From 1314b35282cbe881a204838001f5d5e77b0d7d8b Mon Sep 17 00:00:00 2001 From: pnkcaht Date: Fri, 6 Feb 2026 18:47:26 -0500 Subject: [PATCH 1/2] tooling: include OSV JSON data in official CVE feed Signed-off-by: pnkcaht --- .../cve_title_parser.cpython-313.pyc | Bin 0 -> 1346 bytes .../cve-feed/hack/fetch-official-cve-feed.py | 54 +++++++++++++++++- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 sig-security-tooling/cve-feed/hack/__pycache__/cve_title_parser.cpython-313.pyc diff --git a/sig-security-tooling/cve-feed/hack/__pycache__/cve_title_parser.cpython-313.pyc b/sig-security-tooling/cve-feed/hack/__pycache__/cve_title_parser.cpython-313.pyc new file mode 100644 index 0000000000000000000000000000000000000000..362ec240435a59deb0bf7b3ecbbc386dcdb0e385 GIT binary patch literal 1346 zcmZ8hQES^)6uz>hB$XSdaT_{^ZoPC(7q@W?OEQKwGThp0-Gr=I$tWbPQKcJOu`GG_ zUbkyT!B2bWOJPv9vcdYgw><8#KS9HV4Kc=GPkReEd*8V?a^mEG?z!jaJLi1*bfy0I zxQ@WSYJKaz8b# zqx%;i`x0%6oV03Uusilw(55w{; zRI3Q|?^%=)3>sspA?5)lUvp~NTqY|ehArR04q-NR+uRNOd0j8kIx}<(CW{Qb-Wcw| zICcHHXw??ob-hY>hx&t(PTL~}p0yv7n(MH+;odp?q(Lab@jdLqbnLl|<6t}HgAcni zIbKizJH=3xabRS7#PZ1r@|eTZ0U^s}B<8ak1kFynOld$3T-lbDhgvuRVg3gkCR&u^ zCoXRQo5z;tI+DvHFR+{X?##M4d{}_7ADlo7StZKAR2-@Z<<3M2N+PXgak~*^SIfmx zW$ktifVG>eU))-$-7BuIm#b@0YKT^()oIXaN2A-W?^vD}r3JoHIszwI=TW2yVcI#3 zibFufS&b$^00&-0P3S3!M5D2^QEKRwGV!%YC8K7c5wu95?Kf?!!3(9p?zD){S;2Jc zd6U>3>hh;6ADaaRF^l69L7oSJ2SW=mDZfpKQ)pOrQ$#f>YfT;sI^TX8O~|ceCvVa7 zz#|J6W3Y75!8975cyZ_Xowrl-ds^@8N8R#YsdIm(v*D%Uo0&Hk!|6&deK#Dt`}aHV z{+xQ1dR_c69ja3YV`yUX#m@7cpWX{|MlbzI_x8aEIzRROwePOI&3?Fd^H;5xS^hm! z`YluHWj^n&{E^Cpsmq~yxesFzNH_wHiVu>G!4f4wTFLDfL@$VJMr6l6Z3RxpBg^z6 zgyL7g3b5=a6-DV^L5jXVf-*DRG&p?q^;-D;!k!UcS`JZmU(G7`hlT$TIN9)j Date: Fri, 6 Feb 2026 19:14:08 -0500 Subject: [PATCH 2/2] tooling: include embedded OSV data from CVE issue body Signed-off-by: pnkcaht --- .../cve-feed/hack/fetch-official-cve-feed.py | 62 +++++++++++++------ 1 file changed, 43 insertions(+), 19 deletions(-) 
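Review bot: Patch 1/2 adds `sig-security-tooling/cve-feed/hack/__pycache__/cve_title_parser.cpython-313.pyc` to the repository (create mode 100644, binary patch); that is a build artefact from running the script locally, tied to one interpreter version, and cannot be reviewed as source, so it should be dropped from the series and `__pycache__/` added to the ignore list so it does not reappear. The source changes of patch 1/2 to `fetch-official-cve-feed.py` are not visible here, only its diffstat.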
diff --git a/sig-security-tooling/cve-feed/hack/fetch-official-cve-feed.py b/sig-security-tooling/cve-feed/hack/fetch-official-cve-feed.py
index abcffbe..7d7eb41 100755
--- a/sig-security-tooling/cve-feed/hack/fetch-official-cve-feed.py
+++ b/sig-security-tooling/cve-feed/hack/fetch-official-cve-feed.py
@@ -18,9 +18,29 @@
 import json
 import requests
 import sys
+import re
+
 from datetime import datetime, timezone
 from cve_title_parser import parse_cve_title
+def extract_osv_from_body(body):
+ # Extract an embedded OSV JSON object from a CVE issue body.
+ # New SRC CVE announcements may include the OSV data inline
+ # as a fenced ```json code block. This helper parses and returns
+ # that JSON when present.
+ if not body:
+ return None
+
+ match = re.search(r"```json\s*(\{.*?\})\s*```", body, re.DOTALL)
+ if not match:
+ return None
+
+ try:
+ return json.loads(match.group(1))
+ except json.JSONDecodeError:
+ return None
+
+
 def getCVEStatus(state, state_reason):
 if state == "open":
 if state_reason == "reopened":
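Review bot: `extract_osv_from_body` returns whatever JSON object sits in the first ```json fence of the issue body, with no check that it is an OSV record for the CVE being processed, so any fenced JSON in an announcement (an example payload, an unrelated snippet) would be published as the feed's `osv` field. The issue body is not produced by this tool, so treat it as untrusted input: keep the parsed value only when it has the shape the feed expects, e.g. replace the `return json.loads(match.group(1))` line with `data = json.loads(match.group(1))` / `return data if isinstance(data.get("id"), str) else None` (the `\{` in the pattern already guarantees a dict on success), and let the caller compare that `id` with the CVE id it is filling. As a point of style, the four `#` lines describing the helper would be a docstring, and `import re` belongs in the alphabetical stdlib group next to `import json` rather than after `import sys` with its own blank line.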
@@ -96,23 +116,18 @@ def getCVEStatus(state, state_reason):
 first_cve_id = cve_ids[0]
 cve['id'] = first_cve_id
- # Initialize the OSV field as None in case no OSV JSON is available
- cve['_kubernetes_io']['osv'] = None
+ # Try extracting OSV from issue body first (SRC new format)
+ cve['_kubernetes_io']['osv'] = extract_osv_from_body(item.get('body'))
- # Construct the URL to fetch the OSV JSON from the official repository
- osv_url = f'https://raw.githubusercontent.com/kubernetes-sigs/cve-feed-osv/main/vulns/{first_cve_id}.json'
-
- try:
- # Attempt to fetch the OSV JSON with a 5-second timeout
- res_osv = requests.get(osv_url, timeout=5)
-
- # If the OSV JSON exists, parse it and store it in the 'osv' field
- if res_osv.status_code == 200:
- cve['_kubernetes_io']['osv'] = res_osv.json()
-
- except requests.RequestException:
- # If any network error occurs (timeout, connection error, etc.), leave 'osv' as None
- cve['_kubernetes_io']['osv'] = None
+ # Fallback: fetch OSV from cve-feed-osv repository
+ if cve['_kubernetes_io']['osv'] is None:
+ osv_url = f'https://raw.githubusercontent.com/kubernetes-sigs/cve-feed-osv/main/vulns/{first_cve_id}.json'
+ try:
+ res_osv = requests.get(osv_url, timeout=5)
+ if res_osv.status_code == 200:
+ cve['_kubernetes_io']['osv'] = res_osv.json()
+ except requests.RequestException:
+ pass
 cve['external_url'] = f'https://www.cve.org/cverecord?id={first_cve_id}'
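Review bot: The same `extract_osv_from_body(item.get('body'))` result is assigned here for `first_cve_id` and again, in the next hunk, for every `additional_cve_id` of the same issue, so an announcement that covers several CVEs attaches one CVE's embedded OSV record to all of them and the repository fallback never runs for the others. Compare the embedded record with the id being filled before accepting it, e.g. `osv = extract_osv_from_body(item.get('body'))` / `cve['_kubernetes_io']['osv'] = osv if osv and osv.get('id') == first_cve_id else None`, and do the same for `additional_cve_id`. The `except requests.RequestException: pass` preserves the behaviour of the code it replaces, but `res_osv.json()` on a 200 response that is not valid JSON raises a plain `ValueError` on older requests versions, which this block does not catch; `except (requests.RequestException, ValueError): pass` would keep one bad upstream file from aborting the whole feed build. The enclosing loop starts and ends outside this hunk.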
@@ -132,9 +147,18 @@ def getCVEStatus(state, state_reason):
 # Set the Google Group URL specific to this CVE
 additional_cve['_kubernetes_io']['google_group_url'] = f'https://groups.google.com/g/kubernetes-announce/search?q={additional_cve_id}'
- # --- Add OSV data for the additional CVE ---
- # Initialize the OSV field as None in case no JSON exists
- additional_cve['_kubernetes_io']['osv'] = None
+ additional_cve['_kubernetes_io']['osv'] = extract_osv_from_body(item.get('body'))
+
+ # Fallback: if no embedded OSV was found in the issue body, attempt to fetch
+ # the OSV JSON from the official cve-feed-osv repository for this CVE.
+ if additional_cve['_kubernetes_io']['osv'] is None:
+ additional_osv_url = f'https://raw.githubusercontent.com/kubernetes-sigs/cve-feed-osv/main/vulns/{additional_cve_id}.json'
+ try:
+ res_additional_osv = requests.get(additional_osv_url, timeout=5)
+ if res_additional_osv.status_code == 200:
+ additional_cve['_kubernetes_io']['osv'] = res_additional_osv.json()
+ except requests.RequestException:
+ pass
 # Construct the URL to fetch the OSV JSON from the official repository
 additional_osv_url = f'https://raw.githubusercontent.com/kubernetes-sigs/cve-feed-osv/main/vulns/{additional_cve_id}.json'
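Review bot: The two context lines that close this hunk, `# Construct the URL to fetch the OSV JSON from the official repository` and the second `additional_osv_url = ...`, are the start of the pre-existing repository fetch for the additional CVE, which the commit leaves in place below the hunk (outside this view); if that code still assigns `additional_cve['_kubernetes_io']['osv']` unconditionally, as the deleted `= None` initialisation suggests it did, it repeats the request the new fallback just made and overwrites the value taken from the issue body, making the new block dead. Either remove the old fetch together with the three lines deleted here, as the previous hunk did for the first CVE, or drop the new fallback and guard the old one with the same `is None` check. The enclosing loop over `additional_cve_id` starts and ends outside the hunk.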