Keep OSV feed data current and updated #9
Comments
|
@knqyf263 gentle ping, since you were the last to commit, and @chen-keinan since you wrote the code. I think there is a permission issue in https://github.com/kubernetes-sigs/cve-feed-osv/actions/runs/11403286917/job/31730038462 Is this code actually parsing the plain text, unstructured JSON feeds, and merging that with an NVD CVE record? It feels a bit brittle. What if the security team were to create a structured in the first place? There is a process at https://github.com/kubernetes/committee-security-response/blob/main/cna-handbook.md#populate-cve-details-after-public-disclosure that also creates a CVE JSON, and ensuring that they also provide proper version ranges and packages (or even better PURLs) would be awesome. |
|
@pombredanne thanks for the catching it up, I see that the update job is failing due to workflow bot permission, I'll have a look. |
|
@pombredanne after taking a look I see that github action can't create PRs (new CVE for review) due to org permission |
It would be great to keep this CVE feed current and updated.
I discovered its existence in this discussion:
@andrewpollock (who contributes to OSV) wrote in aboutcode-org/vulnerablecode#1661 (comment)
But the repo is not in sync with the latest security feed.
For instance, as of today:
Questions:
The text was updated successfully, but these errors were encountered: