[openstack-dev] [Security] Would people see a value in the cve-check-tool? (Reshetova, Elena)
Jeremy Stanley
fungi at yuggoth.org
Wed Aug 5 13:56:18 UTC 2015
On 2015-08-05 13:14:40 +0000 (+0000), McPeak, Travis wrote:
[...]
> The only concern that I have is the requisite database.
> Downloading a 500MB + CVE database for the jobs could become
> painful. We could either keep the CVE database on each node in
> the test pool or download it at the start of each cve-check job.
[...]
Oh, yep that's a whopper. Downloading that during the job is very
likely to make it slow and unreliable. Baking it into our worker
base images is also questionable since we need to be able to boot
them in cloud providers who may give us as little as a 20 GiB root
filesystem device. If it can be compressed or filtered to an order
of magnitude smaller, then that seems more reasonable to work with.
Otherwise we'd need some separate online query service to hold the
database and handle the lookups (either hosted in our infrastructure
or elsewhere).
--
Jeremy Stanley
More information about the OpenStack-dev
mailing list