@oliviergoulet as discussed in the call today, Hugo is creating an XML because it believes that known is a new section. We should be able to remove this by renaming _index.md to index.md:
Well, the point was that I'd like to actually have the RSS feed correctly filled.
Are we supposed to manually poll/look at https://www.eclipse.org/security/known/ every few days/weeks to know about CVEs in Eclipse projects?
I have some sample XML formatted, and I've added some basic information about the CVEs into the feed. There is a junk items feed that I'm not honestly sure how to manipulate off the bat, but the rest should be enough to work with:
```xml
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel rdf:about="https://eclipse.org/security/known/rss.xml">
    <title>Eclipse Foundation Project CVE database</title>
    <link>https://eclipse.org/security/known/rss.xml</link>
    <description>Disclosed CVE records pertaining to Eclipse Foundation projects.</description>
    <items>
      <rdf:Seq>
        <rdf:li/> ...
      </rdf:Seq>
    </items>
    <dc:creator>Eclipse Foundation WebDev</dc:creator>
    <dc:date>2024-03-28T19:03:32Z</dc:date>
    <dc:language>en-gb</dc:language>
  </channel>
  <item rdf:about="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7649">
    <title>CVE-2017-7649</title>
    <link>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7649</link>
    <description>The network enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still the Equinox console port 5002 is left open, allowing to log into Kura without any user credentials over unencrypted telnet and executing commands using the Equinox "exec" command. As the process is running as "root" full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertisements automatically and assigns a MAC address based IPv6 address.</description>
    <dc:date>2017-04-14T04:00:00Z</dc:date>
  </item>
  <item rdf:about="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7650">
    <title>CVE-2017-7650</title>
    <link>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7650</link>
    <description>In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.</description>
    <dc:date>2017-05-17T04:00:00Z</dc:date>
  </item>
</rdf:RDF>
```
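An added consumer-side check for a feed in this shape (example code, not part of the thread or the Eclipse Foundation's tooling). It parses the RSS 1.0 items, cross-checks them against the rdf:Seq table of contents that RSS 1.0 readers use to enumerate items, and lists CVE IDs a poller has not seen yet; the embedded feed and the CVE-PLACEHOLDER URI are constructed, modelled on the XML above.

```python
import xml.etree.ElementTree as ET

NS = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "rss": "http://purl.org/rss/1.0/",   # the feed's default namespace
    "dc": "http://purl.org/dc/elements/1.1/",
}
RDF_ABOUT = "{%s}about" % NS["rdf"]
RDF_RESOURCE = "{%s}resource" % NS["rdf"]

# Constructed sample modelled on the feed in the thread. The second rdf:li
# deliberately names a placeholder URI that no <item> carries, and the
# CVE-2017-7650 item is deliberately absent from the rdf:Seq.
SAMPLE_FEED = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel rdf:about="https://api.eclipse.org/cve/rss.xml">
    <items><rdf:Seq>
      <rdf:li rdf:resource="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7649"/>
      <rdf:li rdf:resource="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-PLACEHOLDER"/>
    </rdf:Seq></items></channel>
  <item rdf:about="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7649">
    <title>CVE-2017-7649</title><dc:date>2017-04-14T04:00:00Z</dc:date>
  </item>
  <item rdf:about="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7650">
    <title>CVE-2017-7650</title><dc:date>2017-05-17T04:00:00Z</dc:date>
  </item>
</rdf:RDF>"""

def parse_feed(xml_text):
    """Extract CVE items (id -> dc:date) and cross-check them against the
    rdf:Seq table of contents; mismatches are what readers trip over."""
    root = ET.fromstring(xml_text)
    cves, item_uris = {}, set()
    for item in root.findall("rss:item", NS):
        item_uris.add(item.get(RDF_ABOUT))
        cves[item.findtext("rss:title", namespaces=NS)] = item.findtext("dc:date", namespaces=NS)
    seq_uris = {li.get(RDF_RESOURCE)
                for li in root.findall("rss:channel/rss:items/rdf:Seq/rdf:li", NS)}
    return {
        "cves": cves,
        "missing_from_seq": sorted(item_uris - seq_uris),  # items a reader may never list
        "dangling_in_seq": sorted(seq_uris - item_uris),   # "junk" entries with no item
    }

def new_cves_since(xml_text, seen_ids):
    """CVE IDs present in the feed that the poller has not recorded yet."""
    return sorted(set(parse_feed(xml_text)["cves"]) - set(seen_ids))
```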
I'm pretty sure you meant 2023 and not 2022 in this case, but you're right. @mbarbero as the security head, who should I pass this along to to get the source updated? We should probably update our CVE list to include new CVE records like this one.
The RSS feed is now live under https://api.eclipse.org/cve/rss.xml. Do we want to put an nginx rule to proxy the request, or use something else to make the content available?
Looking into this, it's sticky since it's going across domains and has to be routed through the HAP in OKD through location matching. I think updating the link header and the XML to just indicate the current URL would be cleaner and require less weird handling.
With the current link being empty and never implemented afaik, this should be a pretty safe switch. WDYT?
Hm. It looks like whenever we migrated that page to Hugo, that link tag was lost in the shuffle. We'll need to make a patch for that. Do we need that to be in the source, or can we inject it post load with JS?
EDIT: I figure we can just inject with JS, but I want to do a quick patch for this so we can finish up this request.
Hm. It looks like whenever we migrated that page to Hugo, that link tag was lost in the shuffle
The known page had an RSS feed because it was implemented as a new section rather than a new page. Hugo will include an RSS feed on a section page since it would be expected that the section has sub-pages. We fixed that via eclipsefdn/it/websites/eclipse.org!131 (diffs)
It's the difference between _index.md and index.md.
An idea to allow us to inject the link tag would be to modify our head.html partial to allow us to insert HTML using the page's front matter.