tooling: include OSV JSON data in official CVE feed

[Pnkcaht]

What I Did

• Extended the official Kubernetes CVE feed to include OSV JSON data.
• For each CVE issue:
  • First attempt to extract an embedded OSV JSON object from the issue body
    (new SRC CVE announcement format).
  • Fallback to fetching the OSV JSON from the
    kubernetes-sigs/cve-feed-osv repository when no embedded OSV is present.
  • Added the OSV data under the _kubernetes_io["osv"] field.
  • Ensured that both the primary CVE and any additional CVEs referenced in the
    same issue include OSV data.
• Implemented safe network handling with try/except blocks and a timeout=5
  to prevent feed generation failures.
• Maintained backward compatibility: when no OSV data is available, the osv
  field remains None.

Related Issue

• Fixes: tooling: add the OSV CVE information to the official CVE feed #177
• Fixes: tooling: include kubernetes-sigs/cve-feed-osv OSV information in the CVE feed #178
• Fixes: tooling: include new CVE issues JSON OSV blob information in the CVE feed #179

Tests

I picked 2 different CVEs to do the test, in which the first one is related to the correct error, that is, a null return for an expected pattern.The second one is based on the correct pattern related to a CVE with the public OSV.

CVE test with OSV not published

The correct and standard behavior is for the OSV to be null, since this example CVE does not have a published OSV.

CVE with a Public OSV

CVE with public OSV where the expected default behavior is receiving a JSON with the correct information.

Output Terminal

{
  "id": "CVE-2019-11243",
  "osv": {
    "id": "CVE-2019-11243",
    "modified": "2019-04-18T21:31:53Z",
    "published": "2019-04-18T21:31:53Z",
    "summary": "rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig()",
    "details": "In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()",
    "affected": [
      {
        "package": {
          "ecosystem": "kubernetes",
          "name": "k8s.io/client-go"
        },
        "severity": [
          {
            "type": "CVSS_V3",
            "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
          }
        ],
        "ranges": [
          {
            "type": "SEMVER",
            "events": [
              {
                "introduced": "1.12.0"
              },
              {
                "fixed": "1.12.5"
              },
              {
                "introduced": "1.13.0"
              },
              {
                "fixed": "1.13.1"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "type": "ADVISORY",
        "url": "https://github.com/kubernetes/kubernetes/issues/76797"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.cve.org/cverecord?id=CVE-2019-11243"
      }
    ]
  }
}

[k8s-ci-robot]

Hi @Pnkcaht. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[PushkarJ]

/ok-to-test
/triage accepted
/sig security

[PushkarJ]

@Pnkcaht Thank you so much for making this contribution. I tested this locally and it works well!

/lgtm
/assign mtardy

[Pnkcaht]

@PushkarJ Thank you my friend, I will be contributing regularly here as well.

[mtardy]

Thanks, it works but I think the patch could be adjusted

[mtardy]

hey you committed a binary file here, please remove

[mtardy]

you already did that on line 82

[mtardy]

It's already none, you can again remove that

[mtardy]

please do not add unnecessary comments on un-related lines to your changes

[mtardy]

could you reuse that code with a function instead of duplicating?

[mtardy]

please match the full "```json osv" because the "```json" can appear in different places in the issue if any json blob is included.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Pnkcaht
Once this PR has been reviewed and has the lgtm label, please ask for approval from mtardy. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• sig-security-tooling/cve-feed/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mtardy]

/hold until we fix the patches

[mtardy]

I picked 2 different CVEs to do the test, in which the first one is related to the correct error, that is, a null return for an expected pattern.The second one is based on the correct pattern related to a CVE with the public OSV.

Also by the way, could you add actual tests that indeed for one coming from the OSV feed repo you have a not null OSV value, and the same from the body of an issue.

[PushkarJ]

@mtardy many of the PR suggestions should be fixed in my follow up PR: #183

I opened this one myself instead of getting those changes in as PR review feedback and delaying the PR merge.