[openstack-dev] Would people see a value in the cve-check-tool?

Jeremy Stanley fungi at yuggoth.org
Tue Aug 4 20:31:04 UTC 2015


On 2015-08-04 18:17:13 +0000 (+0000), Clark, Robert Graham wrote:
[...]
> As I write this I’ve realised that there would be an interesting
> possibility in the former case (putting this in the upstream
> OpenStack gates). It would be interesting to see something running
> that regularly checks for CVEs in the libraries that _could_ be
> included in OpenStack, (library requirements within OpenStack
> often include more than one version) and bumps the version to the
> next safest and submits a change request for manual verification
> etc.

On a separate (private) E-mail thread where I recommended restarting
this discussion here in public, that was more or less the intent. We
have a mechanism for the openstack/requirements repo presently which
resolves the current highest versions of all dependencies (including
all their transitive dependencies) declared in the
global-requirements.txt file and updates a file called
upper-constraints.txt with the result. The proposed check tool
could, in theory, consume this upper-constraints.txt and so run and
report periodically on the state of package versions declared in
that file.

To take things a step further, when someone proposes a change to
global-requirements.txt, a check job could generate the new
upper-constraints.txt which would result from that and feed it into
this CVE tool, reporting back on whether that proposed change would
bring in any known-vulnerable versions of packages. This would most
likely operate only in an advisory fashion, providing information to
reviewers of requirements changes and any other interested parties,
since I can envision circumstances under which its results would
need to be temporarily ignored/overridden.

All that is to say, I think the infrastructure integration for this
is pretty straightforward. What I'd rather see first is people
trying out the tool, finding out what it tells us about the present
state of our requirements list, whether it's reliable or needs
further work, whether its featureset is already sufficient, et
cetera.
-- 
Jeremy Stanley
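As an added example (not code from this thread, from openstack/requirements or from cve-check-tool), the Python below sketches the two checks Jeremy describes: scan the pins in an upper-constraints.txt against an advisory list, and, for a proposed requirements change, report only the vulnerable versions that change would newly bring in, so reviewers get an advisory signal rather than a hard gate. The `name===version` pin syntax is that of upper-constraints.txt; the package pins, the advisory feed with its EXAMPLE-ADV ids, and the simplified version ordering are constructed for illustration.

```python
import re

# Constructed sample in the upper-constraints.txt pin format (name===version);
# the pins are made up for this example, not the real OpenStack file.
OLD_CONSTRAINTS = """\
# generated from global-requirements.txt (constructed sample)
requests===2.7.0
oslo.config===2.1.0
PyYAML===3.11
six===1.9.0
"""
# Constructed result of a hypothetical proposed requirements change:
# requests bumped past its advisory, paramiko newly pulled in.
NEW_CONSTRAINTS = (OLD_CONSTRAINTS.replace("requests===2.7.0", "requests===2.8.0")
                   + "paramiko===1.15.0\n")
# Hypothetical advisory feed (not real CVE data): normalized name ->
# [(first fixed version, advisory id)]. A pin older than the fix is reported.
ADVISORIES = {
    "requests": [("2.8.0", "EXAMPLE-ADV-0001")],
    "pyyaml": [("3.12", "EXAMPLE-ADV-0002")],
    "paramiko": [("1.16.0", "EXAMPLE-ADV-0003")],
}

def version_key(version):
    # Simplified ordering for dotted numeric releases; a real tool needs
    # full PEP 440 semantics (pre/post releases, epochs, local versions).
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

def parse_constraints(text):
    """Map normalized package name -> pinned version from name===version lines."""
    pins = {}
    for raw in text.splitlines():
        name, sep, version = raw.split("#", 1)[0].strip().partition("===")
        if not sep:
            continue  # blank line, comment, or not an exact pin: nothing to check
        pins[re.sub(r"[-_.]+", "-", name.strip()).lower()] = version.strip()
    return pins

def check_constraints(pins, advisories):
    """Return (package, pinned version, advisory id) for every vulnerable pin."""
    return [(name, version, adv) for name, version in pins.items()
            for fixed_in, adv in advisories.get(name, [])
            if version_key(version) < version_key(fixed_in)]

def new_findings_from_change(old_text, new_text, advisories):
    """Advisory report for a proposed change: only the issues it introduces."""
    before = set(check_constraints(parse_constraints(old_text), advisories))
    after = set(check_constraints(parse_constraints(new_text), advisories))
    return sorted(after - before)
```

Pre-existing findings (here the PyYAML pin) stay in the periodic report but are not attributed to the proposed change, which keeps the per-change job from blocking on problems the change did not create.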