New label for officially announced CVEs by SRC #23428
Conversation
k8s-ci-robot
added
sig/contributor-experience
|
/retest-required |
PushkarJ
force-pushed
the
new-label-cves
branch
2 times, most recently
from
2b05571 to
203aabd
Compare
|
This would be a great label to filter on. AFAIK, we currently use cc: @kubernetes/release-engineering @kubernetes/security-response-committee @kubernetes/sig-security |
PushkarJ
force-pushed
the
new-label-cves
branch
from
203aabd to
9e9d2b0
Compare
Thank you @justaugustus, refactored the label now to make it available to all repos. To your point, was hoping to use |
|
/hold So what I don't see on https://github.com/kubernetes/community/issues/5923 is consensus on this. Has this been brought up and discussed with sig-security and the security response committee? If they are on board with the plan/label, then the other thing we'd need to do is give notice to the community. Adding this label globally will add to all repos in all orgs.. we don't want anyone to be surprised. |
k8s-ci-robot
added
the
do-not-merge/hold
|
@cblecker You are right, I definitely missed adding evidence of consensus between SIG Security and SRC. We discussed this in SIG Security on 07/29 and one of the action items was to get input from SRC and address any concerns. As its been a while since then, I have added this to the agenda for our next SIG Security meeting on 09/09 Also something that I did not clarify earlier, even though the label will be available for all repos, the intent is to create automation only for |
|
(with my sig security hat on) |
k8s-ci-robot
added
the
lgtm
|
Building on this idea, I think we could even tag the actual CVE pull requests with the new label automatically from the data that the SRC hands over to release engineering every time a CVE is fixed in a patch release. I've added an issue to have Release Engineering work on this once this merges: From RelEng: |
|
If the plan is to use this label as input for an automated list of Kubernetes CVEs, then we should try to keep it constrained (at least on the issue side) to only the "official" CVE issues that get linked from the announcements / CVE reference. Alternatively, I could also see this used to track follow up requests (e.g. kubernetes/kubernetes#95086). Either would be useful, but we should be clear on the expectations. A related question: the SRC sometimes handles things that are security incidents but not CVEs. These don't usually get filed as issues on k/k, but if there was an issue filed would you expect it to be labeled with |
|
I'm unfamiliar with what's available in GitHub - is there a way to restrict who can apply a label? Agreed that it would be good to restrict it to prevent accidental pollution of the search results if we're using it to catalog the CVE issues. Perhaps to the robot + SRC? I think labeling the non-CVE issue disclosures with area/cve would be good, despite it not quite matching up to the name (or it could be area/vuln, area/security-advisory, or something like that if we really wanted it to be strictly correct in its name) |
@tallclair : yes that is the plan and agree on scoping to the ones officially announced as CVEs from SRC
@tabbysable: My suggestion would be to continue to use area/security for any issue that does not fix a vulnerability which has been given a CVE identifier by SRC (i.e. the scope above) EDIT: Sorry for not previewing my message earlier |
@tabbysable : Yes agree that we should restrict who can put this label. It seems like the labels can be authorized based on different kinds of membership as per this doc
I will dig more to find out how to exactly achieve this. But wanted to put this out in case anyone exactly knows how to do this. |
PushkarJ
changed the title
PushkarJ
force-pushed
the
new-label-cves
branch
from
9e9d2b0 to
4c4c4bd
Compare
k8s-ci-robot
added
size/S
|
@tabbysable , @tallclair Good news!! Thanks to pointers from @alvaroaleman (Links for which are now added in the PR description) found a way to add a label based on Github memberships. New commit which also passed all the checks, does the following changes:
@puerco for kubernetes/release#2264 you may need to add a team from release engg. to allow it to auto-label in-scope Issues |
|
/assign tabbysable tallclair For |
|
Do we also need to reconfigure the label plugin? See https://github.com/kubernetes/test-infra/pull/24058/files for an example. |
@sftim Looking at this block of code, it seems like additional labels is a separately handled from restricted labels: https://github.com/alvaroaleman/test-infra/blob/c37ab31c679b722b9371dfff87017db343f8bb17/prow/plugins/label/label.go#L169-L178 Example usage of restricted labels also does not seem to need additional labels yaml block here: https://github.com/openshift/release/blob/7bb7822854861b87d30c9c09c77c77b33b5dfafe/core-services/prow/02_config/openshift/cluster-baremetal-operator/_pluginconfig.yaml#L6-L13 Let me know if I am missing something or if I misunderstood the way labels are being managed by the plugin |
- Currently, it is not possible to filter for issues and PRs that are related to CVEs found in Kubernetes - It will allow filtering and automation to create a CVE feed for Kubernetes - This is a restricted label that can be added by SRC and Tooling Lead - Limited to k/k repo for clarity of scope
PushkarJ
force-pushed
the
new-label-cves
branch
from
797525a to
a20433b
Compare
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
|
/label tide/merge-method-squash |
k8s-ci-robot
added
the
tide/merge-method-squash
|
@cblecker : The new changes have addressed the concerns raised here: #23428 (comment) to remove
Happy to hear any additional concerns or questions that still need addressing. Thank you for asking to do this due diligence. I believe we have a well thought out labelling process because of it now. /assign @cblecker |
|
/lgtm @PushkarJ Thanks so much for jumping through the hoops! Glad we were able to figure out a great solution for this :) |
k8s-ci-robot
added
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cblecker, PushkarJ The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
@PushkarJ: Updated the following 2 configmaps:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This PR adds a new label
official-cve-feedfor CVEs announced by SRCk/krepo for clarity of scopeRelated Issues and PRs:
/sig contribex security
/cc @kubernetes/sig-contributor-experience-pr-reviews