[openstack-dev] [Security]Would people see a value in the cve-check-tool?

Bhandaru, Malini K malini.k.bhandaru at intel.com
Tue Aug 11 20:42:26 UTC 2015


Rob, Timur, Travis, and Victor, thank you for your input! We are excited about the feedback.

Added [Security] in subject per Rob’s suggestion. Copied all the security interested parties who responded.

Another place I see value is running periodically against past releases – Icehouse, Juno, etc. –
to catch any vulnerabilities in production systems. When we issue security notes we typically specify any past releases that carry the vulnerability and this would be on par with that.

A developer could introduce a vulnerability in any edit, which bandit would catch. However, a CVE check would not be such an active threat; running it once a day may be adequate.

Regards
Malini

From: Clark, Robert Graham [mailto:robert.clark at hp.com]
Sent: Tuesday, August 04, 2015 11:17 AM
To: OpenStack Development Mailing List (not for usage questions)
Cc: Heath, Constanza M; Ding, Jian-feng; Demeter, Michael; Bhandaru, Malini K
Subject: RE: [openstack-dev] Would people see a value in the cve-check-tool?

Hi Elena,

This is interesting work, thanks for posting it (and for posting it here on openstack-dev, we are trying to wind down the security ML) though maybe use the [Security] tag in the subject line next time.

I think this is a very interesting project, though it’s unclear to me who might be the targeted users for this? It seems like it would make the most sense for this to be in the gate. Now this could be the standard build gates (Jenkins etc) but I’m not sure how much sense that makes on its own, after all most production consumers (those who care about CVEs) of OpenStack are probably not consuming it vanilla from source but are more likely to be consuming it from a vendor who’s already packaged it up.

In the latter case, I’m sure vendors would find this tool very useful, we do something similar at HP today but I’m sure a tool like this would add value and it’s probably something we could contribute to.

As I write this I’ve realised that there would be an interesting possibility in the former case (putting this in the upstream OpenStack gates). It would be interesting to see something running that regularly checks for CVE’s in the libraries that _could_ be included in OpenStack, (library requirements within OpenStack often include more than one version) and bumps the version to the next safest and submits a change request for manual verification etc.

-Rob

From: Adam Heczko [mailto:aheczko at mirantis.com]
Sent: 03 August 2015 23:18
To: OpenStack Development Mailing List (not for usage questions)
Cc: Heath, Constanza M; Ding, Jian-feng; Demeter, Michael; Bhandaru, Malini K
Subject: Re: [openstack-dev] Would people see a value in the cve-check-tool?

Hi Elena, the tool looks very interesting.
Maybe try to spread out this proposal also through openstack-security@ ML.
BTW, I can't find the wrapper mentioned - am I missing something?

Regards,

Adam

On Mon, Aug 3, 2015 at 11:08 PM, Reshetova, Elena <elena.reshetova at intel.com> wrote:
Hi,

We would like to ask opinions if people find it valuable to include a cve-check-tool into the OpenStack continuous integration process?
A tool can be run against the package and module dependencies of OpenStack components and detect any CVEs (in future there are also plans to integrate more functionality to the tool, such as scanning of other vulnerability databases and etc.). It would not only provide fast detection of new vulnerabilities that are being released for existing dependencies, but also control that people are not introducing new vulnerable dependencies.

The tool is located here: https://github.com/ikeydoherty/cve-check-tool

I am attaching an example of a very simple Python wrapper for the tool, which is able to process formats like: http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints.txt
and an example of html output if you would be running it for the python module requests 2.2.1 version (which is vulnerable to 3 CVEs).

Best Regards,
Elena.



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



--
Adam Heczko
Security Engineer @ Mirantis Inc.
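A minimal sketch of the kind of wrapper Elena describes, added here as an illustration; it is not her attached script and not code from cve-check-tool. It parses upper-constraints.txt style pins (`name===version`, optional environment marker after `;`) and compares each pin against a constructed advisory table whose IDs are placeholders, not real CVE numbers.

```python
# Added example: parse upper-constraints.txt pins and flag any pinned version
# that is below the first fixed version listed in a (constructed) advisory table.
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of openstack/requirements upper-constraints.txt
SAMPLE_CONSTRAINTS = """\
# comment lines and blank lines are ignored
requests===2.2.1
oslo.config===1.11.0;python_version=='2.7'
six===1.9.0
"""

# Constructed advisory table: package -> [(advisory id, first fixed version), ...]
# IDs are placeholders; a real wrapper would take these from the tool's output.
SAMPLE_ADVISORIES = {
    "requests": [("CVE-PLACEHOLDER-1", "2.3.0"), ("CVE-PLACEHOLDER-2", "2.6.0")],
    "six": [("CVE-PLACEHOLDER-3", "1.8.0")],
}

# Matches "name===version" and stops at an environment marker (";...") if present.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)===([^;\s]+)")

def parse_constraints(text: str) -> Dict[str, str]:
    """Return {package (lower-cased): pinned version}; non-matching lines are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple for comparing dotted release versions (so 2.2.1 < 2.10.0)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def find_vulnerable(pins: Dict[str, str], advisories) -> List[Tuple[str, str, str]]:
    """List (package, pinned version, advisory id) for pins older than the fix."""
    hits = []
    for pkg, pinned in pins.items():
        for adv_id, fixed in advisories.get(pkg, []):
            if version_key(pinned) < version_key(fixed):
                hits.append((pkg, pinned, adv_id))
    return hits

if __name__ == "__main__":
    pins = parse_constraints(SAMPLE_CONSTRAINTS)
    for pkg, ver, adv in find_vulnerable(pins, SAMPLE_ADVISORIES):
        print(f"{pkg}=={ver} affected by {adv}")
```

A gate job would feed the real constraints file and the tool's database results into the same two functions and fail the build on a non-empty result.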