[openstack-dev] Would people see a value in the cve-check-tool?

Matthew Thode prometheanfire at gentoo.org
Tue Aug 4 15:02:25 UTC 2015


On 08/03/2015 04:08 PM, Reshetova, Elena wrote:
> Hi,
> 
> We would like to ask for opinions on whether people find it valuable to include a
> cve-check-tool in the OpenStack continuous integration process?
> 
> The tool can be run against the package and module dependencies of OpenStack
> components and detect any CVEs (in future there are also plans to integrate
> more functionality into the tool, such as scanning of other vulnerability
> databases, etc.). It would not only provide fast detection of new
> vulnerabilities that are being released for existing dependencies, but also
> control that people are not introducing new vulnerable dependencies.
> 
> The tool is located here: https://github.com/ikeydoherty/cve-check-tool
> 
> I am attaching an example of a very simple Python wrapper for the tool,
> which is able to process formats like:
> http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints.txt
> 
> and an example of the HTML output you would get if you ran it for the Python
> module requests, version 2.2.1 (which is vulnerable to 3 CVEs).
> 
> Best Regards,
> Elena.
> 
As a packager I love this :D

-- 
-- Matthew Thode (prometheanfire)
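The kind of wrapper Elena describes, as an added illustration that is not her attached script and not part of cve-check-tool: it parses the `name===version` lines of an upper-constraints.txt (constructed sample below, including a comment and an environment marker) and matches the pinned versions against a constructed advisory table whose CVE identifiers are placeholders, standing in for the database that cve-check-tool would query.

```python
"""Parse upper-constraints.txt pins and flag versions below an advisory's fix.

Added example, not the wrapper from the mailing-list attachment. The
advisory table and its CVE identifiers are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the upper-constraints.txt format:
# name===version, optionally followed by ';' and an environment marker.
SAMPLE_CONSTRAINTS = """\
# pins generated by the requirements project (constructed sample)
requests===2.2.1
six===1.9.0
enum34===1.0.4;python_version=='2.7'
oslo.config===2.1.0
"""

# Constructed advisory table: package -> [(placeholder CVE id, first fixed version)].
# A pinned version strictly below the fixed version is treated as affected.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "requests": [("CVE-XXXX-0001", "2.3.0"), ("CVE-XXXX-0002", "2.6.0"),
                 ("CVE-XXXX-0003", "2.3.0")],
    "six": [("CVE-XXXX-0004", "1.0.0")],
}

# name, '===', version (no whitespace or ';'), optional ';marker' tail.
LINE_RE = re.compile(r"^([A-Za-z0-9._-]+)\s*===\s*([^;\s]+)(?:\s*;.*)?$")


def parse_constraints(text: str) -> Dict[str, str]:
    """Return {package-name-lowercased: pinned-version}; reject unknown lines."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError("unrecognised constraint line: %r" % raw)
        pins[match.group(1).lower()] = match.group(2)
    return pins


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric dotted versions only, which covers the constructed sample."""
    return tuple(int(part) for part in version.split("."))


def find_vulnerable(pins: Dict[str, str], advisories) -> Dict[str, List[str]]:
    """Map each pinned package to the advisory ids whose fix it predates."""
    hits: Dict[str, List[str]] = {}
    for name, version in pins.items():
        for cve_id, fixed_in in advisories.get(name, []):
            if version_tuple(version) < version_tuple(fixed_in):
                hits.setdefault(name, []).append(cve_id)
    return hits
```

Running `find_vulnerable(parse_constraints(SAMPLE_CONSTRAINTS), SAMPLE_ADVISORIES)` flags only requests 2.2.1, with three placeholder ids, and a CI job would fail the change when the result is non-empty.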
