New label for officially announced CVE (#23428)

- Currently, it is not possible to filter for issues and PRs that are related to CVEs found in Kubernetes - It will allow filtering and automation to create a CVE feed for Kubernetes - This is a restricted label that can be added by SRC and Tooling Lead - Limited to k/k repo for clarity of scope
kubernetes · Dec 1, 2021 · 5f63b9f · 5f63b9f
1 parent 885e4a1
commit 5f63b9f
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/config/prow/plugins.yaml b/config/prow/plugins.yaml
@@ -132,6 +132,18 @@ label:
     # This label, for k/website, identifies PRs with large refactoring changes
     - refactor
 
+  restricted_labels:
+    kubernetes/kubernetes:
+        # Security Response Committee (SRC) is allowed to add this label, 
+        # to new and existing GitHub Issues and PRs that announce a fixed CVE triaged by SRC
+      - allowed_teams:
+          - security-response-committee
+        # SIG Security Tooling Lead is an allowed user to assist SRC in this CVE feed automation  
+        allowed_users:
+          - pushkarj
+        # This label is used to filter/tag CVEs announced by SRC
+        label: official-cve-feed
+
 lgtm:
 - repos:
   - bazelbuild

diff --git a/label_sync/labels.md b/label_sync/labels.md
@@ -385,6 +385,7 @@ larger set of contributors to apply/remove them.
 | <a id="area/network-policy" href="#area/network-policy">`area/network-policy`</a> | Issues or PRs related to Network Policy subproject| label | |
 | <a id="area/release-eng" href="#area/release-eng">`area/release-eng`</a> | Issues or PRs related to the Release Engineering subproject <br><br> This was previously `area/release-infra`, | label | |
 | <a id="deprecated/hyperkube" href="#deprecated/hyperkube">`deprecated/hyperkube`</a> | Issues or PRs related to the hyperkube subproject <br><br> This was previously `area/hyperkube`, | label | |
+| <a id="official-cve-feed" href="#official-cve-feed">`official-cve-feed`</a> | Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)| anyone |  [label](https://git.k8s.io/test-infra/prow/plugins/label) |
 
 ## Labels that apply to kubernetes/kubernetes, only for issues
 

diff --git a/label_sync/labels.yaml b/label_sync/labels.yaml
@@ -1136,6 +1136,12 @@ repos:
         target: prs
         prowPlugin: require-matching-label
         addedBy: prow
+      - color: 0052cc
+        description: Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
+        name: official-cve-feed
+        target: both
+        prowPlugin: label
+        addedBy: anyone
 
   kubernetes/org:
     labels: