From a20433bf235bd7d6fd997b6fcc61c4850228e605 Mon Sep 17 00:00:00 2001
From: Pushkar Joglekar
Date: Tue, 31 Aug 2021 15:43:05 -0700
Subject: [PATCH] New label for officially announced CVE
- Currently, it is not possible to filter for issues and PRs that are related to CVEs found in Kubernetes
- It will allow filtering and automation to create a CVE feed for Kubernetes
- This is a restricted label that can be added by SRC and Tooling Lead
- Limited to k/k repo for clarity of scope
---
 config/prow/plugins.yaml | 12 +++++++++++-
 label_sync/labels.md | 1 +
 label_sync/labels.yaml | 6 ++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/config/prow/plugins.yaml b/config/prow/plugins.yaml
index c28527fe5fae..3f9a0ab7dc7d 100644
--- a/config/prow/plugins.yaml
+++ b/config/prow/plugins.yaml
@@ -129,7 +129,17 @@ label:
 - tide/merge-method-squash
 # This label, for k/website, identifies issues relevant to https://katacoda.com/
 - team/katacoda
-
+ restricted_labels:
+ kubernetes/kubernetes:
+ # Security Response Committee (SRC) is allowed to add this label,
+ # to new and existing GitHub Issues and PRs that announce a fixed CVE triaged by SRC
+ - allowed_teams:
+ - security-response-committee
+ # SIG Security Tooling Lead is an allowed user to assist SRC in this CVE feed automation
+ allowed_users:
+ - pushkarj
+ # This label is used to filter/tag CVEs announced by SRC
+ label: official-cve-feed
 lgtm:
 - repos:
 - bazelbuild
diff --git a/label_sync/labels.md b/label_sync/labels.md
index 4aac610fcb10..69544f1b7d1e 100644
--- a/label_sync/labels.md
+++ b/label_sync/labels.md
@@ -383,6 +383,7 @@ larger set of contributors to apply/remove them.
 | `area/network-policy` | Issues or PRs related to Network Policy subproject| label | |
 | `area/release-eng` | Issues or PRs related to the Release Engineering subproject
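Review bot: The new `restricted_labels` entry for kubernetes/kubernetes grants the exception to a personal GitHub handle (`allowed_users: - pushkarj`) rather than to a role, so the permission outlives the Tooling Lead assignment unless someone remembers to edit this file; a GitHub team for the tooling role listed under `allowed_teams` (constructed example: `sig-security-tooling-leads`) would follow membership changes automatically, or at minimum the comment should record who owns the exception and when it is re-reviewed, e.g. `# Exception for the SIG Security Tooling Lead (individual, not a team) - re-review when the role changes`. The other hunks in this commit describe the same label as `addedBy: anyone` in labels.yaml and "anyone" in labels.md, which contradicts the restriction configured here; the generated docs should state that only SRC and the listed users can apply it, otherwise contributors will try `/label official-cve-feed` and automation built on the feed will be confused by the rejections. I believe the label plugin enforces `restricted_labels` on removal as well as addition; if so, stating that in the comment would make the guarantee the CVE feed relies on explicit.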

This was previously `area/release-infra`, | label | |
 | `deprecated/hyperkube` | Issues or PRs related to the hyperkube subproject

This was previously `area/hyperkube`, | label | |
+| `official-cve-feed` | Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)| anyone | [label](https://git.k8s.io/test-infra/prow/plugins/label) |
 ## Labels that apply to kubernetes/kubernetes, only for issues
diff --git a/label_sync/labels.yaml b/label_sync/labels.yaml
index ea2bae70268c..c634cfee1ae9 100644
--- a/label_sync/labels.yaml
+++ b/label_sync/labels.yaml
@@ -1136,6 +1136,12 @@ repos:
 target: prs
 prowPlugin: require-matching-label
 addedBy: prow
+ - color: 0052cc
+ description: Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
+ name: official-cve-feed
+ target: both
+ prowPlugin: label
+ addedBy: anyone
 kubernetes/org:
 labels: