Conversation
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: PushkarJ
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold
These are open issues, so need to gain consensus on whether they should be part of this feed or not
Related to this: kubernetes/sig-security#135
Per discussion in SIG Security meeting on Feb 6 2026, we would like to get these open unfixed CVEs published here in order to maintain parity with the Kubernetes Official CVE Feed.
During the SIG Security Tooling meeting Feb 13 2026, we noticed that these generated documents incorrectly state that these CVEs are fixed starting from (next version after publication). I assume this is just an artifact of some assumptions baked into the generation tooling. Let's not merge these until we can get that fixed, to prevent these OSV documents from being misleading.
Sounds like we need to remove the last affected field for these unfixed CVEs, based on this example: https://ossf.github.io/osv-schema/#examples
Interestingly, I found that there are two PRs (one merged) to fix one of these CVEs in the GHSA DB: https://github.com/github/advisory-database/pulls?q=is%3Apr+author%3Aenj+is%3Aclosed by our very own @enj. But sadly the changes are not reflected in the main GHSA OSV files, which seem to face the same issue as our PR currently does.
Changes `introduced` to v0.0.1 and removes fixed version as there is no fix available
Reflect no fix and all versions affected status from GitHub issue
7ccb328 to e6e2e6f
This PR updates vulns/CVE-2021-25740.json
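As an added illustration (not code from this PR or from the sig-security feed tooling), a small Python check for the problem discussed above: it flags `fixed` or `last_affected` events in an OSV record for a vulnerability that has no fix, and rewrites the ranges so that only an `introduced` event remains, mirroring what the commits do. The record below is constructed and is not the real vulns/CVE-2021-25740.json; the exact `introduced` version string ("0.0.1" here, the PR's commit message says v0.0.1) is an assumption.

```python
import json
from copy import deepcopy

# Constructed sample in the shape of an OSV record (NOT the real
# vulns/CVE-2021-25740.json). It reproduces the generator artifact the
# discussion describes: a `fixed` event is present even though no fix exists.
SAMPLE_OSV = json.loads("""
{
  "id": "CVE-2021-25740",
  "affected": [
    {
      "package": {"name": "k8s.io/kubernetes", "ecosystem": "Go"},
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {"introduced": "1.0.0"},
            {"fixed": "1.99.0"}
          ]
        }
      ]
    }
  ]
}
""")

# OSV event keys that assert a version resolves (or bounds) the issue.
RESOLVING_EVENTS = ("fixed", "last_affected")


def find_resolving_events(record):
    """Return (affected index, range index, event) for every event claiming
    that some version resolves the issue. For an unfixed CVE the list must be
    empty; anything found here would make the published OSV document misleading."""
    found = []
    for ai, aff in enumerate(record.get("affected", [])):
        for ri, rng in enumerate(aff.get("ranges", [])):
            for ev in rng.get("events", []):
                if any(key in ev for key in RESOLVING_EVENTS):
                    found.append((ai, ri, ev))
    return found


def mark_unfixed(record, introduced="0.0.1"):
    """Return a copy in which every range carries a single `introduced` event
    and no `fixed`/`last_affected`, i.e. all versions from `introduced` onward
    are reported as affected. The input record is left untouched."""
    out = deepcopy(record)
    for aff in out.get("affected", []):
        for rng in aff.get("ranges", []):
            rng["events"] = [{"introduced": introduced}]
    return out
```

Running `find_resolving_events` over each file under vulns/ before merging would catch the same artifact on future generated records.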