generate cve issues table using hugo #31051
Signed-off-by: Neha Lohia <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
cc @PushkarJ
Some feedback / nits
| <th>CVE ID</th> | ||
| <th>Summary</th> | ||
| <th>Issue Details</th> |
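Review bot: The three header cells in this hunk are bare `<th>`; adding `scope="col"` to each (`<th scope="col">CVE ID</th>`) tells assistive technology that they label columns, which complements the caption suggested elsewhere in this review.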
We should use localizable strings here.
| @@ -0,0 +1,18 @@ | |||
| <table> | |||
If we can add a caption, that's helpful for accessibility.
Also consider setting a class, eg <table class="security-cves">
| <tbody> | ||
| {{ range $issues := getJSON "https://gist.githubusercontent.com/nehaLohia27/ffc2c57f0e32ab338d9f2a02b2fc9e7c/raw/431b5527613fca8c4b5bcff3ba1b06d92db47f88/issues" }} | ||
| <tr> | ||
| <td><a href="{{ .cve_url }}">{{ .cve_id }}</a></td> |
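Review bot: `{{ range $issues := getJSON ... }}` binds each element, not the whole list, to `$issues`, and the loop body then reads `.` instead, so the variable is both misnamed and unused; `{{ range getJSON ... }}` or `range $issue :=` would be clearer. Separately, Hugo renders HTML templates through Go's html/template, so `{{ .cve_id }}` in the cell body and `{{ .cve_url }}` in the href are already escaped for their context; the exposure that matters is which feed the URL is fetched from, which is the open question later in the thread.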
nit:
| <td><a href="{{ .cve_url }}">{{ .cve_id }}</a></td> | |
| <td><a href="{{ .cve_url }}">{{ .cve_id | htmlEscape }}</a></td> |
or
| <td><a href="{{ .cve_url }}">{{ .cve_id }}</a></td> | |
| <td><a href="{{ .cve_url }}" data-cve-id="{{ .cve_id | urlize }}">{{ .cve_id | htmlEscape }}</a></td> |
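Review bot: Both suggested replacements pipe `.cve_id` through `htmlEscape`, but html/template escapes `{{ }}` output again on the way out, so an `&` in an ID would render as `&amp;amp;`; Hugo's own docs pair `htmlEscape` with `safeHTML` for exactly that reason. The unpiped `{{ .cve_id }}` is already context-escaped here; if a belt-and-braces form is wanted, `{{ .cve_id | htmlEscape | safeHTML }}` is the one that does not double-encode.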
| {{ range $issues := getJSON "https://gist.githubusercontent.com/nehaLohia27/ffc2c57f0e32ab338d9f2a02b2fc9e7c/raw/431b5527613fca8c4b5bcff3ba1b06d92db47f88/issues" }} | ||
| <tr> | ||
| <td><a href="{{ .cve_url }}">{{ .cve_id }}</a></td> | ||
| <td>{{ .summary }}</td> |
| <td>{{ .summary }}</td> | |
| <td>{{ .summary | htmlEscape }}</td> |
| </tr> | ||
| </thead> | ||
| <tbody> | ||
| {{ range $issues := getJSON "https://gist.githubusercontent.com/nehaLohia27/ffc2c57f0e32ab338d9f2a02b2fc9e7c/raw/431b5527613fca8c4b5bcff3ba1b06d92db47f88/issues" }} |
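Review bot: The feed URL in this hunk is hard-coded into the template and pinned to a commit of a personal gist; reading it from `.Site.Params`, or committing the JSON under `data/` and ranging over `.Site.Data`, would let the source move to whichever location the thread settles on without a template change, and a checked-in file gives the data the same review path as the rest of k/website. A remote `getJSON` also makes every site build depend on that host being reachable.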
For the real piece, where will we fetch the JSON from?
@sftim
I have been trying to come up with ideas about where to place this. Would it make sense to create an automated PR workflow like this?
- Prow job runs periodically, and checks for additions in the vulnerabilities list
- An automated PR to k/website is created when a new vulnerability is added to the feed
- It goes through usual reviews and is then merged
- The docs page then shows up with the new vulnerability (JSON as well as Table)
Since the vulnerabilities are infrequent (handful of them per year) this flow could work and also allow PR process to pick up any mishaps or invalid inserts.
I'd prefer to use more automation and avoid relying on approver availability.
There's a similar question about a place to put some JSON, for kubernetes/contributor-site#222
So, although I don't know exactly how we usually hook up Prow job output to cloud object storage, there's the start of a pattern and a strong hint that a reusable answer (that uses automation) is worth chasing.
@sftim I agree that cloud object storage will make approver availability a non-issue. But I am worried that the object storage without proper authorization and authentication could be a vector of compromise where the CVE data could be tampered with to deface k8s website or misrepresent the number of CVEs.
Having the data (only when a meaningful delta exists, which is less than 10 times a year so far) go through approvals/reviews would not have such a problem. Perhaps this is an opportunity to use OWNERS file and allow SRC + SIG Security chairs and Tooling Lead (me) to be responsible for making sure this page on k/website, gets refreshed as soon as a new CVE is published.
What do you think? @nehaLohia27 please chime in too if you have any thoughts on this!
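As an added example (not code from this PR or from k/website), a small Go check of the kind the automated PR flow described above could run on the feed before a PR is opened, so that an invalid insert or a tampered entry is rejected instead of reaching the rendered table. The field names follow the template (`cve_id`, `cve_url`, `summary`); the CVE ID pattern, the allowed link hosts and the sample feeds are my assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
)

// Issue mirrors the three fields the Hugo template in this PR reads.
type Issue struct {
	CVEID   string `json:"cve_id"`
	CVEURL  string `json:"cve_url"`
	Summary string `json:"summary"`
}
var cveIDRe = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)
// allowedHosts is an assumed allow-list of where a CVE link may point; it is not from the PR.
var allowedHosts = map[string]bool{"www.cve.org": true, "nvd.nist.gov": true, "github.com": true}
// ValidateFeed parses the feed and reports the first entry a reviewer would reject:
// malformed or duplicate IDs, non-https or off-list links, missing or oversized summaries.
func ValidateFeed(raw []byte) ([]Issue, error) {
	var issues []Issue
	if err := json.Unmarshal(raw, &issues); err != nil {
		return nil, fmt.Errorf("feed is not a JSON array of issues: %w", err)
	}
	seen := make(map[string]bool, len(issues))
	for i, it := range issues {
		switch u, err := url.Parse(it.CVEURL); {
		case !cveIDRe.MatchString(it.CVEID):
			return nil, fmt.Errorf("entry %d: malformed cve_id %q", i, it.CVEID)
		case seen[it.CVEID]:
			return nil, fmt.Errorf("entry %d: duplicate cve_id %s", i, it.CVEID)
		case err != nil || u.Scheme != "https" || !allowedHosts[u.Host]:
			return nil, fmt.Errorf("entry %d: cve_url %q is not an https link to an allowed host", i, it.CVEURL)
		case it.Summary == "" || len(it.Summary) > 500:
			return nil, fmt.Errorf("entry %d: summary missing or longer than 500 bytes", i)
		}
		seen[it.CVEID] = true
	}
	return issues, nil
}
// Constructed sample feeds; the CVE IDs are placeholders, not real records.
const goodFeed = `[{"cve_id":"CVE-2000-0001","cve_url":"https://www.cve.org/CVERecord?id=CVE-2000-0001","summary":"constructed entry one"},
 {"cve_id":"CVE-2000-0002","cve_url":"https://nvd.nist.gov/vuln/detail/CVE-2000-0002","summary":"constructed entry two"}]`
const badFeed = `[{"cve_id":"CVE-2000-0003","cve_url":"http://example.com/x","summary":"plain-http link"}]`
func main() {
	_, err := ValidateFeed([]byte(badFeed)) // stand-alone run: prints why the bad feed is rejected
	fmt.Println(err)
}
```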
@PushkarJ @sftim What if we avoid using cloud object storage? Then where will this JSON be placed? I am still trying to understand the automated PR workflow process and how Prow works with GitHub integration. How would this PR know where to fetch the JSON from unless it is explicitly hosted somewhere?
We now have two options to do this discussed in kubernetes/sig-security#32 and kubernetes/sig-security#33
✔️ Deploy Preview for kubernetes-io-main-staging ready!
🔨 Explore the source changes: 8870711
🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/61c1a8e8f3670b00079e7db0
😎 Browse the preview: https://deploy-preview-31051--kubernetes-io-main-staging.netlify.app
@nehaLohia27 this might be a stretch to ask but are you familiar with Terraform code? Maybe you can directly get involved with the infrastructure SIG?
@sftim I haven't worked on Terraform earlier, but I can take a look. What's the ask?
@nehaLohia27 👋🏻 This PR has been dormant for 2 months and is still marked WIP. Please feel free to /close
@zacharysarah: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@nehaLohia27: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
We do still want this to happen, and the related KEP is tracked for work.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
@nehaLohia27 should we open a new PR that supersedes this or should we continue on this one?
/remove-lifecycle stale
@PushkarJ I think we can open a new PR. Once it's done, I will close this one.
/close
@PushkarJ: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.