Hi fellow Kubernetes SIG Security Members,
As part of graduating our official CVE feed [1] from Beta → Generally Available, we would like to propose adopting https://github.com/aquasecurity/vuln-list-k8s as a SIG Security sponsored Kubernetes Community sub-project. This will allow us to support CVE publication in OSV [2] format for all future publicly announced CVEs by SRC. The generation code [3] for the OSV files will also be adopted and made part of a single repository.
We would like to open a discussion about this adoption with the community to hear any feedback, concerns or questions that you may have. Please reach out to us on #sig-security or by replying to this email to share your thoughts. We will make this decision by lazy consensus, so please share your feedback by 29 March 2024. If there are no pending concerns that need to be addressed after that, we will move forward with the adoption process outlined in our Community Docs [4].
Looking forward to your responses and feedback on this topic.
Regards,
Pushkar Joglekar (SIG Security Tooling Sub-project Lead)
[1] https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
[2] https://google.github.io/osv.dev/faq/
[3] https://github.com/aquasecurity/vuln-list-update/tree/main/k8s
[4] https://github.com/kubernetes/community/blob/master/github-management/kubernetes-repositories.md