[openstack-dev] Would people see a value in the cve-check-tool?

Adam Heczko aheczko at mirantis.com
Mon Aug 3 22:18:12 UTC 2015


Hi Elena, the tool looks very interesting.
Maybe try to spread out this proposal also through openstack-security@ ML.
BTW, I can't find the wrapper mentioned - am I missing something?

Regards,

Adam

On Mon, Aug 3, 2015 at 11:08 PM, Reshetova, Elena <elena.reshetova at intel.com
> wrote:

> Hi,
>
>
>
> We would like to ask opinions if people find it valuable to include a
> cve-check-tool into the OpenStack continuous integration process?
>
> A tool can be run against the package and module dependencies of OpenStack
> components and detect any CVEs (in future there are also plans to integrate
> more functionality to the tool, such as scanning of other vulnerability
> databases and etc.). It would not only provide fast detection of new
> vulnerabilities that are being released for existing dependencies, but also
> control that people are not introducing new vulnerable dependencies.
>
>
>
> The tool is located here: https://github.com/ikeydoherty/cve-check-tool
>
>
>
> I am attaching an example of a very simple Python wrapper for the tool,
> which is able to process formats like:
> http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints.txt
>
> and an example of html output if you would be running it for the python
> module requests 2.2.1 version (which is vulnerable to 3 CVEs).
>
>
>
> Best Regards,
> Elena.
>
>
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Adam Heczko
Security Engineer @ Mirantis Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150804/959c273a/attachment.html>


More information about the OpenStack-dev mailing list