[openstack-dev] Would people see a value in the cve-check-tool?

Reshetova, Elena elena.reshetova at intel.com
Mon Aug 3 21:08:57 UTC 2015


Hi,

 

We would like to ask opinions if people find it valuable to include a
cve-check-tool into the OpenStack continuous integration process? 

A tool can be run against the package and module dependencies of OpenStack
components and detect any CVEs (in future there are also plans to integrate
more functionality to the tool, such as scanning of other vulnerability
databases and etc.). It would not only provide fast detection of new
vulnerabilities that are being released for existing dependencies, but also
control that people are not introducing new vulnerable dependencies. 

 

The tool is located here: https://github.com/ikeydoherty/cve-check-tool

 

I am attaching an example of a very simple Python wrapper for the tool,
which is able to process formats like:
http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints.
txt

and an example of html output if you would be running it for the python
module requests 2.2.1 version (which is vulnerable to 3 CVEs). 

 

Best Regards,
Elena.

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150803/5cf40cf3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7586 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150803/5cf40cf3/attachment.bin>


More information about the OpenStack-dev mailing list