[openstack-dev] Would people see a value in the cve-check-tool?

Jeremy Stanley fungi at yuggoth.org
Tue Aug 4 21:51:47 UTC 2015


On 2015-08-04 20:37:37 +0000 (+0000), Ian Cordasco wrote:
[...]
> When I tried bumping the version for the first two, we had a discussion
> about the impact to OpenStack and it was decided that there wasn't a
> necessity to bump the version. There was no need to have a discussion
> about 3 because (as far as I'm aware) there isn't any service that uses
> cookies so that also doesn't have any effect.
> 
> Being aware of these CVEs is one thing and would be nice. If we can
> determine that a CVE affects us, we most certainly should bump the minimum
> required version of that library in OpenStack. That said, part of the
> argument against increasing the lower bound on requests (at the time) was
> due to packagers not wanting to or being able to (I forget which) package
> the newer version (and no the review was not sent to a stable/* branch).
> So if we're going to be conflicting with downstream re-distributors, then
> this might be harder than we think.
[...]

I don't think the intent of this is to blacklist potentially
vulnerable versions of dependencies, it's to help us not prevent the
use of fixed versions. Evaluating our upper-constraints.txt would in
theory let us know:

1. dependencies which have been basically abandoned by their
   caretakers and have fallen into a vulnerable state, so
   potentially need assistance from our community

2. dependencies on which we have a restrictive upper bound, which
   prevents our users from consuming a release where some
   vulnerability has been fixed

Arguably also 3. lots of CVEs which aren't applicable for some
reason, so we likely need a means to whitelist those and filter them
from the report.
-- 
Jeremy Stanley
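An added illustration (not code from cve-check-tool, OpenStack or the author) of the report this message describes: a constrained pin that sits below an advisory's fixed version, a dependency with no upstream fix, and a whitelist for reviewed non-applicable entries. The `name===version` pin syntax is the only thing taken from the real upper-constraints.txt; the constraints excerpt, advisory entries, version numbers and CVE identifiers below are constructed placeholders.

```python
import re

# Constructed excerpt in upper-constraints.txt syntax; the real file is far longer.
UPPER_CONSTRAINTS = """\
requests===2.7.0
oslo.config===2.1.0
six===1.9.0
"""

# Constructed advisory feed. The CVE ids and fixed_in values are placeholders.
ADVISORIES = [
    {"cve": "CVE-0000-EXAMPLE1", "package": "requests", "fixed_in": "2.8.0"},
    {"cve": "CVE-0000-EXAMPLE2", "package": "requests", "fixed_in": "2.6.0"},
    {"cve": "CVE-0000-EXAMPLE3", "package": "oslo.config", "fixed_in": None},
    {"cve": "CVE-0000-EXAMPLE4", "package": "six", "fixed_in": "1.10.0"},
]

def parse_version(text):
    """Numeric-only version tuple; enough for the simple pins used here."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def parse_constraints(text):
    """Map package name -> pinned version from 'name===version' lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("===")
        pins[name.strip().lower()] = version.strip()
    return pins

def check_constraints(constraints_text, advisories, whitelist=()):
    """Return {cve: (package, pinned_version, verdict)} for advisories that matter."""
    pins = parse_constraints(constraints_text)
    report = {}
    for adv in advisories:
        if adv["cve"] in whitelist:       # reviewed and found not applicable
            continue
        pinned = pins.get(adv["package"].lower())
        if pinned is None:                # not one of our dependencies
            continue
        if adv["fixed_in"] is None:
            verdict = "unfixed-upstream"  # category 1: may need community help
        elif parse_version(pinned) < parse_version(adv["fixed_in"]):
            verdict = "upper-bound-blocks-fix"  # category 2: pin prevents the fix
        else:
            continue                      # pin already at or past the fixed release
        report[adv["cve"]] = (adv["package"], pinned, verdict)
    return report

if __name__ == "__main__":
    for cve, row in check_constraints(UPPER_CONSTRAINTS, ADVISORIES, {"CVE-0000-EXAMPLE4"}).items():
        print(cve, *row)
```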
