[Openstack-security] Would people see a value in the cve-check-tool?

Victor Ryzhenkin vryzhenkin at mirantis.com
Tue Aug 4 18:07:27 UTC 2015


Hi folks!

Idea really looks good.

I am attaching an example of a very simple Python wrapper for the tool


Looks like this wrapper is lightweight. But maybe try to integrate it with Bandit rather than create a new tool?

-- 
Victor Ryzhenkin
freerunner on #freenode

On 4 August 2015 at 21:04:39, Reshetova, Elena (elena.reshetova at intel.com) wrote:

Funny, I originally posted it to the OpenStack Development Mailing List, but I got a suggestion to post it to the security ML instead.

Anyway, now I have this request in both places…


Best Regards,
Elena.


From: Clark, Robert Graham [mailto:robert.clark at hp.com]
Sent: Tuesday, August 4, 2015 10:51 AM
To: Timur Nurlygayanov; Reshetova, Elena
Cc: openstack-security at lists.openstack.org; Heath, Constanza M; Ding, Jian-feng
Subject: RE: [Openstack-security] Would people see a value in the cve-check-tool?


Can you move this over to OpenStack Development Mailing List (openstack-dev at lists.openstack.org) with the [Security] tag please?


We’re trying to wind down the security ML.


-Rob


From: Timur Nurlygayanov [mailto:tnurlygayanov at mirantis.com]
Sent: 04 August 2015 18:20
To: Reshetova, Elena
Cc: openstack-security at lists.openstack.org; Heath, Constanza M; Ding, Jian-feng
Subject: Re: [Openstack-security] Would people see a value in the cve-check-tool?


Hi Elena,

I like the idea; probably we can prepare some scripts which will allow running this tool for any OpenStack component, like it is done for the Bandit tool [1].

[1] https://github.com/openstack/bandit


On Tue, Aug 4, 2015 at 8:01 PM, Reshetova, Elena <elena.reshetova at intel.com> wrote:

Hi,


Sorry for the double posting, I have got a recommendation to send this to the security mailing list also and not to the dev one.


We would like to ask for opinions on whether people find it valuable to include the cve-check-tool in the OpenStack continuous integration process.

The tool can be run against the package and module dependencies of OpenStack components and detect any CVEs (in future there are also plans to add more functionality to the tool, such as scanning other vulnerability databases, etc.). It would not only provide fast detection of new vulnerabilities that are released for existing dependencies, but also check that people are not introducing new vulnerable dependencies.


The tool is located here: https://github.com/ikeydoherty/cve-check-tool


I am attaching an example of a very simple Python wrapper for the tool, which is able to process formats like: http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints.txt

and an example of the HTML output from running it for version 2.2.1 of the Python module requests (which is vulnerable to 3 CVEs).


Best Regards,
Elena.



_______________________________________________
Openstack-security mailing list
Openstack-security at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security




--


Timur,

Senior QA Engineer

OpenStack Projects

Mirantis Inc

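Added example, not the wrapper attached to the thread (the attachment is not in the archive): a small Python check that parses the `upper-constraints.txt` pin format discussed above (`package===version`, optional environment marker) and flags pins that sit below the first fixed version in an advisory feed. The advisory entries, their IDs and fixed-in versions are constructed placeholders, not real CVE data.

```python
import re

# upper-constraints.txt pins one exact version per package with "===", optionally
# followed by an environment marker, e.g. "oslo.config===2.1.0;python_version=='2.7'"
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*===\s*([0-9][0-9A-Za-z.]*)")

def parse_constraints(text):
    """Return {normalised package name: pinned version} for a constraints file."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError("unrecognised constraint line: %r" % raw)
        # PyPI names compare case-insensitively and treat '_' and '-' alike
        pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins

def version_key(version):
    """Numeric ordering key; a non-numeric component (e.g. '0rc1') sorts lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

# Constructed advisory feed: (package, first fixed version, id); placeholders, not real CVE data
ADVISORIES = [
    ("requests", "2.3.0", "CVE-PLACEHOLDER-1"),
    ("requests", "2.6.0", "CVE-PLACEHOLDER-2"),
    ("requests", "2.20.0", "CVE-PLACEHOLDER-3"),
    ("six", "1.2.0", "CVE-PLACEHOLDER-4"),
]

def find_vulnerable(pins, advisories=ADVISORIES):
    """Map each pinned package to the advisories whose fix it has not reached."""
    hits = {}
    for package, fixed_in, advisory_id in advisories:
        pinned = pins.get(package)
        if pinned is not None and version_key(pinned) < version_key(fixed_in):
            hits.setdefault(package, []).append(advisory_id)
    return hits

SAMPLE_CONSTRAINTS = """# constructed excerpt in upper-constraints.txt format
requests===2.2.1
six===1.9.0
oslo.config===2.1.0;python_version=='2.7'
"""

if __name__ == "__main__":
    for pkg, ids in find_vulnerable(parse_constraints(SAMPLE_CONSTRAINTS)).items():
        print("%s: %s" % (pkg, ", ".join(ids)))
```

Run in CI against the real constraints file, a non-empty result is the signal to fail the job; the version comparison is deliberately simple and should be swapped for a PEP 440 implementation before trusting it on pre-release pins.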