<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><div id="bloop_customfont" style="line-height: 19.5px; margin: 0px;">Hi folks!</div><div id="bloop_customfont" style="line-height: 19.5px; margin: 0px;"><br></div><div id="bloop_customfont" style="line-height: 19.5px; margin: 0px;">The idea really looks good.</div><div id="bloop_customfont" style="line-height: 19.5px; margin: 0px;"><br></div><div id="bloop_customfont" style="line-height: 19.5px; margin: 0px;"><blockquote class="clean_bq"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="clean_bq"><div link="#0563C1" vlink="#954F72" lang="FI"><p class="MsoNormal"><span lang="EN-GB">I am attaching an example of a very simple Python wrapper for the tool</span></p></div></blockquote></div></div></blockquote></div><div id="bloop_customfont" style="line-height: 19.5px; margin: 0px;"><br></div><div id="bloop_customfont" style="line-height: 19.5px; margin: 0px;">Looks like this wrapper is lightweight. But maybe try to integrate it with Bandit and not create a new tool?</div></div> <br> <div id="bloop_sign_1438711573445127936" class="bloop_sign"><div style="font-family:helvetica,arial;font-size:13px">-- <br>Victor Ryzhenkin</div><div style="font-family:helvetica,arial;font-size:13px"><span style="line-height: normal;">freerunner on #freenode</span></div></div> <br><p class="airmail_on" style="color:#000;">On 4 August 2015 at 21:04:39, Reshetova, Elena (<a href="mailto:elena.reshetova@intel.com">elena.reshetova@intel.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div lang="FI" link="blue" vlink="purple" xml:lang="FI"><div></div><div>








<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB">Funny, I originally posted it to the</span>
<span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB">OpenStack Development Mailing List, but I got
a suggestion to post it to the security ML instead.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB">Anyway, now I have this request in both
places…</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB">Best Regards,<br>
Elena.</span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB"> </span></a></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif" xml:lang="EN-US">From:</span></b> <span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif" xml:lang="EN-US">Clark, Robert Graham [mailto:robert.clark@hp.com]<br>
<b>Sent:</b> Tuesday, August 4, 2015 10:51 AM<br>
<b>To:</b> Timur Nurlygayanov; Reshetova, Elena<br>
<b>Cc:</b> openstack-security@lists.openstack.org; Heath, Constanza
M; Ding, Jian-feng<br>
<b>Subject:</b> RE: [Openstack-security] Would people see a value
in the cve-check-tool?</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB">Can you move this over to OpenStack Development
Mailing List (<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>)
with the [Security] tag please?</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB">We’re trying to wind down the security
ML.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB">-Rob</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US" xml:lang="EN-GB"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif" xml:lang="EN-US">From:</span></b> <span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif" xml:lang="EN-US">Timur Nurlygayanov [<a href="mailto:tnurlygayanov@mirantis.com">mailto:tnurlygayanov@mirantis.com</a>]<br>

<b>Sent:</b> 04 August 2015 18:20<br>
<b>To:</b> Reshetova, Elena<br>
<b>Cc:</b> <a href="mailto:openstack-security@lists.openstack.org">openstack-security@lists.openstack.org</a>;
Heath, Constanza M; Ding, Jian-feng<br>
<b>Subject:</b> Re: [Openstack-security] Would people see a value
in the cve-check-tool?</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-GB" xml:lang="EN-GB"> </span></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-GB" xml:lang="EN-GB">Hi Elena,</span></p>
</div>
<p class="MsoNormal"><span lang="EN-GB" xml:lang="EN-GB">I like the
idea; we can probably prepare some scripts which will allow running
this tool for any OpenStack component, as is done for the Bandit
tool [1].<br>
<br>
[1] <a href="https://github.com/openstack/bandit">https://github.com/openstack/bandit</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-GB" xml:lang="EN-GB"> </span></p>
<div>
<p class="MsoNormal"><span lang="EN-GB" xml:lang="EN-GB">On Tue,
Aug 4, 2015 at 8:01 PM, Reshetova, Elena <<a href="mailto:elena.reshetova@intel.com" target="_blank">elena.reshetova@intel.com</a>> wrote:</span></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB">Hi,</span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB"> </span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB">Sorry for the double posting, I have got a
recommendation to send this to the security mailing list also and
not to the dev one.</span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB"> </span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB">We would like to ask for opinions: do people
find it valuable to include cve-check-tool in the OpenStack
continuous integration process?</span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB">The tool can be run against the package and
module dependencies of OpenStack components and detect any CVEs (in
the future there are also plans to integrate more functionality into the
tool, such as scanning of other vulnerability databases, etc.).
It would not only provide fast detection of new vulnerabilities
that are being released for existing dependencies, but also ensure
that people are not introducing new vulnerable
dependencies.</span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB"> </span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB">The tool is located here: <a href="https://github.com/ikeydoherty/cve-check-tool" target="_blank">https://github.com/ikeydoherty/cve-check-tool</a></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB"> </span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB">I am attaching an example of a very simple
Python wrapper for the tool, which is able to process formats like:
<a href="http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints.txt" target="_blank">http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints.txt</a></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB">and an example of the HTML output you would get
when running it for version 2.2.1 of the Python module requests (which
is vulnerable to 3 CVEs).</span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB"> </span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB">Best Regards,<br>
Elena.</span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB"> </span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" xml:lang="EN-GB"> </span></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-GB" xml:lang="EN-GB"><br>
_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a></span></p>
</blockquote>
</div>
<p class="MsoNormal"><span lang="EN-GB" xml:lang="EN-GB"><br>
<br clear="all">
<br>
--</span></p>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-GB" xml:lang="EN-GB"> </span></p>
<div>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:"Arial",sans-serif" xml:lang="EN-GB">Timur,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:"Arial",sans-serif" xml:lang="EN-GB">Senior QA
Engineer</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:"Arial",sans-serif" xml:lang="EN-GB">OpenStack
Projects</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:"Arial",sans-serif" xml:lang="EN-GB">Mirantis
Inc</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>


<br></div></div></span></blockquote></body></html>