following{/other_user}",
    "gists_url": "https://api.github.com/users/ritazh/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/ritazh/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/ritazh/subscriptions",
    "organizations_url": "https://api.github.com/users/ritazh/orgs",
    "repos_url": "https://api.github.com/users/ritazh/repos",
    "events_url": "https://api.github.com/users/ritazh/events{/privacy}",
    "received_events_url": "https://api.github.com/users/ritazh/received_events",
    "type": "User",
    "site_admin": false
  },
  "labels": [
    {
      "id": 105146071,
      "node_id": "MDU6TGFiZWwxMDUxNDYwNzE=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/kind/bug",
      "name": "kind/bug",
      "color": "e11d21",
      "default": false,
      "description": "Categorizes issue or PR as related to a bug."
    },
    {
      "id": 116712923,
      "node_id": "MDU6TGFiZWwxMTY3MTI5MjM=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/area/security",
      "name": "area/security",
      "color": "d93f0b",
      "default": false,
      "description": null
    },
    {
      "id": 357119284,
      "node_id": "MDU6TGFiZWwzNTcxMTkyODQ=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/sig/auth",
      "name": "sig/auth",
      "color": "d2b48c",
      "default": false,
      "description": "Categorizes an issue or PR as relevant to SIG Auth."
    },
    {
      "id": 778118403,
      "node_id": "MDU6TGFiZWw3NzgxMTg0MDM=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/lifecycle/frozen",
      "name": "lifecycle/frozen",
      "color": "d3e2f0",
      "default": false,
      "description": "Indicates that an issue or PR should not be auto-closed due to staleness."
    },
    {
      "id": 1199275492,
      "node_id": "MDU6TGFiZWwxMTk5Mjc1NDky",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/committee/security-response",
      "name": "committee/security-response",
      "color": "c0ff4a",
      "default": false,
      "description": "Denotes an issue or PR intended to be handled by the product security committee."
    },
    {
      "id": 2389856656,
      "node_id": "MDU6TGFiZWwyMzg5ODU2NjU2",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/triage/accepted",
      "name": "triage/accepted",
      "color": "8fc951",
      "default": false,
      "description": "Indicates an issue or PR is ready to be actively worked on."
    },
    {
      "id": 3603068678,
      "node_id": "LA_kwDOAToIks7WwncG",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/official-cve-feed",
      "name": "official-cve-feed",
      "color": "0052cc",
      "default": false,
      "description": "Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)"
    }
  ],
  "state": "closed",
  "locked": false,
  "assignee": null,
  "assignees": [

  ],
  "milestone": null,
  "comments": 1,
  "created_at": "2024-05-08T16:02:57Z",
  "updated_at": "2024-05-15T00:45:12Z",
  "closed_at": "2024-05-15T00:45:12Z",
  "author_association": "MEMBER",
  "active_lock_reason": null,
  "body": "CVSS Rating: [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) - **MEDIUM** (6.5)\r\n\r\nA security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.  Tokens are only logged when [TokenRequests is configured in the CSIDriver object](https://kubernetes-csi.github.io/docs/token-requests.html) and the driver is set to run at log level 2 or greater via the -v flag.\r\n\r\nThis issue has been rated **MEDIUM** [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) (6.5), and assigned **CVE-2024-3744**\r\n\r\n### Am I vulnerable?\r\n\r\nYou may be vulnerable if [TokenRequests is configured in the CSIDriver object](https://kubernetes-csi.github.io/docs/token-requests.html) and the driver is set to run at log level 2 or greater via the -v flag.\r\n\r\nTo check if token requests are configured, run the following command:\r\n\r\nkubectl get csidriver file.csi.azure.com -o jsonpath=\"{.spec.tokenRequests}\"\r\n\r\nTo check if tokens are being logged, examine the secrets-store container log:\r\n\r\nkubectl logs csi-azurefile-controller-56bfddd689-dh5tk -c azurefile -f | grep --line-buffered \"csi.storage.k8s.io/serviceAccount.tokens\"\r\n\r\n#### Affected Versions\r\n\r\n- azure-file-csi-driver <= v1.29.3\r\n- azure-file-csi-driver v1.30.0\r\n\r\n### How do I mitigate this vulnerability?\r\n\r\nPrior to upgrading, this vulnerability can be mitigated by running azure-file-csi-driver at log level 0 or 1 via the -v flag.\r\n\r\n#### Fixed Versions\r\n\r\n- azure-file-csi-driver v1.29.4\r\n- azure-file-csi-driver v1.30.1\r\n\r\nTo upgrade, refer to the documentation: https://github.com/kubernetes-sigs/azurefile-csi-driver?tab=readme-ov-file#install-driver-on-a-kubernetes-cluster \r\n\r\n### Detection\r\n\r\nExamine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud resources.\r\n\r\nIf you find evidence that this vulnerability has been exploited, please contact [email protected]\r\n\r\n#### Acknowledgements\r\n\r\nThis vulnerability was patched by Weizhi Chen @cvvz from Microsoft.\r\n\r\nThank You,\r\nRita Zhang on behalf of the Kubernetes Security Response Committee\r\n\r\n/triage accepted\r\n/lifecycle frozen\r\n/area security\r\n/kind bug\r\n/committee security-response",
  "closed_by": {
    "login": "ritazh",
    "id": 1856066,
    "node_id": "MDQ6VXNlcjE4NTYwNjY=",
    "avatar_url": "https://avatars.githubusercontent.com/u/1856066?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/ritazh",
    "html_url": "https://github.com/ritazh",
    "followers_url": "https://api.github.com/users/ritazh/followers",
    "following_url": "https://api.github.com/users/ritazh/following{/other_user}",
    "gists_url": "https://api.github.com/users/ritazh/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/ritazh/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/ritazh/subscriptions",
    "organizations_url": "https://api.github.com/users/ritazh/orgs",
    "repos_url": "https://api.github.com/users/ritazh/repos",
    "events_url": "https://api.github.com/users/ritazh/events{/privacy}",
    "received_events_url": "https://api.github.com/users/ritazh/received_events",
    "type": "User",
    "site_admin": false
  },
  "reactions": {
    "url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/reactions",
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
  },
  "timeline_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/timeline",
  "performed_via_github_app": null,
  "state_reason": "completed"
}
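
The state/state_reason translation proposed in the comment above, written out as an added example (not the feed tooling's own code). The fallback to "unknown" for a closed issue that carries no state_reason, and the extraction of the CVE id from the issue title prefix, are assumptions of this example; the sample issues are constructed, with the first trimmed from the API response shown above.

```python
import json

STATUS_UNKNOWN = "unknown"


def cve_status(issue: dict) -> str:
    """Translate a GitHub REST API issue object into a CVE feed status."""
    state = issue.get("state")
    reason = issue.get("state_reason")
    if state == "open":
        # A reopened issue has state == open; the comment maps it to "unknown".
        return STATUS_UNKNOWN if reason == "reopened" else "open"
    if state == "closed":
        if reason == "completed":
            return "fixed"
        if reason == "not_planned":
            return "unfixed"
    # Assumption: closed with no state_reason, or any other combination -> "unknown".
    return STATUS_UNKNOWN


def feed_entry(issue: dict) -> dict:
    """Build the fields a feed entry would publish for one issue."""
    title = issue.get("title", "")
    # Assumption: the CVE id is the "CVE-YYYY-NNNN:" prefix of the issue title.
    cve_id = title.split(":", 1)[0].strip() if title.upper().startswith("CVE-") else None
    return {
        "id": cve_id,
        "summary": title,
        "issue_url": issue.get("html_url"),
        "status": cve_status(issue),
    }


# Constructed sample input: issue 124759 trimmed from the response above, plus
# invented placeholders that exercise every branch of the mapping.
SAMPLE_ISSUES = json.loads("""[
 {"number": 124759, "html_url": "https://github.com/kubernetes/kubernetes/issues/124759",
  "title": "CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs",
  "state": "closed", "state_reason": "completed"},
 {"number": 1, "html_url": "https://example.invalid/1", "title": "CVE-0000-0001: open placeholder", "state": "open", "state_reason": null},
 {"number": 2, "html_url": "https://example.invalid/2", "title": "CVE-0000-0002: not planned placeholder", "state": "closed", "state_reason": "not_planned"},
 {"number": 3, "html_url": "https://example.invalid/3", "title": "CVE-0000-0003: reopened placeholder", "state": "open", "state_reason": "reopened"},
 {"number": 4, "html_url": "https://example.invalid/4", "title": "CVE-0000-0004: legacy closed placeholder", "state": "closed", "state_reason": null}
]""")

if __name__ == "__main__":
    print(json.dumps([feed_entry(i) for i in SAMPLE_ISSUES], indent=2))
```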

@jbiers
Contributor

jbiers commented Jun 5, 2024

@PushkarJ is this issue waiting for contributions? I'm interested in getting involved in the sig-security :)

@PushkarJ
Member

Hi @jbiers, yes please. We would love any help you can offer on this! Feel free to tag me with questions here or in #sig-security-tooling

@jbiers
Contributor

jbiers commented Jun 24, 2024

/assign

@jbiers
Contributor

jbiers commented Jun 28, 2024

The new status field was included in the PR mentioned above.
This field is being exported into the JSON feed by default since it automatically includes all fields.

kubernetes/website#46996 by @sftim added different styling based on the CVE status to the rendered HTML.
kubernetes/website#47000 by myself includes the new field in the RSS feed.

Should we close this issue as completed, or are any extra steps needed?

@PushkarJ
Member

Thank you so much for the excellent progress on this @jbiers, especially swiftly updating the RSS feed, and @sftim for setting the unfixed CVEs as bold.

Looking at the preview on my phone I don't see any currently listed CVEs in bold. Does that mean the existing list does not have any unfixed CVEs? (I am also looking at this from my phone, so not sure if that matters)

@sftim
Contributor Author

sftim commented Jun 28, 2024

Yes, we don't have any vulnerabilities announced but with no published fix (this is typical / normal).

See kubernetes/website#46996 for hints about how to preview if you have a desktop-type browser available.

@PushkarJ
Member

Ok, thanks for the confirmation. With this in place I will add a few that are unfixed in the next few days and see what happens.

I believe the only thing remaining to close this and mark it as resolved is the PR merge that fixes kubernetes/website#47003. I left a small comment on the issue to discuss potential notifications of old CVEs.

@PushkarJ
Member

On second thoughts kubernetes/website#47003 is unrelated to translating issue status to CVE status so we can mark this as complete.

Thank you so much for working on this @jbiers !! We really appreciate you putting in the work and showing up :)

/close

@k8s-ci-robot
Contributor

@PushkarJ: Closing this issue.

In response to this:

On second thoughts kubernetes/website#47003 is unrelated to translating issue status to CVE status so we can mark this as complete.

Thank you so much for working on this @jbiers !! We really appreciate you putting in the work and showing up :)

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
