[Openstack-security] Openstack-security Digest, Vol 30, Issue 4
McPeak, Travis
travis.mcpeak at hp.com
Tue Aug 4 17:56:32 UTC 2015
Hi Elena,
IMO this would make a great gate process. In particular if cve-check were
implemented as a gate in requirements, we could detect when a new vulnerable
version of a project is made available for use in OpenStack.
Have you run the tool against the current requirements list? I'd be
curious to see what the baseline results look like.
Thanks,
-Travis
On 8/4/15, 11:15 AM, "openstack-security-request at lists.openstack.org"
<openstack-security-request at lists.openstack.org> wrote:
>Sorry for the double posting, I have got a recommendation to send this to
>the security mailing list also and not to the dev one.
>
>
>We would like to ask for opinions on whether people find it valuable to
>include a cve-check-tool in the OpenStack continuous integration process.
>
>The tool can be run against the package and module dependencies of OpenStack
>components and detect any CVEs (in future there are also plans to integrate
>more functionality into the tool, such as scanning of other vulnerability
>databases, etc.). It would not only provide fast detection of new
>vulnerabilities that are being released for existing dependencies, but also
>control that people are not introducing new vulnerable dependencies.
>
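As an added illustration of the requirements gate discussed in this thread (not cve-check-tool's own code and not from any OpenStack repository): a minimal Python check that parses pip requirement lines, takes the lowest version each line still permits, and rejects the line when that floor falls inside an advisory's affected range, so the remedy is to raise the lower bound past the fix. The advisory feed, package names, version ranges and CVE ids below are constructed placeholders.

```python
import re

# Constructed advisory feed: package -> [(id, first affected, first fixed)].
# Ids are placeholders, not real CVEs; not the format cve-check-tool uses.
ADVISORIES = {
    "examplelib": [("CVE-0000-0001", "1.0.0", "1.2.5")],
    "otherlib": [("CVE-0000-0002", "0", "3.0.0")],
}
# Package name plus the first version specifier of a pip requirement line.
SPEC_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|~=|!=|<=|<|>)\s*([0-9][0-9.]*))?")

def parse_version(text):
    """'1.2.10' -> (1, 2, 10); non-numeric parts such as 'rc1' are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def parse_requirement(line):
    """Return (name, lowest version pip may install), or None for blank/comment.
    '==X', '>=X', '~=X' and '>X' make X the floor ('>X' as X is conservative);
    a bare name or an upper bound alone allows any version, modelled as (0,).
    Assumes no environment markers or URLs on the line."""
    line = line.split("#", 1)[0].strip()
    match = SPEC_RE.match(line) if line else None
    if not match:
        return None
    name = match.group(1).lower().replace("_", "-")
    op, ver = match.group(2), match.group(3)
    floor = parse_version(ver) if op in ("==", ">=", "~=", ">") else (0,)
    return name, floor

def gate(requirements_text):
    """List (package, floor, advisory id) for each requirement the gate rejects:
    its floor lies in an affected range, so a vulnerable version is installable."""
    findings = []
    for line in requirements_text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, floor = parsed
        for adv_id, first_affected, first_fixed in ADVISORIES.get(name, []):
            if parse_version(first_affected) <= floor < parse_version(first_fixed):
                findings.append((name, ".".join(map(str, floor)), adv_id))
    return findings

# Constructed sample requirements list (not taken from any OpenStack project).
SAMPLE = """examplelib>=1.1.0  # floor 1.1.0 is inside 1.0.0..1.2.5
ExampleLib==1.2.5
otherlib
"""
```

Running `gate(SAMPLE)` flags the first and third lines; the pinned `ExampleLib==1.2.5` passes because the pin sits at the first fixed version.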