[Draft] VEX Feed & generator tooling#200
Conversation
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: PushkarJ The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Add an OpenVEX v0.2.0 feed recording whether Kubernetes is affected by CVEs raised in closed kubernetes/kubernetes issues, and how each was resolved. This covers 10 closed issues where a reporter identified a CVE and asked maintainers to address it. Each per-issue document under files/ is the source of truth; the combined feed (kubernetes-vex-feed-draft.openvex.json) is deduped to one statement per CVE (21 statements). Statuses: dependency and Go stdlib CVEs remediated by version bumps are fixed, cases with no reachable vulnerable code are not_affected with a justification, and unconfirmed reachability is under_investigation. Signed-off-by: Pushkar Joglekar <pushkar.joglekar@broadcom.com>
780fe0a to
2d9d8f3
Compare
Add hack/build-feed (Go), which merges the per-issue OpenVEX documents under files/ into the combined feed, deduped to one statement per CVE. Notes for CVEs reported by more than one issue come from hack/merge-overrides.json; status and justification must agree across sources or the build stops. Run it with --check in CI to catch a stale feed. The OpenVEX Document/Statement types come from the upstream github.com/openvex/go-vex module rather than being hand-rolled here; hack/openvex re-exports them and adds the Load/Save helpers this repo's tools need. Save() also works around a go-vex bug: VEX.MarshalJSON normalizes timestamps by routing through the package-level json.Marshal internally, which unconditionally HTML-escapes the angle brackets and ampersand in status notes (turning a version comparison into an unreadable Unicode escape) regardless of the encoder's SetEscapeHTML(false). Covered by unit tests plus a regression test that rebuilds the feed from the real per-issue files and merge-overrides.json and diffs it against the committed kubernetes-vex-feed-draft.openvex.json. Also documents the generator in the README. Signed-off-by: Pushkar Joglekar <pushkar.joglekar@broadcom.com>
32bd34f to
1544c82
Compare
| return *doc, nil | ||
| } | ||
|
|
||
| // htmlEscapes undoes the HTML escaping vex.VEX.MarshalJSON always applies to |
There was a problem hiding this comment.
Concretely, a status note like "...vendors golang.org/x/net >= v0.55.0..." comes out as "...vendors golang.org/x/net \u003e= v0.55.0..." — technically valid JSON, but unreadable, and it happened silently. I found this by literally diffing the reformatted output against the original file and noticing >= had turned into \u003e=.
1544c82 to
3c05881
Compare
Add hack/new-issue (Go), which fetches a kubernetes/kubernetes issue with gh, extracts the CVE IDs it mentions, and writes a files/issue-<n>.openvex.json stub (one statement per CVE, status under_investigation, notes as TODO) for a human to complete. It sets the document identifier to the issue URL and refuses to overwrite an existing file. The VEX determination stays a manual step. Reuses the hack/openvex package added alongside build-feed for the document types and JSON save helper. Signed-off-by: Pushkar Joglekar <pushkar.joglekar@broadcom.com>
Demonstrate the intended maintainer workflow for updating the feed as new information about an issue comes in. Re-reading issue #140092 showed that golang.org/x/net was bumped past the vulnerable range (now >= v0.55.0), so CVE-2026-39821 moves from under_investigation to fixed. The per-issue document is edited, its status_notes filled in with the evidence and the fixing PRs, and the combined feed is regenerated with hack/build-feed; the README table is updated to match. This is the normal change shape: edit a file under files/, run the generator, and commit the regenerated feed alongside it. Signed-off-by: Pushkar Joglekar <pushkar.joglekar@broadcom.com>
3c05881 to
7ab4169
Compare
Summary
Adds an OpenVEX v0.2.0 feed under
sig-security-tooling/vex-feed/recording whether Kubernetes is affected by CVEs raised in closed
kubernetes/kubernetes issues, plus Go tooling to build and extend it.
Scope: the 10 newest closed issues where a reporter identified a CVE
and asked maintainers to address it. Per-issue documents in
files/are the source of truth; a generator merges them into one deduped
feed (21 statements). All documents validate with
vexctl.Written in preparation for draft VEX KEP: https://docs.google.com/document/d/1JdCYfwBU-1eoDSKa0lFL_VfVr3du2-gDT3RhILETUrQ/edit?tab=t.0#heading=h.q7lenqm942ry
Special notes for your reviewer
hack/build-feedandhack/new-issuetools are Go (not shell/Python),following the conventions of this repo's other Go tool (
srctl). TheirDocument/Statementtypes come from the upstreamgithub.com/openvex/go-vexmodule rather than being hand-rolled, sostatus/justification values get real enum validation for free; see
commit 2 below for a go-vex
MarshalJSONHTML-escaping bug this had towork around.
the real, committed per-issue files and
merge-overrides.jsonand diffsit against the committed
kubernetes-vex-feed-draft.openvex.json.cd sig-security-tooling/vex-feed && go build ./... && go test ./....and this description); I've read and tested every change myself and can
walk through any part of it on request.
Happy to split the generator/scaffolding tooling into a follow-up PR
if reviewers would prefer smaller, independently-mergeable pieces.
Per-commit
1. vex-feed: add kubernetes vex feed (56454bc)
Adds the per-issue OpenVEX documents (
files/issue-<n>.openvex.json),the combined feed (
kubernetes-vex-feed-draft.openvex.json, dedupedto one statement per CVE), and the README. Statuses reflect each
issue's resolution: Go-stdlib/dependency CVEs remediated by version
bumps are
fixed, unreachable code isnot_affectedwith ajustification, and unconfirmed reachability is
under_investigation.2. vex-feed: add generator that builds the feed (ccd832c)
Adds
hack/build-feed(Go), which merges the per-issue documents intothe combined feed, deduped per CVE. Merged notes for multi-issue CVEs
come from
hack/merge-overrides.json; conflicting status orjustification stops the build. Running with
--checkverifies thecommitted feed is current (for CI).
The
Document/Statementtypes come fromgithub.com/openvex/go-vexrather than being hand-rolled;
hack/openvexre-exports them and addsthe
Load/Savehelpers this repo's tools need.Savealso worksaround a go-vex bug:
VEX.MarshalJSONnormalizes timestamps by routingthrough the package-level
json.Marshalinternally, whichunconditionally HTML-escapes angle brackets and ampersand in status
notes regardless of the encoder's
SetEscapeHTML(false)— leftunfixed, a note like "bumped to
>= v0.55.0" would silently come outas an unreadable Unicode escape on the next regeneration.
Note: merging duplicate-issue CVEs into
merge-overrides.jsonis amanual, one-time curation step per CVE — worth doing for the existing
duplicates in this feed, but not something the tool automates.
3. vex-feed: add tool to scaffold per-issue docs (64d9dc1)
Adds
hack/new-issue(Go), which fetches an issue, extracts its CVEIDs, and writes a
files/issue-<n>.openvex.jsonstub (one statementper CVE,
under_investigation, notes as TODO) for a human tocomplete. It sets the document identifier to the issue URL and
refuses to overwrite an existing file.
4. vex-feed: walk through a maintainer feed update (7ab4169)
A worked example of the maintainer update workflow: re-reading a
source issue showed its
golang.org/x/netdependency had been bumpedpast the vulnerable range (>= v0.55.0), so the statement moves from
under_investigationtofixed. The per-issue document is edited,its notes updated with the evidence, and the feed regenerated with
hack/build-feed— the normal change shape.What is not covered
.vexdirectory of k/k will be done perhaps after we pass thebetafeature gate on VEX KEPRelated #116