Document guide to interpreting CVSS for Kubernetes

[tallclair]

It's not always clear how CVSS maps to Kubernetes. To help ensure consistency and reduce decision fatigue, we should document how we interpret and use various adjustments to rate vulnerabilities.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[tabbysable]

/triage accepted
/lifecycle frozen

[sunstonesecure-robert]

I would scope this not at a "Kubernetes" system level - but to each "component" of K8s - ie this should probably be tightly coordinated (if not coupled) to the ongoing SBOM efforts

of course there could be an aggregate roll up of CVSS scores into a single score from those component-scoped scores

[tallclair]

@bjornsen is working on this

[bjornsen]

Here's a document I put together with scoring thoughts. Please have a read and comment.

[k8s-triage-robot]

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

• Confirm that this issue is still relevant with /triage accepted (org members only)
• Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted