[openstack-dev] [Security] Would people see a value in the cve-check-tool? (Reshetova, Elena)
McPeak, Travis
travis.mcpeak at hp.com
Wed Aug 5 13:14:40 UTC 2015
(Merging thread from security ML)
Bandit probably isn¹t the correct integration point for this - cve-check
has its own analysis procedures while
Bandit uses Python AST. Also I see the use workflows being different.
For Bandit a developer/gate wants to
check a specific code snippet whereas for cve-check to be effective it
really needs to examine the entire
dependency chain.
As Rob and I mentioned earlier a gate process on ³openstack-requirements²
seems like an ideal target for this.
The idea would be anytime a requirement is added (for example to enable a
newer version or an entirely new
library to be used) we could run a cve-check job that ensures the new
library (or version) doesn¹t have any
known CVE¹s against it. This way we can be covered across OpenStack
(since OpenStack projects can¹t use
Libraries that aren¹t in global requirements). The gate processing time
is minimal since it doesn¹t have to
run for each project.
The only concern that I have is the requisite database. Downloading a
500MB + CVE database for the jobs could
become painful. We could either keep the CVE database on each node in the
test pool or download it at the
start of each cve-check job. I¹d be curious what the infra wizards have
to say.
I¹d also really like to see what the baseline results look like. If you
run it against current global
requirements does it find legitimate issues? Does it find false
positives. In any case it seems worth
exploring as vulnerabilities in upstream dependencies are a key weakness
in our current system.
>Hi folks!
>
>Idea really looks good.
>
>I am attaching an example of a very simple Python wrapper for the tool
>
>
>Looks like this wrapper is lightweight. But maybe try to integrate it
>with Bandit and not to create a new tool?
>
>--?
>Victor Ryzhenkin
>freerunner on #freenode
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2751 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150805/4e0ad755/attachment.bin>
More information about the OpenStack-dev
mailing list