Add Blog Post for KEP-3202-beta release

cailyn-codes · Cailyn Edwards · commit 17a113dba249 · 2023-03-17T09:43:09.000-04:00
diff --git a/content/en/blog/_posts/2023-03-08-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-03-08-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
@@ -0,0 +1,68 @@
+---
+layout: blog
+title: Updates to the Auto-refreshing Official CVE Feed
+date: 2023-03-17
+slug: k8s-cve-feed-beta
+---
+
+**Authors**: Cailyn Edwards (Shopify), Pushkar Joglekar (Credit Karma), Mahé Tardy (Isovalent)
+
+Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an `alpha`
+feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the
+`beta` version of the feed. This blog post will outline the feedback received, the changes made, and talk about what is
+planned for the `stable` release.
+
+
+## Feedback from end-users
+
+SIG Security received some feedback from end-users:
+- The JSON CVE Feed [did not comply](https://github.com/kubernetes/website/issues/36808)
+  with the [JSON Feed specification](https://www.jsonfeed.org/) as its name
+  would suggest.
+- The feed could also [support RSS](https://github.com/kubernetes/sig-security/issues/77)
+  in addition to JSON Feed format.
+- Some metadata fields could be added to indicate the freshness of
+  [the whole feed](https://github.com/kubernetes/sig-security/issues/72), or
+  [specific CVEs](https://github.com/kubernetes/sig-security/issues/63). Also
+  indicating [the Prow job](https://github.com/kubernetes/sig-security/issues/71)
+  that recently updated the feed. See more ideas directly on the
+  [the umbrella issue](https://github.com/kubernetes/sig-security/issues/1).
+- The feed markdown table on the website [should be ordered](https://github.com/kubernetes/sig-security/issues/73)
+  from the most recent to the least recently announced CVE.
+
+## Summary of changes
+
+In response, the SIG [did a rework of the script generating the JSON feed](https://github.com/kubernetes/sig-security/pull/76)
+to comply with the JSON Feed specification from generation and add a
+`last_updated` root field to indicate overall freshness. This redesign needed a
+[corresponding fix on the Kubernetes website side](https://github.com/kubernetes/website/pull/38579)
+for the CVE feed page to continue to work with the new format.
+
+After that, [RSS feed support](https://github.com/kubernetes/website/pull/39513)
+could be added transparently so that end-users can consume the feed in their
+preferred format.
+
+Overall, the redesign based on the JSON Feed specification, which this time broke
+backward compatibility, will allow updates in the future to address the rest of
+the issue while being more transparent and less disruptive to end-users.
+
+### Updates
+| **Title**                                                                                                    | **Issue**                                                       | **Status**                                                                                                                                                                                                                      |
+| ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| CVE Feed: JSON feed should pass jsonfeed spec validator | [kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | closed, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)|
+| CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | open, no PR |
+| CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | open, no PR open |
+
+## What's next?
+
+In preparation to graduate this feature, SIG Security
+is still gathering feedback from end users who are using the updated beta feed.
+
+To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to
+this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or
+let us know on
+[#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY)
+Kubernetes Slack channel, join [Kubernetes Slack here](https://slack.k8s.io).
