[Openstack-security] Would people see a value in the cve-check-tool?

Clark, Robert Graham robert.clark at hp.com
Tue Aug 4 17:59:00 UTC 2015


Sorry, didn’t see the note re: double post – I’ll reply on the main thread.
-Rob

From: Clark, Robert Graham
Sent: 04 August 2015 18:51
To: Timur Nurlygayanov; Reshetova, Elena
Cc: openstack-security at lists.openstack.org; Heath, Constanza M; Ding, Jian-feng
Subject: Re: [Openstack-security] Would people see a value in the cve-check-tool?

Can you move this over to OpenStack Development Mailing List (openstack-dev at lists.openstack.org) with the [Security] tag please?

We’re trying to wind down the security ML.

-Rob

From: Timur Nurlygayanov [mailto:tnurlygayanov at mirantis.com]
Sent: 04 August 2015 18:20
To: Reshetova, Elena
Cc: openstack-security at lists.openstack.org; Heath, Constanza M; Ding, Jian-feng
Subject: Re: [Openstack-security] Would people see a value in the cve-check-tool?

Hi Elena,
I like the idea; probably we can prepare some scripts which will allow running this tool for any OpenStack component, like it is done for the Bandit tool [1].

[1] https://github.com/openstack/bandit

On Tue, Aug 4, 2015 at 8:01 PM, Reshetova, Elena <elena.reshetova at intel.com> wrote:
Hi,

Sorry for the double posting, I have got a recommendation to send this to the security mailing list also and not to the dev one.

We would like to ask opinions if people find it valuable to include a cve-check-tool into the OpenStack continuous integration process?
The tool can be run against the package and module dependencies of OpenStack components and detect any CVEs (in future there are also plans to integrate more functionality into the tool, such as scanning of other vulnerability databases, etc.). It would not only provide fast detection of new vulnerabilities that are being released for existing dependencies, but also control that people are not introducing new vulnerable dependencies.

The tool is located here: https://github.com/ikeydoherty/cve-check-tool

I am attaching an example of a very simple Python wrapper for the tool, which is able to process formats like: http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints.txt
and an example of html output if you would be running it for the python module requests 2.2.1 version (which is vulnerable to 3 CVEs).

Best Regards,
Elena.



_______________________________________________
Openstack-security mailing list
Openstack-security at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security



--

Timur,
Senior QA Engineer
OpenStack Projects
Mirantis Inc
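The wrapper Elena describes (parse pins in the upper-constraints.txt format, look each dependency up against vulnerability data, emit an HTML report) is attached to the original mail and not reproduced on this page. The following is an added illustration of that workflow, not Elena's attached script and not cve-check-tool's own code. It assumes a simplified "fixed in version X" advisory model; the advisory entries and their EXAMPLE-nnnn identifiers are constructed placeholders standing in for the three unnamed CVEs the thread mentions for requests 2.2.1, not real CVE numbers.

```python
"""Added illustration of a constraints-file vulnerability check.

Not the wrapper attached to the original mail and not cve-check-tool itself.
Parses upper-constraints.txt style pins (name===version), compares each pin
against an advisory list using a simplified "first fixed version" rule, and
renders an HTML table of findings.  All advisory data below is constructed."""
import html
import re
from typing import Dict, List, Tuple

# Constructed sample in the upper-constraints.txt format.
SAMPLE_CONSTRAINTS = """\
# comment lines and blank lines are ignored
requests===2.2.1
oslo.config===2.1.0
six===1.9.0;python_version=='2.7'
PyYAML===3.11
"""

# Constructed advisory feed; identifiers are placeholders, not real CVE ids.
# The three "requests" entries stand in for the three CVEs the thread mentions.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "requests", "fixed_in": "2.3.0"},
    {"id": "EXAMPLE-0002", "package": "requests", "fixed_in": "2.6.0"},
    {"id": "EXAMPLE-0003", "package": "requests", "fixed_in": "2.20.0"},
    {"id": "EXAMPLE-0004", "package": "pyyaml", "fixed_in": "5.1"},
    {"id": "EXAMPLE-0005", "package": "six", "fixed_in": "1.5.0"},  # pin already past fix
]

# name===version, optionally followed by ";<environment marker>"
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*===\s*([^;\s]+)")


def normalise(name: str) -> str:
    """pip treats names case-insensitively and '-', '_' and '.' as equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_constraints(text: str) -> List[Tuple[str, str]]:
    """Return (normalised name, version) pairs from upper-constraints text."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError("unrecognised constraint line: %r" % line)
        pins.append((normalise(m.group(1)), m.group(2)))
    return pins


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric key for simple dotted versions; pre-release suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_affected(pinned: str, fixed_in: str) -> bool:
    """True when the pinned version is older than the first fixed version."""
    a, b = version_key(pinned), version_key(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so 2.2 compares equal to 2.2.0
    b += (0,) * (width - len(b))
    return a < b


def find_advisories(pins: List[Tuple[str, str]], advisories) -> Dict[str, List[str]]:
    """Map 'name version' -> advisory ids whose fix is newer than the pin."""
    by_pkg: Dict[str, list] = {}
    for adv in advisories:
        by_pkg.setdefault(normalise(adv["package"]), []).append(adv)
    findings: Dict[str, List[str]] = {}
    for name, version in pins:
        hits = [adv["id"] for adv in by_pkg.get(name, [])
                if is_affected(version, adv["fixed_in"])]
        if hits:
            findings["%s %s" % (name, version)] = hits
    return findings


def render_html(findings: Dict[str, List[str]]) -> str:
    """Minimal HTML report; values are escaped so feed data cannot inject markup."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(dep), html.escape(", ".join(ids)))
        for dep, ids in sorted(findings.items()))
    return "<table><tr><th>dependency</th><th>advisories</th></tr>%s</table>" % rows


if __name__ == "__main__":
    result = find_advisories(parse_constraints(SAMPLE_CONSTRAINTS), SAMPLE_ADVISORIES)
    print(render_html(result))
```

In a CI job the advisory list would come from a real feed and the constraints text from the project's requirements repository; the check fails the build whenever `find_advisories` returns a non-empty mapping, which is the "control that people are not introducing new vulnerable dependencies" point from the thread.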