Skip to content

[Draft] VEX Feed & generator tooling#200

Draft
PushkarJ wants to merge 4 commits into
kubernetes:mainfrom
PushkarJ:vex-feed-collection
Draft

[Draft] VEX Feed & generator tooling#200
PushkarJ wants to merge 4 commits into
kubernetes:mainfrom
PushkarJ:vex-feed-collection

Conversation

@PushkarJ

@PushkarJ PushkarJ commented Jul 1, 2026

Copy link
Copy Markdown
Member

Summary

Adds an OpenVEX v0.2.0 feed under sig-security-tooling/vex-feed/
recording whether Kubernetes is affected by CVEs raised in closed
kubernetes/kubernetes issues, plus Go tooling to build and extend it.

Scope: the 10 newest closed issues where a reporter identified a CVE
and asked maintainers to address it. Per-issue documents in files/
are the source of truth; a generator merges them into one deduped
feed (21 statements). All documents validate with vexctl.

Written in preparation for draft VEX KEP: https://docs.google.com/document/d/1JdCYfwBU-1eoDSKa0lFL_VfVr3du2-gDT3RhILETUrQ/edit?tab=t.0#heading=h.q7lenqm942ry

This PR was written in part with the assistance of generative AI.

Special notes for your reviewer

  • The hack/build-feed and hack/new-issue tools are Go (not shell/Python),
    following the conventions of this repo's other Go tool (srctl). Their
    Document/Statement types come from the upstream
    github.com/openvex/go-vex module rather than being hand-rolled, so
    status/justification values get real enum validation for free; see
    commit 2 below for a go-vex MarshalJSON HTML-escaping bug this had to
    work around.
  • Covered by unit tests plus a regression test that rebuilds the feed from
    the real, committed per-issue files and merge-overrides.json and diffs
    it against the committed kubernetes-vex-feed-draft.openvex.json.
  • To verify locally: cd sig-security-tooling/vex-feed && go build ./... && go test ./....
  • This PR was drafted with AI assistance (commit content, Go implementation,
    and this description); I've read and tested every change myself and can
    walk through any part of it on request.
  • This is a large PR by line count (mostly generated per-issue JSON data).
    Happy to split the generator/scaffolding tooling into a follow-up PR
    if reviewers would prefer smaller, independently-mergeable pieces.

Per-commit

1. vex-feed: add kubernetes vex feed (56454bc)

Adds the per-issue OpenVEX documents (files/issue-<n>.openvex.json),
the combined feed (kubernetes-vex-feed-draft.openvex.json, deduped
to one statement per CVE), and the README. Statuses reflect each
issue's resolution: Go-stdlib/dependency CVEs remediated by version
bumps are fixed, unreachable code is not_affected with a
justification, and unconfirmed reachability is under_investigation.

2. vex-feed: add generator that builds the feed (ccd832c)

Adds hack/build-feed (Go), which merges the per-issue documents into
the combined feed, deduped per CVE. Merged notes for multi-issue CVEs
come from hack/merge-overrides.json; conflicting status or
justification stops the build. Running with --check verifies the
committed feed is current (for CI).

The Document/Statement types come from github.com/openvex/go-vex
rather than being hand-rolled; hack/openvex re-exports them and adds
the Load/Save helpers this repo's tools need. Save also works
around a go-vex bug: VEX.MarshalJSON normalizes timestamps by routing
through the package-level json.Marshal internally, which
unconditionally HTML-escapes angle brackets and ampersand in status
notes regardless of the encoder's SetEscapeHTML(false) — left
unfixed, a note like "bumped to >= v0.55.0" would silently come out
as an unreadable Unicode escape on the next regeneration.

Note: merging duplicate-issue CVEs into merge-overrides.json is a
manual, one-time curation step per CVE — worth doing for the existing
duplicates in this feed, but not something the tool automates.

3. vex-feed: add tool to scaffold per-issue docs (64d9dc1)

Adds hack/new-issue (Go), which fetches an issue, extracts its CVE
IDs, and writes a files/issue-<n>.openvex.json stub (one statement
per CVE, under_investigation, notes as TODO) for a human to
complete. It sets the document identifier to the issue URL and
refuses to overwrite an existing file.

4. vex-feed: walk through a maintainer feed update (7ab4169)

A worked example of the maintainer update workflow: re-reading a
source issue showed its golang.org/x/net dependency had been bumped
past the vulnerable range (>= v0.55.0), so the statement moves from
under_investigation to fixed. The per-issue document is edited,
its notes updated with the evidence, and the feed regenerated with
hack/build-feed — the normal change shape.

What is not covered

  • KEP writing will be covered in separate k/enhancements proposal
  • Move to .vex directory of k/k will be done perhaps after we pass the beta feature gate on VEX KEP
  • Providing the vex json file accessible via k8s.io domain name
  • Bot replies to new issues based on vex document
  • Label based PR creation to add new VEX files for newly created issues

Related #116

@kubernetes-prow

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kubernetes-prow kubernetes-prow Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 1, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: PushkarJ
Once this PR has been reviewed and has the lgtm label, please assign cailyn-codes for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow
kubernetes-prow Bot requested review from IanColdwater and mtardy July 1, 2026 22:29
@kubernetes-prow kubernetes-prow Bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 1, 2026
Add an OpenVEX v0.2.0 feed recording whether Kubernetes is affected by
CVEs raised in closed kubernetes/kubernetes issues, and how each was
resolved.

This covers 10 closed issues where a reporter identified a CVE and
asked maintainers to address it. Each per-issue document under files/
is the source of truth; the combined feed
(kubernetes-vex-feed-draft.openvex.json) is deduped to one statement
per CVE (21 statements). Statuses: dependency and Go stdlib CVEs
remediated by version bumps are fixed, cases with no reachable
vulnerable code are not_affected with a justification, and unconfirmed
reachability is under_investigation.

Signed-off-by: Pushkar Joglekar <pushkar.joglekar@broadcom.com>
@PushkarJ
PushkarJ force-pushed the vex-feed-collection branch from 780fe0a to 2d9d8f3 Compare July 1, 2026 22:58
Add hack/build-feed (Go), which merges the per-issue OpenVEX documents
under files/ into the combined feed, deduped to one statement per CVE.
Notes for CVEs reported by more than one issue come from
hack/merge-overrides.json; status and justification must agree across
sources or the build stops. Run it with --check in CI to catch a
stale feed.

The OpenVEX Document/Statement types come from the upstream
github.com/openvex/go-vex module rather than being hand-rolled here;
hack/openvex re-exports them and adds the Load/Save helpers this
repo's tools need. Save() also works around a go-vex bug: VEX.MarshalJSON
normalizes timestamps by routing through the package-level json.Marshal
internally, which unconditionally HTML-escapes the angle brackets and
ampersand in status notes (turning a version comparison into an
unreadable Unicode escape) regardless of the encoder's
SetEscapeHTML(false). Covered by unit tests plus a regression test that
rebuilds the feed from the real per-issue files and
merge-overrides.json and diffs it against the committed
kubernetes-vex-feed-draft.openvex.json.

Also documents the generator in the README.

Signed-off-by: Pushkar Joglekar <pushkar.joglekar@broadcom.com>
@PushkarJ
PushkarJ force-pushed the vex-feed-collection branch 2 times, most recently from 32bd34f to 1544c82 Compare July 2, 2026 23:41
return *doc, nil
}

// htmlEscapes undoes the HTML escaping vex.VEX.MarshalJSON always applies to

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Concretely, a status note like "...vendors golang.org/x/net >= v0.55.0..." comes out as "...vendors golang.org/x/net \u003e= v0.55.0..." — technically valid JSON, but unreadable, and it happened silently. I found this by literally diffing the reformatted output against the original file and noticing >= had turned into \u003e=.

@PushkarJ
PushkarJ force-pushed the vex-feed-collection branch from 1544c82 to 3c05881 Compare July 3, 2026 00:00
PushkarJ added 2 commits July 3, 2026 18:54
Add hack/new-issue (Go), which fetches a kubernetes/kubernetes issue
with gh, extracts the CVE IDs it mentions, and writes a
files/issue-<n>.openvex.json stub (one statement per CVE, status
under_investigation, notes as TODO) for a human to complete. It sets
the document identifier to the issue URL and refuses to overwrite an
existing file. The VEX determination stays a manual step.

Reuses the hack/openvex package added alongside build-feed for the
document types and JSON save helper.

Signed-off-by: Pushkar Joglekar <pushkar.joglekar@broadcom.com>
Demonstrate the intended maintainer workflow for updating the feed as
new information about an issue comes in.

Re-reading issue #140092 showed that golang.org/x/net was bumped past
the vulnerable range (now >= v0.55.0), so CVE-2026-39821 moves from
under_investigation to fixed. The per-issue document is edited, its
status_notes filled in with the evidence and the fixing PRs, and the
combined feed is regenerated with hack/build-feed; the README table is
updated to match.

This is the normal change shape: edit a file under files/, run the
generator, and commit the regenerated feed alongside it.

Signed-off-by: Pushkar Joglekar <pushkar.joglekar@broadcom.com>
@PushkarJ
PushkarJ force-pushed the vex-feed-collection branch from 3c05881 to 7ab4169 Compare July 4, 2026 01:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant