[openstack-dev] Would people see a value in the cve-check-tool?

Reshetova, Elena elena.reshetova at intel.com
Tue Aug 4 15:05:48 UTC 2015 

Hi Adam, 

 

Thank you for your suggestion! I will send also this proposal to openstack-security at .

I have previously attached the wrapper python class to the email, but it seems that it didn’t reach people. Let me try again (now in a form of an archive) and see if it goes through this time. 

 

Best Regards,
Elena.

 

From: Adam Heczko [mailto:aheczko at mirantis.com] 
Sent: Monday, August 3, 2015 3:18 PM
To: OpenStack Development Mailing List (not for usage questions)
Cc: Heath, Constanza M; Ding, Jian-feng; Demeter, Michael; Bhandaru, Malini K
Subject: Re: [openstack-dev] Would people see a value in the cve-check-tool?

 

Hi Elena, the tool looks very interesting.

Maybe try to spread out this proposal also through openstack-security@ ML.

BTW, I can't find the wrapper mentioned - am I missing something?

 

Regards,

 

Adam

 

On Mon, Aug 3, 2015 at 11:08 PM, Reshetova, Elena <elena.reshetova at intel.com <mailto:elena.reshetova at intel.com> > wrote:

Hi,

 

We would like to ask opinions if people find it valuable to include a cve-check-tool into the OpenStack continuous integration process? 

A tool can be run against the package and module dependencies of OpenStack components and detect any CVEs (in future there are also plans to integrate more functionality to the tool, such as scanning of other vulnerability databases and etc.). It would not only provide fast detection of new vulnerabilities that are being released for existing dependencies, but also control that people are not introducing new vulnerable dependencies. 

 

The tool is located here: https://github.com/ikeydoherty/cve-check-tool

 

I am attaching an example of a very simple Python wrapper for the tool, which is able to process formats like: http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints.txt

and an example of html output if you would be running it for the python module requests 2.2.1 version (which is vulnerable to 3 CVEs). 

 

Best Regards,
Elena.

 

 


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe> 
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev





 

-- 

Adam Heczko

Security Engineer @ Mirantis Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150804/cd876572/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wrapper.zipx
Type: application/octet-stream
Size: 3775 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150804/cd876572/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7586 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150804/cd876572/attachment.bin>

More information about the OpenStack-dev mailing list